subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kedar Sirshikar (ksirshik)" <ksirs...@cisco.com>
Subject Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive
Date Sun, 03 Sep 2017 19:36:04 GMT
Thank you, Brane, for your reply.

I updated subversion.conf to include group’s attribute memberUid

    AuthLDAPURL ldaps://ldap_l.cisco.com:10648/dc=sprint,dc=com?hasSubordinates,objectClass?sub?uid



    AuthLDAPBindDN uid=admin,ou=system

    AuthLDAPBindPassword secret



    AuthzLDAPAuthoritative on

    AuthLDAPGroupAttributeIsDN off

    #AuthLDAPGroupAttribute cn

    AuthLDAPGroupAttribute memberUid

        #<RequireAll>

            Require valid-user

            <Limit HEAD GET OPTIONS PROPFIND REPORT>

                #<RequireAny>

                    # Read access

                    Require ldap-group cn=User,ou=groups,dc=sprint,dc=com

                #</RequireAny>

            </Limit>

            <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>

                #<RequireAny>

                    # Write access

                    Require ldap-group cn=Roles,ou=groups,dc=sprint,dc=com

                    Require ldap-attribute gidNumber=491

                    #Require ldap-group cn=Admin,ou=groups,dc=sprint,dc=com

                #</RequireAny>

            </LimitExcept>

        #</RequireAll>

I have also updated screen shots for sssd_pb and Roles group. I feel there is something wrong
in this ldif because of which it is still not working.

Output of ldapsearch is

KSIRSHIK-M-33TW:~ ksirshik$ ldapsearch -H ldaps://ldap_l.cisco.com:10648 -x -D "uid=admin,ou=system"
-W -b "dc=sprint,dc=com" -s sub -a always -z 1000 "uid=sssd_pb"

Enter LDAP Password:

# extended LDIF

#

# LDAPv3

# base <dc=sprint,dc=com> with scope subtree

# filter: uid=sssd_pb

# requesting: ALL

#



# sssd_pb, Admin, groups, sprint.com

dn: uid=sssd_pb,cn=Admin,ou=groups,dc=sprint,dc=com

sn: sn_sssd_pb

cn: cn_sssd_pb

objectClass: posixAccount

objectClass: top

objectClass: inetOrgPerson

objectClass: person

objectClass: organizationalPerson

homeDirectory: /home/qns-svn

gidNumber: 491

uidNumber: 491

userPassword:: e1NTSEF9dGFPUmpYdTZ4TUxUemdmTjJVVlE3TkJiRVQwYkVqZWxTQ2V2T3c9PQ=

 =

uid: sssd_pb



# sssd_pb, users, sprint.com

dn: uid=sssd_pb,ou=users,dc=sprint,dc=com

sn: sn_sssd_pb

cn: cn=Admin,ou=groups,dc=sprint,dc=com

objectClass: posixAccount

objectClass: top

objectClass: inetOrgPerson

objectClass: person

objectClass: organizationalPerson

homeDirectory: /home/qns-svn

gidNumber: 491

uidNumber: 491

userPassword:: e1NTSEF9Qi94UDJVK3dtbWFDQW5hRVR5ZW1uL2RnenFudnBMdlNoaUxkOFE9PQ=

 =

uid: sssd_pb



# search result

search: 2

result: 0 Success



# numResponses: 3

# numEntries: 2

KSIRSHIK-M-33TW:~ ksirshik$



Regards,
Kedar.

From: Branko Čibej <brane@apache.org>
Organization: The Apache Software Foundation
Date: Saturday, September 2, 2017 at 5:07 AM
To: "Kedar Sirshikar (ksirshik)" <ksirshik@cisco.com>, "users@subversion.apache.org"
<users@subversion.apache.org>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile
directive

On 02.09.2017 03:50, Kedar Sirshikar (ksirshik) wrote:
Hi Brane,
I tried to follow your suggestions. Please refer attached latest version of ‘subversion.conf’

1.      I updated my subversion.conf to include ‘AuthLDAPGroupAttribute’ attribute. Its
value is set to cn as cn attribute has the group name (to which user is assigned)

AuthLDAPGroupAttribute is the name of the group's member list attribute, not the user's primary
group attribute.


Is there any way I can check for logs? If I get some relevant logs, I myself can dig down
more.

You should have Apache server logs available. If they're not detailed enough, you can increase
the log verbosity.


I came across below 2 urls which claim that it is not possible to get rid of AuthzSVNAccessFile
directive and you must use a file to configure groups and users.
http://grokbase.com/t/subversion/users/1477dcf8yc/how-to-control-access-of-a-subversion-repo-subfolder-via-ad-groups/oldest#responses_tab_top
https://github.com/whitlockjc/sync-ldap-groups-to-svn-authz

Now, I am little confused about whether it is really possible (or not) to fully avoid configuring
groups and user names in a separate file.

That depends on what you want to do. If you only want to control read-only vs. read-write
access to the whole repository, you can do that in the Apache config, as I showed you. If
you want more fine-grained access control, that's what the Subversion authz file is for. If
you want to do that per-user, then you will have to define users (and/or groups) in that file.
And yes, there are tools out there for automatically generating user and group lists for the
Subversion authz file from LDAP.

-- Brane

Mime
View raw message