Hey guys,

I have a big problem here.

I was planning to use the configuration below on my Subversion + Apache
server. I authenticate against an LDAP server, and my intention was to use
LDAP groups to establish authorization for some project folders. As you can
see below, I want the folder secret (a path) in trunk to be readable and
writable only by a managers group in LDAP, while in the rest of the
project readers can only read and writers can read and write. The
problem is that if I check out trunk as a reader or writer user, the folder
secret comes along as well. Is there anything I could fix to make it work as I wish?
Sorry for my poor english.

# Repository area served by mod_dav_svn. Users authenticate with HTTP Basic
# against LDAP; access is then granted by LDAP group membership, split into
# read methods (<Limit>) and everything else (<LimitExcept>).
<Location /svn/repo>
    DAV svn
        # SVNParentPath publishes every repository found under /srv/svn/repo,
        # so client URLs have the form /svn/repo/<repository-name>/...
        SVNParentPath /srv/svn/repo
        # Allows the list of repositories under the parent path to be browsed.
        SVNListParentPath on
        # Stylesheet applied to directory listings shown in a browser.
        SVNIndexXSLT "/svnindex.xsl"

    # Basic authentication sends the user's LDAP password, only base64-encoded,
    # with every request.
    # NOTE(review): confirm this Location is reachable over HTTPS only.
    AuthType Basic
    AuthName "Subversion Repo"
    AuthBasicProvider ldap
    # ldap:// is an unencrypted connection: the bind password below and each
    # user's password travel to the directory in clear text.
    # NOTE(review): use ldaps:// or StartTLS if the directory supports it.
    AuthLDAPUrl ldap://someldapserver/dc=myorg,dc=org

    # Account httpd binds as to search for the user entry.
    # NOTE(review): confirm this is a dedicated, read-only search account and
    # not a directory administrator.
    AuthLDAPBindDN "uid=manager,ou=services,ou=corp,dc=myorg,dc=org"
    # Stored in clear text; keep this file readable only by the account that
    # starts httpd and out of version control.
    AuthLDAPBindPassword "password"
    # A failed LDAP authorization check is final; it is not handed on to other
    # authorization modules.
    AuthzLDAPAuthoritative on
    # Group membership is tested by comparing the user's DN with the values of
    # the group's uniqueMember attribute.
    AuthLDAPGroupAttribute uniqueMember
    AuthLDAPGroupAttributeIsDN on

    # Every method other than the four read methods listed, i.e. the requests
    # that modify the repository: writers and managers only.
    # NOTE(review): AuthzLDAPAuthoritative suggests Apache 2.2, where several
    # require lines are alternatives (any one group is enough); confirm for the
    # server version in use.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        require ldap-group cn=writers,ou=services,ou=corp,dc=myorg,dc=org
        require ldap-group cn=managers,ou=services,ou=corp,dc=myorg,dc=org
    </LimitExcept>

    # Read methods: writers, managers and readers.
    # These rules apply to the URL of the request. A checkout of trunk is
    # requested against trunk, so a reader who passes this check receives the
    # whole subtree; this section does not evaluate the paths inside the reply.
    <Limit GET PROPFIND OPTIONS REPORT>
        require ldap-group cn=writers,ou=services,ou=corp,dc=myorg,dc=org
        require ldap-group cn=managers,ou=services,ou=corp,dc=myorg,dc=org
        require ldap-group cn=readers,ou=services,ou=corp,dc=myorg,dc=org
    </Limit>
</Location>

# Intended to restrict trunk/secret to the managers group for both reading and
# writing.
#
# NOTE(review): this section is not a reliable boundary for Subversion data.
# It is matched only when the request URL itself starts with
# /svn/repo/trunk/secret. A checkout or update of a parent directory such as
# trunk is requested against the parent, so the contents of secret are
# delivered under the parent's rules and this section is never consulted.
# Subversion's supported per-path access control is mod_authz_svn with an
# AuthzSVNAccessFile that carries the rule for the path.
# NOTE(review): the groups in such an access file are defined in the file
# itself; as far as this reviewer knows they are not read from LDAP, so the
# managers list would have to be kept in sync. Verify against the mod_authz_svn
# documentation for the version in use.
#
# NOTE(review): the enclosing configuration uses SVNParentPath, which puts a
# repository name directly after /svn/repo/. Under that layout this URL would
# address a repository called "trunk", not the trunk folder of a repository.
# Confirm the intended path.
<Location /svn/repo/trunk/secret>
    # The authentication settings below repeat those of the /svn/repo section.
    # NOTE(review): a URL under /svn/repo matches that section as well, so
    # these are presumably inherited and the copy is a second place where the
    # bind password has to be protected and rotated.
    AuthType Basic
    AuthName "Subversion Repo"
    AuthBasicProvider ldap
    # ldap:// is an unencrypted connection to the directory.
    # NOTE(review): use ldaps:// or StartTLS if the directory supports it.
    AuthLDAPUrl ldap://someldapserver/dc=myorg,dc=org

    AuthLDAPBindDN "uid=manager,ou=services,ou=corp,dc=myorg,dc=org"
    # Clear-text credential; restrict read access to this file.
    AuthLDAPBindPassword "password"
    AuthzLDAPAuthoritative on
    AuthLDAPGroupAttribute uniqueMember
    AuthLDAPGroupAttributeIsDN on

    # Methods other than the four read methods listed: managers only.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        require ldap-group cn=managers,ou=services,ou=corp,dc=myorg,dc=org
    </LimitExcept>

    # Read methods: managers only. This is enforced only for requests whose
    # URL is under this Location.
    <Limit GET PROPFIND OPTIONS REPORT>
        require ldap-group cn=managers,ou=services,ou=corp,dc=myorg,dc=org
    </Limit>
</Location>
____________________________________________
Rodrigo Montenegro de Oliveira
