Date: Sat, 09 Oct 2010 21:05:10 +0200
From: jehan procaccia
Reply-To: jehan.procaccia@it-sudparis.eu
To: Nico Kadel-Garcia
CC: "users@subversion.apache.org"
Subject: Re: svn Farm

On 09/10/2010 20:40, Nico Kadel-Garcia wrote:
> svn+ssh is the most secure, but it conflicts with your desire for LDAP
> access. The SSH keys normally live under a single user's account, the
> user who owns the repository, who should have a locked password. You
> see why this conflicts with LDAP based user information and logins?

No, I don't see why it conflicts? Here's again my scenario:

1) I set and manage all repositories with a unique local unix account (for example username svn!); that account issues all "svn create" and owns the repos filesystem directories.
2) Enable the server to resolve ldapusers (pam & nss ldap), so that the --tunnel-user=ldapusername option (see 3 below) works.
3) Then add ldap users' public ssh keys to the ~/.ssh/authorized_keys of that unique svn manager account, as in:

   command="svnserve -t --tunnel-user=ldapusername" ssh-rsa KEYXXXXX... COMMENT

The sysadmin (me) will have to find a way to push ldapusers' public keys to that unique svn manager (script/CGI ...).

Anything wrong in that scenario?

Thanks.
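
Added example, not part of the original message: one way the key-push script from step 3 could build the authorized_keys entries, validating the LDAP username and the submitted key so that neither can alter the forced command or add extra lines. The username pattern, the allowed key types, the extra OpenSSH restriction options and all function names are assumptions made for this illustration.

```python
import base64
import re
import struct

# Standard OpenSSH authorized_keys options: the key may run the forced command only.
RESTRICT = "no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # assumed username policy
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519"}         # assumed key-type policy

def blob_key_type(b64):
    """Return the key type named inside the base64 key blob, or None if malformed."""
    try:
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        name = blob[4:4 + n]
        return name.decode("ascii") if len(name) == n else None
    except (ValueError, struct.error):
        return None

def authorized_keys_line(username, pubkey):
    """Build one forced-command entry; raise ValueError on anything suspicious."""
    # fullmatch: no quotes, commas, spaces or newlines can reach the options field.
    if not USER_RE.fullmatch(username):
        raise ValueError(f"bad username: {username!r}")
    fields = pubkey.split()
    if len(fields) < 2:
        raise ValueError("bad key format")
    ktype, b64 = fields[0], fields[1]
    if ktype not in ALLOWED_TYPES or blob_key_type(b64) != ktype:
        raise ValueError(f"bad key for {username}")
    # The key's own comment field is dropped; the username is written instead.
    return f'command="svnserve -t --tunnel-user={username}",{RESTRICT} {ktype} {b64} {username}'

def build_authorized_keys(entries):
    """entries: iterable of (ldap_username, public_key). Returns (file_text, rejected_users)."""
    lines, rejected = [], []
    for user, key in entries:
        try:
            lines.append(authorized_keys_line(user, key))
        except ValueError:
            rejected.append(user)
    return "".join(line + "\n" for line in lines), rejected

# Constructed sample key: a well-formed blob header followed by 32 zero bytes (not a real key).
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)).decode() + " alice@laptop"

if __name__ == "__main__":
    text, bad = build_authorized_keys([("alice", SAMPLE_KEY), ('bob" ', SAMPLE_KEY)])
    print(text, "rejected:", bad)
```

Write the returned text to a temporary file and rename it over the svn account's authorized_keys, so sshd never reads a half-written file.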