Subject: Re: LDAP Usage Question
To: users@subversion.apache.org
From: Branko Čibej
Organization: The Apache Software Foundation
Message-ID: <0b098a22-6925-81a4-51c4-70906c63d6bd@apache.org>
Date: Tue, 24 May 2016 10:21:29 +0200

On 24.05.2016 09:51, Dariusz Nowak wrote:
> Hello,
>
> I'm new in subversion world and tried to research something yesterday
> - without success, so decided to post here. My question is related to
> authentication using LDAP.
>
> My scenario is that I will require 2 auth methods (passwd + ldap) all
> of services (like Jenkins) will use passwd + authz and all of "humans"
> will use their AD accounts. I found really useful option in config
> aliases however got small problem applying to LDAP. And my question is:
>
> Can I create aliases for LDAP groups? I want in my LDAP AUTH file to
> have something like:
>
> [aliases]
> mygroup = CN=PATH,DN=TO,DN=LDAP,DN=GROUP
>
> [/]
> @mygroup = r
>
> So I'm allowing for example every User object in my ldap tree to
> access, but later limiting it like that ... this is how our current
> setup works (a lot of hardcoded user/groups in auth/passwd files and
> [/path/to/repo] = group1 = r, group2 = rw etc.)

Unfortunately that won't work. The LDAP authentication happens within Apache before Subversion's Authz module is invoked, and group membership information isn't transmitted to mod_authz_svn; only user identity is.

You'll have to use 'Require ldap-group' directives in your httpd.conf, then duplicate the group definitions in the Subversion authz file. You can probably automate the group definition part by writing a script that scrapes the LDAP database and writes a svn_authz group definition file.

-- Brane
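
An added example, not part of the original message or of Subversion itself: one way the suggested script could turn an LDAP export into an authz `[groups]` section while refusing names that would inject extra lines into the access-control file. It assumes Active Directory style `sAMAccountName` and `memberOf` attributes exported with `ldapsearch -LLL`; the group names, sample entries and function names are hypothetical.

```python
import base64
import re

# Constructed sample of `ldapsearch -LLL` output; AD-style attributes are assumed.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=org
sAMAccountName: alice
memberOf: CN=svn-dev,OU=Groups,DC=example,DC=org
memberOf: CN=svn-read,OU=Groups,DC=example,DC=org

dn: CN=Bob Example,OU=Staff,DC=example,DC=org
sAMAccountName: bob
memberOf: CN=svn-read,OU=Gro
 ups,DC=example,DC=org

dn: CN=Eve Example,OU=Staff,DC=example,DC=org
sAMAccountName:: ZXZlClsvXQ==
"""
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")  # excludes newline, '=', ',', '[', '@'

def parse_ldif(text):
    """Yield {attr: [values]} per entry, undoing line folding and base64 values."""
    text = text.replace("\n ", "")  # LDIF folds long lines as newline + space
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        yield entry

def build_groups(ldif_text, allowed_groups):
    """Map each allow-listed group CN to its members; return (groups, rejected)."""
    groups, rejected = {name: set() for name in allowed_groups}, []
    for entry in parse_ldif(ldif_text):
        user = entry.get("samaccountname", [""])[0]
        if not SAFE_NAME.fullmatch(user):  # fullmatch: '$' would allow a trailing newline
            rejected.append(user)  # never written to the authz file
            continue
        for dn in entry.get("memberof", []):
            m = re.match(r"cn=([^,]+),", dn, re.IGNORECASE)
            if m and m.group(1) in groups:
                groups[m.group(1)].add(user)
    return groups, rejected

def render_authz_groups(groups):
    lines = [f"{g} = {', '.join(sorted(groups[g]))}" for g in sorted(groups)]
    return "\n".join(["[groups]", *lines]) + "\n"
```

The user names written must be the same strings Apache authenticates (the attribute named in `AuthLDAPURL`), since only the user identity reaches mod_authz_svn. `memberOf` lists direct membership only, so nested groups need to be expanded before this step.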