On Wed, Dec 12, 2018 at 9:28 AM Stuempfig, Thomas
<thomas.stuempfig_at_siemens.com> wrote:
>
> Hi Brane,
>
> sorry i cannot post the contents of VisualSVN-WinAuthz.ini file since it is company security related.
> I will take some time to setup a separate Demo LDAP, but this will take some time.
>
> But basically my observation is
>
> 1) You have ldap group "GroupA"
> 2) Within that group you have users user_a and user_b (memberOf Attribute)
>
> now
> 3) you setup your repo authz file
> *****************************
> [/]
> user_a rw
> GroupA rw
> *****************************
>
> (I explicity do not include something like Group_A=user_a,user_b and set @Group_A rw in authz file as this would duplicate ldap definition
> of Group membership)
>
> svnauthz gives "rw" for user_a and "Result no" for user_b
>
>
>
> my guess is that svnauthz does not evaluate the actual ldap info and ony cares about groups defined in authz file whereas "svn --username .. ." does authenticate with the ldap-group. If I am thinking about the svnauthz commandline, svnauthz has no information about the ldap connection which sits in apache httpd.conf.
>
Okay, it seems there is some misunderstanding here. First of all,
"core" svn does not by itself have support for LDAP groups for
authorization. Indeed, it only looks at groups that are defined in the
authz file itself.
The VisualSVN-WinAuthz.ini file is an extra feature developed by
VisualSVN, on top of "core" svn. So indeed, the svnauthz commandline
tool does not know about those groups.
To get some help on using / validating the VisualSVN-WinAuthz.ini
file, you'll have to reach out to VisualSVN people (some of them are
reading this list too, so they might be able to comment further here).
--
Johan
Received on 2018-12-12 11:21:58 CET