Hi Brane,
Thank you for the reply.

I am providing some inputs about my experiment as of now.
I am using ‘httpd-2.2.15-54.el6.centos.x86_64’ httpd.
I have attached the LDIF file and the ‘/etc/httpd/conf.d/subversion.conf’ file for
your reference.
I have also attached ‘sssd.conf’ (to interact with LDAP).

Still, I have not been able to grant read access to gidNumber: 500 and
read/write access to gidNumber: 491 from LDAP.
Do you see any obvious issue in the attached files? Your advice will be a great
help!

Regards,
Kedar.

From: Branko Čibej <br...@apache.org>
Organization: The Apache Software Foundation
Date: Monday, August 7, 2017 at 12:36 AM
To: "users@subversion.apache.org" <users@subversion.apache.org>
Cc: "Kedar Sirshikar (ksirshik)" <ksirs...@cisco.com>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using 
AuthzSVNAccessFile directive

On 04.08.2017 18:39, Kedar Sirshikar (ksirshik) wrote:
Hi team,
I need some help on integration of SVN, Apache and LDAP.

Currently we are using ‘/var/www/svn/users-access-file’ to store SVN admin 
users.
The problem with this approach is that if new admin users are added in LDAP, we have
to change the above file as well (to add the new users).
Also, storing user names in ‘/var/www/svn/users-access-file’ is always
discouraged as it may violate security.

So, is there any way I can avoid using ‘/var/www/svn/users-access-file’ and 
achieve read/write access to SVN based on groups of LDAP users?
I am also investigating, but as I am new to this area, your help may improve my
investigation.

Yes, this is easily done; here's an example of the access part of the httpd 
config file (for httpd 2.4.x):

        <RequireAll>
            Require valid-user
            <Limit HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    # Read access
                    Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com
                    Require ldap-group cn=svn.readonly,ou=group,dc=example,dc=com
                </RequireAny>
            </Limit>
            <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    # Write access
                    Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com
                </RequireAny>
            </LimitExcept>
        </RequireAll>



-- Brane

LDIF details:

    version: 1

    dn: ou=users,dc=sprint,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: users

    dn: uid=sssd_qns,ou=users,dc=sprint,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: posixAccount
    cn: cn_sssd_qns
    gidNumber: 500
    homeDirectory: /home/qns
    sn: sn__sssd_qns
    uid: sssd_qns
    uidNumber: 500

    dn: uid=sssd_pb_2,ou=users,dc=sprint,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: posixAccount
    cn: cn_sssd_pb_2
    gidNumber: 491
    homeDirectory: /home/qns-svn
    sn: sn_sssd_pb_2
    uid: sssd_pb_2
    uidNumber: 491

Attachment: sssd.conf
Description: sssd.conf

Attachment: subversion.conf
Description: subversion.conf
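
Added example (not part of the thread and not the poster's attached subversion.conf): on httpd 2.2.x, which has no `<RequireAll>`/`<RequireAny>`, the read versus read/write split can be keyed on the `gidNumber` attribute of the user entries in the LDIF above with `Require ldap-attribute` inside `<Limit>`/`<LimitExcept>`. The LDAP host, the `/repos` location, the repository path and anonymous search on the directory are assumptions.

```apache
# Added example for httpd 2.2.x with mod_authnz_ldap and mod_dav_svn.
# Assumed values: ldap.example.com, /repos, /var/www/svn/repos.
<Location /repos>
    DAV svn
    SVNPath /var/www/svn/repos

    # Basic auth sends the password on every request; serve this over HTTPS only.
    SSLRequireSSL

    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap

    # Search base and login attribute (uid) match the LDIF in the thread.
    # Assumes the directory permits anonymous search; otherwise add
    # AuthLDAPBindDN and AuthLDAPBindPassword for a low-privilege bind account.
    AuthLDAPURL "ldap://ldap.example.com:389/ou=users,dc=sprint,dc=com?uid?sub?(objectClass=posixAccount)"

    # mod_authnz_ldap makes the final authorization decision (2.2 default).
    AuthzLDAPAuthoritative on

    # Read-only methods. In httpd 2.2, multiple Require lines are ORed,
    # so users with gidNumber 500 or 491 may read.
    <Limit GET HEAD OPTIONS PROPFIND REPORT>
        Require ldap-attribute gidNumber=500
        Require ldap-attribute gidNumber=491
    </Limit>

    # Every other method (commits, locks, property changes): gidNumber 491 only.
    <LimitExcept GET HEAD OPTIONS PROPFIND REPORT>
        Require ldap-attribute gidNumber=491
    </LimitExcept>
</Location>
```

`Require ldap-attribute` compares against the authenticated user's own entry, so it works with the `posixAccount` entries shown; `Require ldap-group` instead needs separate group entries in the directory that list the users as members.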
