How to control access of a subversion repo subfolder via AD groups

Mon, 07 Jul 2014 04:26:33 -0700 

Hi,

I am trying to setup Subversion authentication through Active Directory
authentication and authorization through Active Directory groups.Everything
is working fine but the issue I am facing is when I want to restrict access
to subdirectorys of a subversion repository. For ex: there is a repo with a
name "ankushtest" and it has a subdirectory "test", now I want some users
which are in AD group to be able to read or commit to subdirectory "test"
only. This access is working fine through SVN clients like Tortoise etc..
but when I try to open the same on a browser, the user which has access
only to subdirectory "test" is able to see the all the directorys or files
under repo "ankushtest". How this is working is like that, if a user types
the complete url for the "test" directory like
http://svn.example.com/src/ankushtest/test"; then browser is showing the all
the files & directorys of a repo.
 In the Apache logs I see the below warning whenever I click on the url
http://svn.example.com/src/ankushtest/test"; and this test directory on the
browser shows all the files & directorys whereas this directory has only 1
file and a sub-directory in it.

Mon Jul 07 14:21:47 2014] [warn] mod_dav_svn: nested Location
'/src/ankushtest/test' hinders access to 'test1' in SVNPath Location
'/src/ankushtest'


Environment:  Centos 6.5 64-bit with Selinux & Iptables off, Subversion
1.7.17-1(downloaded from the WANDisco site) & Apache version 2.2.15-30


My subversion Configuration file is below


LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
LDAPVerifyServerCert off
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/cert1.pem
LDAPTrustedGlobalCert KEY_BASE64 /etc/pki/tls/key1.pem


<Location "/">
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative On
 AuthName "3PG SVN Repository"
 AuthLDAPURL "ldaps://
172.16.9.80:3269/DC=exampleC=corp?sAMAccountName?sub?(objectClass=user)"SSL
 AuthLDAPURL "ldaps://
172.16.9.90:3269/DC=example,DC=corp?sAMAccountName?sub?(objectClass=user)
"SSL
 AuthLDAPBindDN "auth...@example.corp"
 AuthLDAPBindPassword ldapsS@1234

</location>

<Location "/src/ankushtest">
Dav svn
SVNPATH /home/svn_repos/src/ankushtest

        <Limit GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=svn_test_ro,OU=test,DC=example,DC=corp
        Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp
        </Limit>

        # Write access
        <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp

        </LimitExcept>
</Location>


<Location "/src/ankushtest/test">

Dav svn
SVNPATH /home/svn_repos/src/ankushtest
SVNReposName "ankush-2 test repo"

        <Limit GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=svn_test_b_ro,OU=test,DC=example,DC=corp
        Require ldap-group CN=svn_test_b_rw,OU=test,DC=example,DC=corp
    Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp
        </Limit>

        # Write access
        <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=svn_test_b_rw,OU=test,DC=example,DC=corp
    Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp
        </LimitExcept>
</Location>


What is the best way to configure and control subfolders access via Active
Directory groups so that things works fine in the browser too...


Thanks & Regards

Ankush Grover

Reply via email to