> -----Original Message----- > From: Lee Kaufman [mailto:lee.kauf...@transmetric.com] > Sent: 01 April 2010 14:57 > To: Giulio Troccoli > Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile > > Right but how do I define that group as a LDAP group e.g. > CN=hasReadWrite,DN=groups,DN=myDomain? > This is the full config (sensitive information has been replaced by ********)
## ## Define the alias of LDAP authentication ## <AuthnProviderAlias ldap ldap-test> AuthLDAPURL "ldap://*******/OU=Users,OU=London,OU=North Europe,OU=Regional,DC=ad,DC=linedata,DC=com?SAMAccountName,name?sub?(objectClass=*)" AuthLDAPBindDN "CN=SA_Subversion,OU=Service Accounts,OU=Global,DC=ad,DC=linedata,DC=com" AuthLDAPBindPassword ******** AuthzLDAPAuthoritative off AuthLDAPRemoteUserAttribute name </AuthnProviderAlias> ## ## Define the alias for SVN Admins authentication ## <AuthnProviderAlias file svn-admins> AuthUserFile /usr/local/apache2/etc/svn-admin.passwd </AuthnProviderAlias> <Location /svn-test> DAV svn SVNPath /data/TestRepositories/svn-test # Name of the repository AuthName "Subversion Testing Repository" # What authentication to use AuthType Basic AuthBasicProvider ldap-test svn-admins file # How to authenticate extra people AuthUserFile /usr/local/apache2/etc/svn-test.passwd # Always requier an authenticated user #Allow from all Order deny,allow Require valid-user # Access Control Policy AuthzSVNAccessFile /usr/local/apache2/etc/svn-test.access </Location> > -----Original Message----- > From: Giulio Troccoli [mailto:giulio.trocc...@uk.linedata.com] > Sent: Thursday, April 01, 2010 2:42 AM > To: 'Stefan Sperling'; 'Aaron Turner' > Cc: 'Lee Kaufman'; users@subversion.apache.org > Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile > > > > > I have been set the task of setting up SVN and connecting > > > > Authentication and Authorization to our MS Active > > Directory system. > > > > The SVN is now running on a Debian Linux server. I have > > > > successfully set up Authenticated to authenticate users > who have > > > > access to the SVN system based on a Security Group in our AD. > > > > > > > > The next task is where I am encountering the difficulty is in > > > > Authorizing individual users to read and write to the > individual > > > > repositories. From what I have seen I need I to do this > > I need a AuthzSVNAccessFile file. > > > > However I have not been able to find any documentation > on how to > > > > accomplish this using AD groups. Below is a simple example. > > > > > > Last time I checked, you can't do authorization via > LDAP/AD. Just > > > authentication. Hence the lack of documentation on the subject. > > > > Various wrapper scripts exist which generate an authz rules > file from > > data pulled from LDAP/AD directories. I agree that it would > be nice to > > have built-in support for this in mod_authz_svn though. > > > > Few months ago I was experimenting with this and I found out > that it can easily work. > > My Apache configuration for the repository contained > "AuthzLDAPAuthoritative off" and "AuthLDAPRemoteUserAttribute > name". I'm not sure you need AuthzLDAPAuthoritative but it's > AuthLDAPRemoteUserAttribute that allowed me to write the > access file like this > > [groups] > developers = Giulio Troccoli, Harpal Panesar > > [svn-test:/] > * = r > svnsync = r > > [svn-test:/trunk] > @developers = rw > > I'm pretty sure it worked but, as I said, it was few months > ago so maybe I just saved this configuration for further > investigation rather than for immediate use. > > Giulio > > > Linedata Services (UK) Ltd > Registered Office: Bishopsgate Court, 4-12 Norton Folgate, > London, E1 6DB > Registered in England and Wales No 3027851 VAT Reg No 778499447 > > > >
