httpd-users mailing list archives

From "Todd, David" <dt...@irobot.com>
Subject [users@httpd] Viewvc, kerberos and Location directives, an ordering problem?
Date Tue, 05 Feb 2008 14:58:11 GMT
I am trying to use viewvc to let my users browse the code base in our svn
repositories. We have a number of them.

Some of them must have restricted access, but at the same time, want to be
in a hierarchy with others that have a different access group.

The authentication takes place using kerberos. I doubt that's involved, but
I mention it just in case.

This is on an apache 2.0.52 server, on RHEL4.

I have two locations:

   <Location ~ "/viewvc/gni/?.*">
     AllowOverride None
     AuthType Kerberos
     AuthGroupFile /svn/conf/htgroup
     KrbAuthRealms WARDROBE.IROBOT.COM
     KrbSaveCredentials On
     KrbVerifyKDC Off
     KrbAppendRealm Off
     Krb5Keytab /svn/www/http.keytab
     KrbServiceName HTTP
     AuthName "iRobot Subversion Repository"
     Order deny,allow
     Satisfy All
     Require group gniuser
   </Location>

   <Location ~ "/viewvc/gni/res/?.*">
     AllowOverride None
     AuthType Kerberos
     AuthGroupFile /svn/conf/htgroup
     KrbAuthRealms WARDROBE.IROBOT.COM
     KrbSaveCredentials On
     KrbVerifyKDC Off
     KrbAppendRealm Off
     Krb5Keytab /svn/www/http.keytab
     KrbServiceName HTTP
     AuthName "iRobot Subversion Repository"
     Order deny,allow
     Satisfy All
     Require group res
   </Location>


I have two groups, gniuser and res, which is a subset of gniuser. Everyone
in res is in gniuser.

If I have these in the order presented (General, then specific), people on
the res group have no access at all. If I reverse the order, they have total
access, like others in gniuser.

I'm using locations because the actual access is via viewvc, a cgi script.

How do I set it up so that res can be in the gni directory, but have a
restricted set of users?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
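
An added example, not part of the original message: a small Python model of which of the two <Location ~> sections above match a request path and which Require group is left in effect for each ordering. It assumes httpd's documented behaviour that matching <Location> sections are merged in configuration order with a later Require replacing an earlier one; Kerberos authentication and the AuthGroupFile lookup are not modelled, and the user names and sample paths are constructed.

```python
import re

# The two <Location ~ ...> sections from the post: (regex, required group).
GENERAL = (r"/viewvc/gni/?.*", "gniuser")
SPECIFIC = (r"/viewvc/gni/res/?.*", "res")

# Membership as the post describes it: res is a subset of gniuser.
# The user names are constructed for this example.
GROUPS = {"gniuser": {"alice", "bob"}, "res": {"alice"}}


def matching_sections(sections, path):
    """Sections whose regex matches the path, in configuration order.

    <Location ~> patterns are unanchored, hence re.search, not re.fullmatch.
    """
    return [s for s in sections if re.search(s[0], path)]


def effective_group(sections, path):
    """Group required for path: the Require of the last matching section.

    Returns None when no section matches (the model then applies no Require).
    """
    matched = matching_sections(sections, path)
    return matched[-1][1] if matched else None


def allowed(sections, path, user):
    """True if the user is in the group left in effect for this path."""
    group = effective_group(sections, path)
    return group is None or user in GROUPS[group]


if __name__ == "__main__":
    # Constructed request paths; the last one shows the unanchored
    # "res/?.*" pattern also covering a sibling whose name starts with "res".
    paths = ["/viewvc/gni/trunk/", "/viewvc/gni/res/trunk/",
             "/viewvc/gni/resources/"]
    for label, order in (("general, then specific", [GENERAL, SPECIFIC]),
                         ("specific, then general", [SPECIFIC, GENERAL])):
        print(label)
        for p in paths:
            print(f"  {p:26} Require group {effective_group(order, p)}")
```

In this model both patterns match every path under /viewvc/gni/res/, so the section listed last decides which group is required there.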

