On 02.09.2017 03:50, Kedar Sirshikar (ksirshik) wrote:
>
> Hi Brane,
>
> I tried to follow your suggestions. Please refer attached latest
> version of ‘subversion.conf’
>
> 1. I updated my subversion.conf to include
> ‘AuthLDAPGroupAttribute’ attribute. Its value is set to cn as cn
> attribute has the group name (to which user is assigned)
>
AuthLDAPGroupAttribute is the name of the group's member list attribute,
not the user's primary group attribute.
> Is there any way I can check for logs? If I get some relevant logs, I
> myself can dig down more.
>
You should have Apache server logs available. If they're not detailed
enough, you can increase the log verbosity.
> I came across below 2 urls which claim that it is not possible to get
> rid of AuthzSVNAccessFile directive and you must use a file to
> configure groups and users.
>
> http://grokbase.com/t/subversion/users/1477dcf8yc/how-to-control-access-of-a-subversion-repo-subfolder-via-ad-groups/oldest#responses_tab_top
>
> https://github.com/whitlockjc/sync-ldap-groups-to-svn-authz
>
>
>
> Now, I am little confused about whether it is really possible (or not)
> to fully avoid configuring groups and user names in a separate file.
>
That depends on what you want to do. If you only want to control
read-only vs. read-write access to the whole repository, you can do that
in the Apache config, as I showed you. If you want more fine-grained
access control, that's what the Subversion authz file is for. If you
want to do that per-user, then you will have to define users (and/or
groups) in that file. And yes, there are tools out there for
automatically generating user and group lists for the Subversion authz
file from LDAP.
-- Brane
Received on 2017-09-02 14:07:10 CEST