subversion-users mailing list archives

From "Lee Kaufman" <lee.kauf...@transmetric.com>
Subject RE: LDAP Group Configuration in AuthzSVNAccessFile
Date Thu, 01 Apr 2010 14:39:40 GMT
Thank you for your help, but I think you may have misunderstood my question.
In your previous email you showed the content of your AuthzSVNAccessFile.
What I am looking for is to be able to, where you say

[groups]
developers = Giulio Troccoli, Harpal Panesar

I want to be able to say
developers = CN=*****,OU=Security Groups,...   (a group I have defined in LDAP).

The groups and user permissions are already defined for other applications
and services and I do not want to have to manage them in LDAP and SVN.  Know
of any way of doing that?


-----Original Message-----
From: Giulio Troccoli [mailto:Giulio.Troccoli@uk.linedata.com] 
Sent: Thursday, April 01, 2010 9:16 AM
To: 'Lee Kaufman'
Cc: 'users@subversion.apache.org'
Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile

> -----Original Message-----
> From: Lee Kaufman [mailto:lee.kaufman@transmetric.com] 
> Sent: 01 April 2010 14:57
> To: Giulio Troccoli
> Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile
> 
> Right but how do I define that group as a LDAP group e.g.
> CN=hasReadWrite,DN=groups,DN=myDomain?
> 
This is the full config (sensitive information has been replaced by
********)

##
## Define the alias of LDAP authentication
##
<AuthnProviderAlias ldap ldap-test>
   # Only the first attribute (SAMAccountName) is searched for the login name;
   # the second (name) is fetched so it can be used for REMOTE_USER below
   AuthLDAPURL "ldap://*******/OU=Users,OU=London,OU=North Europe,OU=Regional,DC=ad,DC=linedata,DC=com?SAMAccountName,name?sub?(objectClass=*)"
   AuthLDAPBindDN "CN=SA_Subversion,OU=Service Accounts,OU=Global,DC=ad,DC=linedata,DC=com"
   AuthLDAPBindPassword ********
   AuthzLDAPAuthoritative off
   # REMOTE_USER, and so the user name mod_authz_svn matches against the
   # access file, becomes the AD "name" attribute instead of the login name
   AuthLDAPRemoteUserAttribute name
</AuthnProviderAlias>

##
## Define the alias for SVN Admins authentication
##
<AuthnProviderAlias file svn-admins>
   AuthUserFile /usr/local/apache2/etc/svn-admin.passwd
</AuthnProviderAlias>

<Location /svn-test>
   DAV svn
   SVNPath /data/TestRepositories/svn-test

   # Name of the repository
   AuthName "Subversion Testing Repository"

   # What authentication to use (providers are tried in this order)
   AuthType Basic
   AuthBasicProvider ldap-test svn-admins file

   # How to authenticate extra people
   AuthUserFile /usr/local/apache2/etc/svn-test.passwd

   # Always require an authenticated user
   #Allow from all
   Order deny,allow
   Require valid-user

   # Access Control Policy
   AuthzSVNAccessFile /usr/local/apache2/etc/svn-test.access
</Location>



> -----Original Message-----
> From: Giulio Troccoli [mailto:Giulio.Troccoli@uk.linedata.com]
> Sent: Thursday, April 01, 2010 2:42 AM
> To: 'Stefan Sperling'; 'Aaron Turner'
> Cc: 'Lee Kaufman'; users@subversion.apache.org
> Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile
> 
> > > > I have been set the task of setting up SVN and connecting
> > > > Authentication and Authorization to our MS Active Directory system.
> > > > The SVN is now running on a Debian Linux server.  I have
> > > > successfully set up Authentication to authenticate users who have
> > > > access to the SVN system based on a Security Group in our AD.
> > > >
> > > > The next task, where I am encountering the difficulty, is in
> > > > Authorizing individual users to read and write to the individual
> > > > repositories.  From what I have seen, to do this I need an
> > > > AuthzSVNAccessFile file.
> > > > However I have not been able to find any documentation on how to
> > > > accomplish this using AD groups.  Below is a simple example.
> > >
> > > Last time I checked, you can't do authorization via LDAP/AD.  Just
> > > authentication.  Hence the lack of documentation on the subject.
> >
> > Various wrapper scripts exist which generate an authz rules file from
> > data pulled from LDAP/AD directories. I agree that it would be nice to
> > have built-in support for this in mod_authz_svn though.
> >
> 
> A few months ago I was experimenting with this and I found out
> that it can easily work.
> 
> My Apache configuration for the repository contained 
> "AuthzLDAPAuthoritative off" and "AuthLDAPRemoteUserAttribute 
> name". I'm not sure you need AuthzLDAPAuthoritative but it's 
> AuthLDAPRemoteUserAttribute that allowed me to write the 
> access file like this
> 
> [groups]
> developers = Giulio Troccoli, Harpal Panesar
> 
> [svn-test:/]
> * = r
> svnsync = r
> 
> [svn-test:/trunk]
> @developers = rw
> 
> I'm pretty sure it worked but, as I said, it was a few months
> ago, so maybe I just saved this configuration for further
> investigation rather than for immediate use.
> 
> Giulio
> 
> 
> Linedata Services (UK) Ltd
> Registered Office: Bishopsgate Court, 4-12 Norton Folgate, 
> London, E1 6DB
> Registered in England and Wales No 3027851    VAT Reg No 778499447
> 
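
The wrapper-script approach Stefan mentions, as an added example that is not part of this thread and not code from Subversion or Apache. It generates the [groups] section of the access file from AD group membership and appends Giulio's hand-written path rules. Everything about the directory is assumed: the entries are a constructed in-memory stand-in for LDAP search results (invented DNs and people, including a deliberately awkward "Surname, Forename" display name), and the AD-group-to-authz-group mapping is the one Lee describes. The principal written into the file is whatever attribute AuthLDAPRemoteUserAttribute puts into REMOTE_USER (the "name" attribute in Giulio's config), so the script takes that attribute as a parameter. It goes slightly beyond the thread in two ways: nested AD groups are expanded (with cycle protection), and any value that would collide with authz syntax (a comma, which is the member separator in [groups]; a leading @, &, $ or *; a #) is reported rather than written, which is the practical reason to prefer sAMAccountName over display names as REMOTE_USER.

```python
"""Generate a mod_authz_svn access file from AD/LDAP group membership.

Added example, not from the thread.  A constructed dict stands in for the
python-ldap search so the script runs offline.
"""
import re

# Constructed sample directory (DN -> attributes).  Invented names and DNs;
# only the shape (objectClass, member, name, sAMAccountName) mirrors AD.
DIRECTORY = {
    "CN=SVN Developers,OU=Security Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [
            "CN=Giulio Troccoli,OU=Users,DC=example,DC=com",
            "CN=Harpal Panesar,OU=Users,DC=example,DC=com",
            "CN=SVN Contractors,OU=Security Groups,DC=example,DC=com",  # nested group
        ],
    },
    "CN=SVN Contractors,OU=Security Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [
            "CN=Smith\\, Jane,OU=Users,DC=example,DC=com",  # display name has a comma
            "CN=SVN Developers,OU=Security Groups,DC=example,DC=com",  # cycle back
        ],
    },
    "CN=Giulio Troccoli,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "name": ["Giulio Troccoli"], "sAMAccountName": ["gtroccoli"]},
    "CN=Harpal Panesar,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "name": ["Harpal Panesar"], "sAMAccountName": ["hpanesar"]},
    "CN=Smith\\, Jane,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "name": ["Smith, Jane"], "sAMAccountName": ["jsmith"]},
}

# authz group name -> AD group DN (assumed mapping, the thing Lee wants to express)
GROUP_MAP = {
    "developers": "CN=SVN Developers,OU=Security Groups,DC=example,DC=com",
}

# Tokens that mean something inside [groups]: ',' separates members, '#' starts a
# comment, and a leading '@', '&', '$' or '*' denotes a group, alias, built-in or anyone.
UNSAFE = re.compile(r"[,#\r\n]|^[@&$*]")


def is_authz_safe(principal):
    """True if this REMOTE_USER value can be written verbatim into the access file."""
    return bool(principal) and principal == principal.strip() and not UNSAFE.search(principal)


def resolve_users(group_dn, directory, seen=None):
    """Transitive user membership of a group: nested groups expanded, cycles ignored."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users = set()
    for member_dn in directory.get(group_dn, {}).get("member", []):
        entry = directory.get(member_dn)
        if entry is None:
            continue  # stale member or foreign security principal: not a local user
        if "group" in entry["objectClass"]:
            users |= resolve_users(member_dn, directory, seen)
        else:
            users.add(member_dn)
    return users


def build_groups(group_map, directory, remote_user_attr="name"):
    """Return ({authz_group: sorted principals}, [(authz_group, dn, value) skipped]).

    remote_user_attr is the attribute named by AuthLDAPRemoteUserAttribute.
    """
    groups, skipped = {}, []
    for authz_name, group_dn in group_map.items():
        principals = []
        for user_dn in sorted(resolve_users(group_dn, directory)):
            value = directory[user_dn].get(remote_user_attr, [None])[0]
            if value is None or not is_authz_safe(value):
                skipped.append((authz_name, user_dn, value))
                continue
            principals.append(value)
        groups[authz_name] = sorted(principals)
    return groups, skipped


def render(groups, rules):
    """Emit the access file: generated [groups] followed by hand-maintained path rules."""
    lines = ["[groups]"]
    for name, members in sorted(groups.items()):
        lines.append("%s = %s" % (name, ", ".join(members)))
    lines.append("")
    lines.append(rules.strip())
    return "\n".join(lines) + "\n"


# Path rules, kept by hand (taken from Giulio's example)
RULES = """
[svn-test:/]
* = r
svnsync = r

[svn-test:/trunk]
@developers = rw
"""

if __name__ == "__main__":
    groups, skipped = build_groups(GROUP_MAP, DIRECTORY, "name")
    print(render(groups, RULES), end="")
    for authz_name, dn, value in skipped:
        print("# skipped %s in %s: %r is not safe to write verbatim" % (dn, authz_name, value))
```

Run with "name" the output lists Giulio Troccoli and Harpal Panesar under developers and reports the comma-bearing display name as skipped; run with "sAMAccountName" all three login names are written. In production the DIRECTORY dict is replaced by a real LDAP search (bound with the same read-only service account Apache uses), the script runs from cron, and the result is written to a temporary file and renamed over the AuthzSVNAccessFile so Apache, which re-reads the file as requests arrive, never sees a half-written policy.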