subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Johan Corveleyn <jcor...@gmail.com>
Subject Re: Check Path based authorization
Date Wed, 12 Dec 2018 10:21:36 GMT
On Wed, Dec 12, 2018 at 9:28 AM Stuempfig, Thomas
<thomas.stuempfig@siemens.com> wrote:
>
> Hi Brane,
>
> sorry i cannot post the contents of VisualSVN-WinAuthz.ini file since it is company security
related.
> I will take some time to setup a separate Demo LDAP, but this will take some time.
>
> But basically my observation is
>
> 1) You have ldap group "GroupA"
> 2) Within that group you have users user_a and user_b (memberOf Attribute)
>
> now
> 3)  you setup your  repo authz file
> *****************************
> [/]
> user_a          rw
> GroupA          rw
> *****************************
>
> (I explicity do not include something like Group_A=user_a,user_b and set @Group_A rw
in authz file as this would duplicate ldap definition
> of Group membership)
>
> svnauthz gives "rw" for user_a and "Result no" for user_b
>
>
>
> my guess is that svnauthz does not evaluate the actual ldap info and ony cares about
groups defined in authz file whereas "svn --username .. ." does authenticate with the ldap-group.
 If I am thinking about the svnauthz commandline, svnauthz has no information about the ldap
connection which sits in apache httpd.conf.
>

Okay, it seems there is some misunderstanding here. First of all,
"core" svn does not by itself have support for LDAP groups for
authorization. Indeed, it only looks at groups that are defined in the
authz file itself.

The VisualSVN-WinAuthz.ini file is an extra feature developed by
VisualSVN, on top of "core" svn. So indeed, the svnauthz commandline
tool does not know about those groups.

To get some help on using / validating the VisualSVN-WinAuthz.ini
file, you'll have to reach out to VisualSVN people (some of them are
reading this list too, so they might be able to comment further here).

-- 
Johan

Mime
View raw message