On 02.09.2017 03:50, Kedar Sirshikar (ksirshik) wrote: > > Hi Brane, > > I tried to follow your suggestions. Please refer attached latest > version of ‘subversion.conf’ > > 1. I updated my subversion.conf to include > ‘AuthLDAPGroupAttribute’ attribute. Its value is set to cn as cn > attribute has the group name (to which user is assigned) >
AuthLDAPGroupAttribute is the name of the group's member list attribute, not the user's primary group attribute. > Is there any way I can check for logs? If I get some relevant logs, I > myself can dig down more. > You should have Apache server logs available. If they're not detailed enough, you can increase the log verbosity. > I came across below 2 urls which claim that it is not possible to get > rid of AuthzSVNAccessFile directive and you must use a file to > configure groups and users. > > http://grokbase.com/t/subversion/users/1477dcf8yc/how-to-control-access-of-a-subversion-repo-subfolder-via-ad-groups/oldest#responses_tab_top > > https://github.com/whitlockjc/sync-ldap-groups-to-svn-authz > > > > Now, I am little confused about whether it is really possible (or not) > to fully avoid configuring groups and user names in a separate file. > That depends on what you want to do. If you only want to control read-only vs. read-write access to the whole repository, you can do that in the Apache config, as I showed you. If you want more fine-grained access control, that's what the Subversion authz file is for. If you want to do that per-user, then you will have to define users (and/or groups) in that file. And yes, there are tools out there for automatically generating user and group lists for the Subversion authz file from LDAP. -- Brane
