subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Feldhacker, Chris" <Feldhacker.Ch...@principal.com>
Subject RE: LDAP Group Configuration in AuthzSVNAccessFile
Date Thu, 01 Apr 2010 15:20:38 GMT
If you're willing to give up fine-grained, path-based authorization then you can use LDAP groups
to secure access to entire repositories at the top-level.  Just define a "Location" for each
respository and use Apache's LDAP integration capabilities to secure each location with one
or more LDAP groups.
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

Works fine for us!

The example below gives all authenticated users access to the "Publications" repository, but
only members of the AD group "SOMEAdingGroup" have read-write access.

<Location />
  AuthName "Subversion Server"
  AuthType Basic
  AuthBasicAuthoritative On
  AuthBasicProvider ldap

  # If ldap checks are to be used with non-ldap checks (like "valid-user"), set this to off
  AuthzLDAPAuthoritative off
  AuthLDAPURL ldaps://ad.company.com:3269/DC=ad,DC=company,DC=com?sAMAccountName?sub?(objectCategory=user)
  AuthLDAPBindDN CN=SOMEADMIN,OU=Users,DC=ad,DC=company,DC=com
  AuthLDAPBindPassword secret
</Location>

<Location /svn/Publications>
  DAV svn
  SVNPath \Repositories\Publications
  SVNPathAuthz off

  # The following users/groups will have read-write permission
  Require ldap-group CN=SOMEAdminGroup,OU=Groups,DC=ad,DC=company,DC=com

  <Limit GET PROPFIND OPTIONS REPORT>
    # For any read-only operation, allow these additional users/groups
    Require valid-user
  </Limit>
</Location>
  

-----Original Message-----
From: Giulio Troccoli [mailto:Giulio.Troccoli@uk.linedata.com] 
Sent: Thursday, April 01, 2010 10:02 AM
To: 'Lee Kaufman'
Cc: users@subversion.apache.org
Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile

> Thank you for your help but I think you may have misunderstood my 
> question.
> In your previous email where you showed the content of your 
> AuthzSVNAccessFile file as.  What I am looking for is to be able to is 
> where you say
>
> [groups]
> developers = Giulio Troccoli, Harpal Panesar
>
> I want to be able to say
> developers = CN=*****,OU=Security Groups,... A group I have defined in 
> LDAP.
>
> The groups and user permissions are already defined for other 
> applications and services and I do not want to have to manage them in 
> LDAP and SVN.  Know of any way of doing that?
>

Yes, sorry, I misunderstood you. I thought you meant "group" as in "a group in the access
file", like the developers group I have.

No, I don't think it's possible. The only way I can think of is the script that Stefan already
suggested.

Giulio


Linedata Services (UK) Ltd
Registered Office: Bishopsgate Court, 4-12 Norton Folgate, London, E1 6DB
Registered in England and Wales No 3027851    VAT Reg No 778499447






-----Message Disclaimer-----

This e-mail message is intended only for the use of the individual or
entity to which it is addressed, and may contain information that is
privileged, confidential and exempt from disclosure under applicable law.
If you are not the intended recipient, any dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this communication in error, please notify us immediately by
reply email to Connect@principal.com and delete or destroy all copies of
the original message and attachments thereto. Email sent to or from the
Principal Financial Group or any of its member companies may be retained
as required by law or regulation.

Nothing in this message is intended to constitute an Electronic signature
for purposes of the Uniform Electronic Transactions Act (UETA) or the
Electronic Signatures in Global and National Commerce Act ("E-Sign")
unless a specific statement to the contrary is included in this message.

While this communication may be used to promote or market a transaction
or an idea that is discussed in the publication, it is intended to provide
general information about the subject matter covered and is provided with
the understanding that The Principal is not rendering legal, accounting,
or tax advice. It is not a marketed opinion and may not be used to avoid
penalties under the Internal Revenue Code. You should consult with
appropriate counsel or other advisors on all matters pertaining to legal,
tax, or accounting obligations and requirements.


Mime
View raw message