Thanks Ben & Eric. I have now configured subversion through mod_authz file through the script available at http://thoughtspark.org/2009/01/20/using-ldap-groups-with-subversion-s-authz-file/. Thank a lot for sharing the link and it is working as per the expectation.
Thanks once a again. On Thu, Jul 10, 2014 at 3:03 AM, Eric Johnson <e...@tibco.com> wrote: > I'll add that where we've deployed Subversion access controls, we use > mod_authz_svn, and generate its contents from other sources. Not that hard > to scan AD, and generate group information that can be stuffed into the > access file. > > Eric > > > On Wed, Jul 9, 2014 at 12:56 PM, Ben Reser <b...@reser.org> wrote: > >> On 7/7/14 3:56 AM, Ankush Grover wrote: >> > I am trying to setup Subversion authentication through Active Directory >> > authentication and authorization through Active Directory >> groups.Everything is >> > working fine but the issue I am facing is when I want to restrict >> access to >> > subdirectorys of a subversion repository. For ex: there is a repo with >> a name >> > "ankushtest" and it has a subdirectory "test", now I want some users >> which are >> > in AD group to be able to read or commit to subdirectory "test" only. >> This >> > access is working fine through SVN clients like Tortoise etc.. but when >> I try >> > to open the same on a browser, the user which has access only to >> subdirectory >> > "test" is able to see the all the directorys or files under repo >> "ankushtest". >> > How this is working is like that, if a user types the complete url for >> the >> > "test" directory like http://svn.example.com/src/ankushtest/test"; then >> browser >> > is showing the all the files & directorys of a repo. >> > In the Apache logs I see the below warning whenever I click on the url >> > http://svn.example.com/src/ankushtest/test"; and this test directory on >> the >> > browser shows all the files & directorys whereas this directory has >> only 1 file >> > and a sub-directory in it. >> > >> > Mon Jul 07 14:21:47 2014] [warn] mod_dav_svn: nested Location >> > '/src/ankushtest/test' hinders access to 'test1' in SVNPath Location >> > '/src/ankushtest' >> >> You should only have a single Location block for your repository. That >> warning >> message is telling you as much. When you use multiple Location blocks >> like >> this then the "/src/ankushtest" and the "/src/ankushtest/test" both are >> Locations that point at the root of the repository. >> >> The reason you're seeing this work with a Subversion client is because the >> Subversion client often accesses things under the root of the repository >> with >> opaque URLs which still go through the "/src/ankushtest" Location block >> rather >> than the "/src/ankushtest/test" Location. >> >> If you want to do path based access control within the repository you >> must use >> mod_authz_svn to do this. It knows how to handle the opaque URLs and >> properly >> provide access control. Beyond opaque URLs there are also requests that >> provide details for child paths other than just the path the request uses >> in >> the HTTP request-line, which is all that would be matched by Location. >> >> Setting up mod_authz_svn is generally described in the SVN Book here: >> >> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir >> >> Unfortunately, using mod_authz_svn is complicated by your desire to use AD >> groups. The group membership that Apache httpd uses is not available to >> mod_authz_svn, this is just a limitation of the way Apache httpd >> authentication >> and authorization works. >> >> So in order to do what you want you need to provide the group membership >> information to mod_authz_svn separately. This is done by adding the >> [groups] >> section to the AccessFile. Obviously maintaining this by hand is tedious >> so >> people usually automate this. >> >> It's popular to use this tool to do that automation: >> >> http://thoughtspark.org/2009/01/20/using-ldap-groups-with-subversion-s-authz-file/ >> >> Though there are also commercial products that can do this and much more >> such >> as WANDisco's Access Control product: >> http://wandisco.com/subversion/accesscontrol >> >> I suspect there are other commercial products that can manage this for >> you as >> well though I'm not as familiar with their features (full disclosure I >> work for >> WANdisco). >> >> If you don't go the route of a commercial product to manage this I'd >> suggest >> that you do the following things beyond just using mod_authz_svn. >> >> * Include the "SVNPathAuthz short_circuit" directive in your Location >> blocks >> for SVN. This avoids running authentication/authorization processing as >> sub-requests for paths that aren't in the request-line but that must be >> accessed to service the request. The default uses much more expensive >> sub-requests, which while secure for any configuration are much more >> expensive. >> Almost not configurations actually need the default setting. >> >> * You mention that you're using Subversion 1.7, but Subversion 1.8 adds >> the >> AuthzSVNGroupsFile directive that permits this group data to be in a >> separate >> file from your access configuration. This should make it easier to >> configure. >> > >
