subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Branko Čibej <br...@apache.org>
Subject Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive
Date Sat, 02 Sep 2017 12:07:03 GMT
On 02.09.2017 03:50, Kedar Sirshikar (ksirshik) wrote:
>
> Hi Brane,
>
> I tried to follow your suggestions. Please refer attached latest
> version of ‘subversion.conf’
>
> 1.       I updated my subversion.conf to include
> ‘AuthLDAPGroupAttribute’ attribute. Its value is set to cn as cn
> attribute has the group name (to which user is assigned)
>

AuthLDAPGroupAttribute is the name of the group's member list attribute,
not the user's primary group attribute.

> Is there any way I can check for logs? If I get some relevant logs, I
> myself can dig down more.
>

You should have Apache server logs available. If they're not detailed
enough, you can increase the log verbosity.

> I came across below 2 urls which claim that it is not possible to get
> rid of AuthzSVNAccessFile directive and you must use a file to
> configure groups and users.
>
> http://grokbase.com/t/subversion/users/1477dcf8yc/how-to-control-access-of-a-subversion-repo-subfolder-via-ad-groups/oldest#responses_tab_top
>
> https://github.com/whitlockjc/sync-ldap-groups-to-svn-authz
>
>  
>
> Now, I am little confused about whether it is really possible (or not)
> to fully avoid configuring groups and user names in a separate file.
>

That depends on what you want to do. If you only want to control
read-only vs. read-write access to the whole repository, you can do that
in the Apache config, as I showed you. If you want more fine-grained
access control, that's what the Subversion authz file is for. If you
want to do that per-user, then you will have to define users (and/or
groups) in that file. And yes, there are tools out there for
automatically generating user and group lists for the Subversion authz
file from LDAP.

-- Brane

Mime
View raw message