From: Giulio Troccoli <Giulio.Troccoli@uk.linedata.com>
To: 'Lee Kaufman' <lee.kaufman@transmetric.com>
CC: users@subversion.apache.org
Date: Thu, 1 Apr 2010 15:15:55 +0100
Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile
Message-ID: <6680A70380E6BA44A2D94ED7085718EE1FE1BE0894@ln1exc03>
In-Reply-To: <009c01cad1a3$30d80ba0$928822e0$@kaufman@transmetric.com>
References: <8768514005100821615@unknownmsgid> <20100331212538.GA10083@jack.stsp.name> <6680A70380E6BA44A2D94ED7085718EE1FE1BE07F4@ln1exc03> <009c01cad1a3$30d80ba0$928822e0$@kaufman@transmetric.com>
Mailing-List: contact users-help@subversion.apache.org; run by ezmlm

> -----Original Message-----
> From: Lee Kaufman [mailto:lee.kaufman@transmetric.com]
> Sent: 01 April 2010 14:57
> To: Giulio Troccoli
> Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile
>
> Right but how do I define that group as a LDAP group e.g.
> CN=hasReadWrite,DN=groups,DN=myDomain?
>

This is the full config (sensitive information has been replaced by ********)

##
## Define the alias of LDAP authentication
##
# The container tags were lost from the archived message; the alias name
# ldap-test is taken from the AuthBasicProvider line below.
<AuthnProviderAlias ldap ldap-test>
    AuthLDAPURL "ldap://*******/OU=Users,OU=London,OU=North Europe,OU=Regional,DC=ad,DC=linedata,DC=com?SAMAccountName,name?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=SA_Subversion,OU=Service Accounts,OU=Global,DC=ad,DC=linedata,DC=com"
    AuthLDAPBindPassword ********
    AuthzLDAPAuthoritative off
    AuthLDAPRemoteUserAttribute name
</AuthnProviderAlias>

##
## Define the alias for SVN Admins authentication
##
<AuthnProviderAlias file svn-admins>
    AuthUserFile /usr/local/apache2/etc/svn-admin.passwd
</AuthnProviderAlias>

# The Location path was not preserved in the archived message; /svn-test is assumed.
<Location /svn-test>
    DAV svn
    SVNPath /data/TestRepositories/svn-test

    # Name of the repository
    AuthName "Subversion Testing Repository"

    # What authentication to use
    AuthType Basic
    AuthBasicProvider ldap-test svn-admins file

    # How to authenticate extra people
    AuthUserFile /usr/local/apache2/etc/svn-test.passwd

    # Always require an authenticated user
    #Allow from all
    Order deny,allow
    Require valid-user

    # Access Control Policy
    AuthzSVNAccessFile /usr/local/apache2/etc/svn-test.access
</Location>

> -----Original Message-----
> From: Giulio Troccoli [mailto:Giulio.Troccoli@uk.linedata.com]
> Sent: Thursday, April 01, 2010 2:42 AM
> To: 'Stefan Sperling'; 'Aaron Turner'
> Cc: 'Lee Kaufman'; users@subversion.apache.org
> Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile
>
> > > > I have been set the task of setting up SVN and connecting
> > > > Authentication and Authorization to our MS Active Directory system.
> > > > The SVN is now running on a Debian Linux server. I have
> > > > successfully set up Authentication to authenticate users who have
> > > > access to the SVN system based on a Security Group in our AD.
> > > >
> > > > The next task, where I am encountering the difficulty, is in
> > > > Authorizing individual users to read and write to the individual
> > > > repositories. From what I have seen, to do this I need an
> > > > AuthzSVNAccessFile file.
> > > >
> > > > However I have not been able to find any documentation on how to
> > > > accomplish this using AD groups. Below is a simple example.
> > >
> > > Last time I checked, you can't do authorization via LDAP/AD. Just
> > > authentication. Hence the lack of documentation on the subject.
> >
> > Various wrapper scripts exist which generate an authz rules file from
> > data pulled from LDAP/AD directories. I agree that it would be nice to
> > have built-in support for this in mod_authz_svn though.
>
> Few months ago I was experimenting with this and I found out that it can
> easily work.
>
> My Apache configuration for the repository contained
> "AuthzLDAPAuthoritative off" and "AuthLDAPRemoteUserAttribute name". I'm
> not sure you need AuthzLDAPAuthoritative but it's AuthLDAPRemoteUserAttribute
> that allowed me to write the access file like this
>
> [groups]
> developers = Giulio Troccoli, Harpal Panesar
>
> [svn-test:/]
> * = r
> svnsync = r
>
> [svn-test:/trunk]
> @developers = rw
>
> I'm pretty sure it worked but, as I said, it was few months ago so maybe I
> just saved this configuration for further investigation rather than for
> immediate use.
>
> Giulio
>
> Linedata Services (UK) Ltd
> Registered Office: Bishopsgate Court, 4-12 Norton Folgate, London, E1 6DB
> Registered in England and Wales No 3027851 VAT Reg No 778499447
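The thread mentions two approaches: Stefan's "wrapper scripts which generate an authz rules file from data pulled from LDAP/AD", and Giulio's hand-written [groups] section whose member names are AD display names (because AuthLDAPRemoteUserAttribute name makes REMOTE_USER the `name` attribute). The script below is an added example written for this page, not code from the thread or from Subversion: it renders an access file in the layout Giulio showed from a group-to-members mapping, then validates the result so that a typo in a group name is caught before the file is deployed. The SAMPLE_DIRECTORY_GROUPS dict is constructed data standing in for an LDAP search; the group "release-managers" and the /tags rule are made up for illustration.

```python
"""Generate and validate a mod_authz_svn access file from directory group data."""
import configparser

# Constructed sample of what a directory lookup of the AD groups would return.
# In a real deployment this mapping comes from an LDAP search (e.g. with
# python-ldap); the member values must be the same attribute that Apache
# exposes as REMOTE_USER (here the AD 'name' attribute, hence full names).
SAMPLE_DIRECTORY_GROUPS = {
    "developers": ["Giulio Troccoli", "Harpal Panesar"],
    "release-managers": ["Harpal Panesar"],   # made-up group for illustration
}

# Path rules per repository; a principal starting with '@' refers to a group.
RULES = {
    "svn-test:/": {"*": "r", "svnsync": "r"},
    "svn-test:/trunk": {"@developers": "rw"},
    "svn-test:/tags": {"@release-managers": "rw"},   # made-up rule for illustration
}

VALID_PERMS = ("", "r", "rw")   # empty string = explicitly no access


def render_authz(groups, rules):
    """Return the text of an AuthzSVNAccessFile: [groups] first, then path rules."""
    lines = ["[groups]"]
    for name in sorted(groups):
        lines.append(f"{name} = {', '.join(groups[name])}")
    for path, entries in rules.items():
        lines.append("")
        lines.append(f"[{path}]")
        for principal, perm in entries.items():
            lines.append(f"{principal} = {perm}")
    return "\n".join(lines) + "\n"


def validate_authz(text):
    """Return a list of problems found in an access file, empty if it is clean.

    Checks that every '@group' used in a path rule is defined in [groups] and
    that every permission string is one of '', 'r' or 'rw'.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                       # keep the case of user names
    cp.read_string(text)
    known = set(cp["groups"]) if cp.has_section("groups") else set()
    problems = []
    for section in cp.sections():
        if section == "groups":
            continue
        for principal, perm in cp[section].items():
            if principal.startswith("@") and principal[1:] not in known:
                problems.append(f"{section}: unknown group {principal}")
            if perm not in VALID_PERMS:
                problems.append(f"{section}: bad permission '{perm}' for {principal}")
    return problems


if __name__ == "__main__":
    authz = render_authz(SAMPLE_DIRECTORY_GROUPS, RULES)
    print(authz)
    print("problems:", validate_authz(authz) or "none")
```

Run the generator from cron or a deploy hook and write to AuthzSVNAccessFile only when validate_authz returns an empty list, so a directory change or a misspelled group never produces a file that grants or denies access other than intended. One caveat worth keeping in mind with the configuration in this thread: because the authz identity is the AD display name rather than sAMAccountName, the access file is only as unambiguous as that attribute is unique in the directory.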