subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stuempfig, Thomas" <thomas.stuemp...@siemens.com>
Subject RE: Check Path based authorization
Date Wed, 12 Dec 2018 08:25:15 GMT
Hi Brane,

sorry i cannot post the contents of VisualSVN-WinAuthz.ini file since it is company security
related.
I will take some time to setup a separate Demo LDAP, but this will take some time.

But basically my observation is

1) You have ldap group "GroupA"
2) Within that group you have users user_a and user_b (memberOf Attribute)

now
3)  you setup your  repo authz file
*****************************
[/]
user_a          rw
GroupA          rw
*****************************

(I explicity do not include something like Group_A=user_a,user_b and set @Group_A rw in authz
file as this would duplicate ldap definition
of Group membership)

svnauthz gives "rw" for user_a and "Result no" for user_b



my guess is that svnauthz does not evaluate the actual ldap info and ony cares about groups
defined in authz file whereas "svn --username .. ." does authenticate with the ldap-group.
 If I am thinking about the svnauthz commandline, svnauthz has no information about the ldap
connection which sits in apache httpd.conf.

regards
Thomas










-----Original Message-----
From: Branko Čibej [mailto:brane@apache.org]
Sent: Dienstag, 11. Dezember 2018 20:54
To: Stuempfig, Thomas (DF PL S&SE DE PSM EAI) <thomas.stuempfig@siemens.com>; users@subversion.apache.org
Subject: Re: Check Path based authorization

On 11.12.2018 18:40, Stuempfig, Thomas wrote:
> Hi Brane,
> well after testing the tool does not actually do what i would like. But it is giving
me a starting point / work around.
> I tested the tool with Visualsvn Server on windows
>
>
> Steps to reproduce
> 1) configure basic windows authentication
>
> 2) grant" rw" access to the repository root path for AD group
>         Visualsvn server places the objectSid
> S-1-1-11-111111111-111111111-11111111-11111  of the group in the
> VisualSVN-WinAuthz.ini file of the repository
>
> 3) svnauthz.exe accessof --username S-2-2-22-222222222-22222222-222222222-22222 d:\repositories\test\conf\VisualSVN-WinAuthz.ini
>   Where username is a member of the AD group objectSid
> S-1-1-11-111111111-111111111-11111111-11111
>  Result no
>
> But
> 4) svnauthz.exe accessof --username
> S-1-1-11-111111111-111111111-11111111-11111  22222
> d:\repositories\test\conf\VisualSVN-WinAuthz.ini
> Gives "rw"

I really have no idea what the WinAuthz.ini file is and what VisualSVN does with it. It's
impossible to say if your result is expected if we don't see the contents of the authz file.

But yes, 'svnauthz' will calculate access for users, not for groups. A user can be a member
of several groups and the actual rights she has can be a combination of rights granted to
the groups.

-- Brane

-----------------
Siemens Industry Software GmbH; Anschrift: Franz-Geuer-Str. 10, 50823 Köln; Gesellschaft
mit beschränkter Haftung; Geschäftsführer: Urban August, Daniel Trebes; Sitz der Gesellschaft:
Köln; Registergericht: Amtsgericht Köln, HRB 84564
Mime
View raw message