On Sat, Oct 9, 2010 at 3:05 PM, jehan procaccia <jehanpr...@gmail.com> wrote:
> On 09/10/2010 20:40, Nico Kadel-Garcia wrote:
>>
>> svn+ssh is the most secure, but it conflicts with your desire for LDAP
>> access. The SSH keys normally live under a single user's account, the
>> user who owns the repository, who should have a locked password. You
>> see why this conflicts with LDAP based user information and logins?
>>
>
> No, I don't see why it conflicts?
> Here's again my scenario:
> 1) I set and manage all repositories with a unique local unix account (for
> example username svn!), that account issues all "svn create" and owns the
> repos filesystem directories
> 2) enable the server to resolve ldapusers (pam & nss ldap), so that the
> --tunnel-user=ldapusername option (see 3 below) works.

Right, all LDAP based. So far, so good, this can be woven into the HTTPS access or, conceivably, into the svnserve based access, although I've never seen it done.

> 3) then add ldap users public ssh keys to the ~/.ssh/authorized_keys of that
> unique svn manager account as in:
> "command="svnserve -t --tunnel-user=ldapusername" ssh-rsa KEYXXXXX...
> COMMENT"
> The sysadmin (me) will have to find a way to push ldapusers public keys to
> that unique svn manager (script/CGI ...)

This is an entirely distinct access technology. It contains not a single fleck of LDAP in it, except perhaps to publish the user account information for the "svn manager account".

> Anything wrong in that scenario?

Wrong, no, just confused. Steps 1 and 2 have nothing to do with step 3 and can be entirely discarded.
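The "push ldapusers public keys to that unique svn manager" step from the thread, as an added example that is not from either poster: it builds the forced-command authorized_keys entries for the shared svn account, rejecting usernames that could break out of the quoted command= option and adding the usual OpenSSH restrictions so a key can only reach svnserve. The user/key pairs are constructed sample data standing in for an LDAP export; the account name "svn" and the option list are assumptions.

```python
import re

# Only accept usernames that are safe to embed inside command="..." in
# authorized_keys; a quote or shell metacharacter there would change the
# forced command rather than just the --tunnel-user value.
_USER_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")
# Key type, base64 blob, optional comment (comment may contain spaces).
_KEY_RE = re.compile(
    r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$")

# Assumed hardening: disable everything except the forced svnserve tunnel.
_RESTRICTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"


def authorized_key_line(username, pubkey):
    """Return one authorized_keys line that forces `svnserve -t` for
    `username`, or raise ValueError if the input cannot be embedded safely."""
    if not _USER_RE.match(username):
        raise ValueError(f"rejecting unsafe username {username!r}")
    pubkey = pubkey.strip()
    if not _KEY_RE.match(pubkey):
        raise ValueError(f"rejecting malformed key for {username!r}")
    return f'command="svnserve -t --tunnel-user={username}",{_RESTRICTIONS} {pubkey}'


def build_authorized_keys(entries):
    """entries: iterable of (ldap_username, public_key) pairs, e.g. an LDAP
    export. Returns (file contents for ~svn/.ssh/authorized_keys, rejected users)."""
    lines, rejected = [], []
    for user, key in entries:
        try:
            lines.append(authorized_key_line(user, key))
        except ValueError:
            rejected.append(user)
    return "\n".join(lines) + ("\n" if lines else ""), rejected


# Constructed sample export (dummy key blobs, not real keys).
SAMPLE_EXPORT = [
    ("alice", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyKeyAlice alice@example"),
    ("bob", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDummyKeyBob bob@example"),
    # A username carrying a quote would escape the command= string; reject it.
    ('mallory" ls', "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyKeyMallory"),
]

if __name__ == "__main__":
    content, rejected = build_authorized_keys(SAMPLE_EXPORT)
    print(content, end="")
    print("rejected:", rejected)
```

Each accepted user gets one line in the shared account's authorized_keys; the svnserve session then runs as the svn account but commits are attributed to the --tunnel-user name.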