RE: Check Path based authorization

From: Stuempfig, Thomas <thomas.stuempfig_at_siemens.com>
Date: Wed, 12 Dec 2018 08:25:15 +0000

Hi Brane,

sorry i cannot post the contents of VisualSVN-WinAuthz.ini file since it is company security related.
I will take some time to setup a separate Demo LDAP, but this will take some time.

But basically my observation is

1) You have ldap group "GroupA"
2) Within that group you have users user_a and user_b (memberOf Attribute)

now
3) you setup your repo authz file
*****************************
[/]
user_a rw
GroupA rw
*****************************

(I explicity do not include something like Group_A=user_a,user_b and set @Group_A rw in authz file as this would duplicate ldap definition
of Group membership)

svnauthz gives "rw" for user_a and "Result no" for user_b

my guess is that svnauthz does not evaluate the actual ldap info and ony cares about groups defined in authz file whereas "svn --username .. ." does authenticate with the ldap-group. If I am thinking about the svnauthz commandline, svnauthz has no information about the ldap connection which sits in apache httpd.conf.

regards
Thomas

-----Original Message-----
From: Branko Čibej [mailto:brane_at_apache.org]
Sent: Dienstag, 11. Dezember 2018 20:54
To: Stuempfig, Thomas (DF PL S&SE DE PSM EAI) <thomas.stuempfig_at_siemens.com>; users_at_subversion.apache.org
Subject: Re: Check Path based authorization

On 11.12.2018 18:40, Stuempfig, Thomas wrote:
> Hi Brane,
> well after testing the tool does not actually do what i would like. But it is giving me a starting point / work around.
> I tested the tool with Visualsvn Server on windows
>
>
> Steps to reproduce
> 1) configure basic windows authentication
>
> 2) grant" rw" access to the repository root path for AD group
> Visualsvn server places the objectSid
> S-1-1-11-111111111-111111111-11111111-11111 of the group in the
> VisualSVN-WinAuthz.ini file of the repository
>
> 3) svnauthz.exe accessof --username S-2-2-22-222222222-22222222-222222222-22222 d:\repositories\test\conf\VisualSVN-WinAuthz.ini
> Where username is a member of the AD group objectSid
> S-1-1-11-111111111-111111111-11111111-11111
> Result no
>
> But
> 4) svnauthz.exe accessof --username
> S-1-1-11-111111111-111111111-11111111-11111 22222
> d:\repositories\test\conf\VisualSVN-WinAuthz.ini
> Gives "rw"

I really have no idea what the WinAuthz.ini file is and what VisualSVN does with it. It's impossible to say if your result is expected if we don't see the contents of the authz file.

But yes, 'svnauthz' will calculate access for users, not for groups. A user can be a member of several groups and the actual rights she has can be a combination of rights granted to the groups.

-- Brane

-----------------
Siemens Industry Software GmbH; Anschrift: Franz-Geuer-Str. 10, 50823 Köln; Gesellschaft mit beschränkter Haftung; Geschäftsführer: Urban August, Daniel Trebes; Sitz der Gesellschaft: Köln; Registergericht: Amtsgericht Köln, HRB 84564
Received on 2018-12-12 09:28:19 CET

This message: [ Message body ]
Next message: Thorsten Schöning: "Are my repos properly using ZLIB compression level 9?"
Previous message: Branko Čibej: "Re: Check Path based authorization"
In reply to: Branko Čibej: "Re: Check Path based authorization"
Next in thread: Johan Corveleyn: "Re: Check Path based authorization"
Reply: Johan Corveleyn: "Re: Check Path based authorization"
Reply: Branko Čibej: "Re: Check Path based authorization"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]