subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nico Kadel-Garcia <nka...@gmail.com>
Subject Re: svn Farm
Date Sun, 10 Oct 2010 20:17:22 GMT
On Sat, Oct 9, 2010 at 3:05 PM, jehan procaccia <jehanproc2@gmail.com> wrote:
> Le 09/10/2010 20:40, Nico Kadel-Garcia a écrit :
>>
>> svn+ssh is the most secure, but it conflcts with your desire for LDAP
>> access. The SSH keys normally live under a single user's account, the
>> user who owns the repository, who hsould have a locked password. You
>> see why this conflicts with LDAP based user information and logins?
>>
>>
>
> No, I don't see why it conflicts ?
> here's again my scenario,
> 1) I set and manage all repositories with a unique local unix account (for
> example username svn !), that account issues all "svn create" and owns the
> repos filesystem directories
> 2) enable the server to resolve ldapusers (pam & nss ldap), so that the
> --tunnel-user=ldapusername option (see 3 below) works.

Right, all LDAP based. So rar, so good, this can be woven into the
HTTPS access or, conceivably, into the svnserve based access, although
I've never seen it done.

> 3) then add ldap users public ssh keys to the ~.ssh/authorized_keys of that
> unique svn manager account  as in :
> "command="svnserve -t --tunnel-user=ldapusername"ssh_rsa KEYXXXXX...
> COMMENT"
> The sysadmin (me )  will have to find a way to push ldapusers public keys to
> that unique svn manager (script/CGI ...)

This is an entirely distinct access technology. It contains not a
single fleck of LDAP in it it, except perhaps to publish the user
account information for the "svn manager account".

> Anything wrong in that scenario ?

Wrong, no, just confused. Steps 1 and 2 have nothing to do with step 3
and can be entirely discarded.

Mime
View raw message