[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive

From: Branko Čibej <brane_at_apache.org>
Date: Sat, 2 Sep 2017 14:07:03 +0200

On 02.09.2017 03:50, Kedar Sirshikar (ksirshik) wrote:
> Hi Brane,
> I tried to follow your suggestions. Please refer attached latest
> version of ‘subversion.conf’
> 1.       I updated my subversion.conf to include
> ‘AuthLDAPGroupAttribute’ attribute. Its value is set to cn as cn
> attribute has the group name (to which user is assigned)

AuthLDAPGroupAttribute is the name of the group's member list attribute,
not the user's primary group attribute.

> Is there any way I can check for logs? If I get some relevant logs, I
> myself can dig down more.

You should have Apache server logs available. If they're not detailed
enough, you can increase the log verbosity.

> I came across below 2 urls which claim that it is not possible to get
> rid of AuthzSVNAccessFile directive and you must use a file to
> configure groups and users.
> http://grokbase.com/t/subversion/users/1477dcf8yc/how-to-control-access-of-a-subversion-repo-subfolder-via-ad-groups/oldest#responses_tab_top
> https://github.com/whitlockjc/sync-ldap-groups-to-svn-authz
> Now, I am little confused about whether it is really possible (or not)
> to fully avoid configuring groups and user names in a separate file.

That depends on what you want to do. If you only want to control
read-only vs. read-write access to the whole repository, you can do that
in the Apache config, as I showed you. If you want more fine-grained
access control, that's what the Subversion authz file is for. If you
want to do that per-user, then you will have to define users (and/or
groups) in that file. And yes, there are tools out there for
automatically generating user and group lists for the Subversion authz
file from LDAP.

-- Brane
Received on 2017-09-02 14:07:10 CEST

This is an archived mail posted to the Subversion Users mailing list.