[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Check Path based authorization

From: Branko Čibej <brane_at_apache.org>
Date: Wed, 12 Dec 2018 13:59:24 +0100

[Please do not top-post on this list.]

On 12.12.2018 09:25, Stuempfig, Thomas wrote:
> Hi Brane,
>
> sorry i cannot post the contents of VisualSVN-WinAuthz.ini file since it is company security related.
> I will take some time to setup a separate Demo LDAP, but this will take some time.
>
> But basically my observation is
>
> 1) You have ldap group "GroupA"
> 2) Within that group you have users user_a and user_b (memberOf Attribute)
>
> now
> 3) you setup your repo authz file
> *****************************
> [/]
> user_a rw
> GroupA rw
> *****************************
>
> (I explicity do not include something like Group_A=user_a,user_b and set @Group_A rw in authz file as this would duplicate ldap definition
> of Group membership)
>
> svnauthz gives "rw" for user_a and "Result no" for user_b
>
>
>
> my guess is that svnauthz does not evaluate the actual ldap info and ony cares about groups defined in authz file whereas "svn --username .. ." does authenticate with the ldap-group. If I am thinking about the svnauthz commandline, svnauthz has no information about the ldap connection which sits in apache httpd.conf.

As Johan already wrote, Subversion does not look anywhere but in its
authorisation files for group definitions. Not LDAP, nor AD, nor any
other group directory. If your groups are defined in LDAP, then you very
likely already have a tool that extracts them from there into the proper
format for Subversion; in that case, all you need to do is tell svnauthz
about that file, see the '--groups-file' option.

-- Brane

> -----Original Message-----
> From: Branko Čibej [mailto:brane_at_apache.org]
> Sent: Dienstag, 11. Dezember 2018 20:54
> To: Stuempfig, Thomas (DF PL S&SE DE PSM EAI) <thomas.stuempfig_at_siemens.com>; users_at_subversion.apache.org
> Subject: Re: Check Path based authorization
>
> On 11.12.2018 18:40, Stuempfig, Thomas wrote:
>> Hi Brane,
>> well after testing the tool does not actually do what i would like. But it is giving me a starting point / work around.
>> I tested the tool with Visualsvn Server on windows
>>
>>
>> Steps to reproduce
>> 1) configure basic windows authentication
>>
>> 2) grant" rw" access to the repository root path for AD group
>> Visualsvn server places the objectSid
>> S-1-1-11-111111111-111111111-11111111-11111 of the group in the
>> VisualSVN-WinAuthz.ini file of the repository
>>
>> 3) svnauthz.exe accessof --username S-2-2-22-222222222-22222222-222222222-22222 d:\repositories\test\conf\VisualSVN-WinAuthz.ini
>> Where username is a member of the AD group objectSid
>> S-1-1-11-111111111-111111111-11111111-11111
>> Result no
>>
>> But
>> 4) svnauthz.exe accessof --username
>> S-1-1-11-111111111-111111111-11111111-11111 22222
>> d:\repositories\test\conf\VisualSVN-WinAuthz.ini
>> Gives "rw"
> I really have no idea what the WinAuthz.ini file is and what VisualSVN does with it. It's impossible to say if your result is expected if we don't see the contents of the authz file.
>
> But yes, 'svnauthz' will calculate access for users, not for groups. A user can be a member of several groups and the actual rights she has can be a combination of rights granted to the groups.
>
> -- Brane
>
> -----------------
> Siemens Industry Software GmbH; Anschrift: Franz-Geuer-Str. 10, 50823 Köln; Gesellschaft mit beschränkter Haftung; Geschäftsführer: Urban August, Daniel Trebes; Sitz der Gesellschaft: Köln; Registergericht: Amtsgericht Köln, HRB 84564
Received on 2018-12-12 13:59:33 CET

This is an archived mail posted to the Subversion Users mailing list.