On 24.05.2016 09:51, Dariusz Nowak wrote:
> Hello,
>
> I'm new in subversion world and tried to research something yesterday
> - without success, so decided to post here. My question is related to
> authentication using LDAP.
>
> My scenario is that I will require 2 auth methods (passwd + ldap) all
> of services (like Jenkins) will use passwd + authz and all of "humans"
> will use their AD accounts. I found really useful option in config
> aliases however got small problem applying to LDAP. And my question is:
>
> Can I create aliases for LDAP groups? I want in my LDAP AUTH file to
> have something like:
>
> [aliases]
> mygroup = CN=PATH,DN=TO,DN=LDAP,DN=GROUP
>
> [/]
> @mygroup = r
>
> So I'm allowing for example every User object in my ldap tree to
> access, but later limiting it like that ... this is how our current
> setup works (a lot of hardcoded user/groups in auth/passwd files and
> [/path/to/repo] = group1 = r, group2 = rw etc.
Unfortunately that won't work. The LDAP authentication happens within
Apache before Subversion's Authz module is invoked, and group membership
information isn't transmitted to mod_authz_svn; only user identity is.

You'll have to use 'Require ldap-group' directives in your httpd.conf,
then duplicate the group definitions in the Subversion authz file. You
can probably automate the group definition part by writing a script that
scrapes the LDAP database and writes a svn_authz group definition file.

-- Brane
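
A sketch of the script suggested in the reply above, added here as an example and not code from the thread or from Subversion: it turns an LDIF export of AD groups and users into an authz [groups] section, mapping nested groups to @group references. The sample LDIF, the example.com DNs and the function names are constructed, and it assumes sAMAccountName is the user name Apache passes on to mod_authz_svn.

```python
import re

SAFE = re.compile(r"[A-Za-z0-9._-]+")  # names that cannot alter authz syntax
# Constructed sample, shaped like `ldapsearch` LDIF output from an AD tree.
SAMPLE_LDIF = """\
dn: CN=svn-devs,OU=Groups,DC=example,DC=com
objectClass: group
sAMAccountName: svn-devs
member: CN=Alice Smith,OU=People,DC=example,DC=com
member: CN=svn-leads,OU=Groups,DC=example,DC=com
member: CN=Gone User,OU=People,DC=example,DC=com

dn: CN=svn-leads,OU=Groups,DC=example,DC=com
objectClass: group
sAMAccountName: svn-leads
member: CN=Bob Jones,OU=People,
 DC=example,DC=com

dn: CN=Alice Smith,OU=People,DC=example,DC=com
sAMAccountName: asmith

dn: CN=Bob Jones,OU=People,DC=example,DC=com
sAMAccountName: bjones
"""

def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):  # unfold, then split
        entry = {}
        for name, sep, value in (l.partition(": ") for l in block.splitlines()):
            if sep:
                entry.setdefault(name.lower(), []).append(value.strip())
        yield entry

def authz_groups(ldif_text):
    entries = list(parse_ldif(ldif_text))
    by_dn = {e["dn"][0].lower(): e for e in entries if "dn" in e}
    name = lambda e: e.get("samaccountname", [""])[0]  # assumed login attribute
    is_group = lambda e: "group" in e.get("objectclass", [])
    out = ["[groups]"]
    for g in sorted(filter(is_group, entries), key=name):
        members = set()
        for dn in g.get("member", []):
            m = by_dn.get(dn.lower(), {})  # DN missing from the export: skipped below
            if SAFE.fullmatch(name(m)):
                members.add(("@" if is_group(m) else "") + name(m))  # nested group
        if SAFE.fullmatch(name(g)):
            out.append(f"{name(g)} = {', '.join(sorted(members))}")
    return "\n".join(out) + "\n"
```

Names outside [A-Za-z0-9._-] and base64-encoded (attr::) values are dropped rather than written, so a crafted directory value cannot add members or rules to the access file.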