From jehan procaccia <jehan.procac...@it-sudparis.eu>
Subject Re: svn Farm
Date Mon, 11 Oct 2010 17:46:40 GMT
  On 10/10/2010 22:17, Nico Kadel-Garcia wrote:
> On Sat, Oct 9, 2010 at 3:05 PM, jehan procaccia<jehanproc2@gmail.com>  wrote:
>> On 09/10/2010 20:40, Nico Kadel-Garcia wrote:
>>> svn+ssh is the most secure, but it conflicts with your desire for LDAP
>>> access. The SSH keys normally live under a single user's account, the
>>> user who owns the repository, who should have a locked password. You
>>> see why this conflicts with LDAP based user information and logins?
>>>
>>>
>> No, I don't see why it conflicts?
>> Here's my scenario again:
>> 1) I set up and manage all repositories with a unique local unix account (for
>> example, username svn!); that account issues all "svn create" commands and owns the
>> repos' filesystem directories.
>> 2) Enable the server to resolve ldapusers (pam & nss ldap), so that the
>> --tunnel-user=ldapusername option (see 3 below) works.
> Right, all LDAP based. So far, so good, this can be woven into the
> HTTPS access or, conceivably, into the svnserve based access, although
> I've never seen it done.
No, I don't want to use only HTTPS. If it's served only by HTTPS then I 
must use svn+https URLs, and then I run into the problem of re-entering 
the LDAP password at each svn command (back to the "rant" of this weekend 
;-) ...).
I want to stick with svn+ssh just because that will allow my clients to 
use svn without re-auth at each command.
As long as their key is in the unique svn manager's authorized_keys file, 
users won't have to enter a password.
I need ldap (nss+pam) on the svn server though, to enable the system to 
resolve ldapusername for the

--tunnel-user=ldapusername

option of the "svnserve" command, so that authz does resolve the username and 
hence restricts access to the users allowed on a specific repository.
>> 3) Then add ldap users' public ssh keys to the ~/.ssh/authorized_keys of that
>> unique svn manager account, as in:
>> command="svnserve -t --tunnel-user=ldapusername" ssh-rsa KEYXXXXX...
>> COMMENT
>> The sysadmin (me) will have to find a way to push ldapusers' public keys to
>> that unique svn manager (script/CGI ...).
> This is an entirely distinct access technology. It contains not a
> single fleck of LDAP in it, except perhaps to publish the user
> account information for the "svn manager account".
This is svn+ssh: in the svn manager's authorized_keys file I will have, for 
each of my ldapusernames, a line:

command="svnserve -t --tunnel-user=ldapusername" ssh-rsa KEYXXXXX...

which will start an svnserve process on the server for that specific ldapuser 
(owner of the private key matching that public key) => hence allows authZ 
access to his repo.
>> Anything wrong in that scenario?
> Wrong, no, just confused. Steps 1 and 2 have nothing to do with step 3
> and can be entirely discarded.
I think you misunderstood my scenario: here step 3 follows 
steps 1 & 2 because I chose svn+ssh!

Regards.

PS: I'll have to test all this though... I just wanted to be reassured 
that the scenario is not foolish.
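The forced-command authorized_keys line discussed in this thread, generated by a small script as an added example (not code from the thread or from the Subversion project). It assumes the shared account's repositories live under /srv/svn (a constructed path) and shows the two checks the "push keys" script from step 3 needs: the LDAP username is interpolated into the command string, so it must be restricted to safe characters, and the key record itself must be well formed. It also adds the -r root and the no-* options that keep the key usable for svnserve only.

```sh
#!/bin/sh
# Added example: build authorized_keys lines for the shared "svn" account so
# that each LDAP user's key is forced into "svnserve -t --tunnel-user=...".
# /srv/svn is a constructed repository root, not a value from the thread.
SVN_ROOT=/srv/svn

# The username ends up inside command="..."; reject anything outside a
# conservative charset so a quote or space cannot alter the forced command.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one authorized_keys line for LDAP user $1 with key type $2 and
# base64 body $3. Prints nothing and returns 1 if any field is invalid.
authorized_keys_line() {
    user=$1; ktype=$2; kbody=$3
    valid_user "$user" || return 1
    case "$ktype" in ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256) ;; *) return 1 ;; esac
    case "$kbody" in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    # -t: tunnel mode; --tunnel-user: identity used by authz; -r: confine the
    # client to repositories below SVN_ROOT. The no-* options stop the key
    # from being used for anything other than the svnserve command.
    printf 'command="svnserve -t --tunnel-user=%s -r %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s %s %s\n' \
        "$user" "$SVN_ROOT" "$ktype" "$kbody" "$user"
}

# Read "user keytype keybody" records on stdin and print the authorized_keys
# content; malformed records are reported on stderr and skipped.
build_authorized_keys() {
    while read -r u t b; do
        authorized_keys_line "$u" "$t" "$b" || echo "skipping invalid record for '$u'" >&2
    done
}

# Constructed sample input (not real users or keys): the second record has a
# quote in the username and must be rejected.
printf '%s\n' 'alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyA' \
              'mal"lory ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedKeyB' | build_authorized_keys
```

Redirect the output into the shared account's ~/.ssh/authorized_keys once the key source (LDAP attribute, form upload, etc.) has been checked by the same validation.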

