subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Logica Ex Machina <l...@pobox.com>
Subject Re: Path based authorization using LDAP groups
Date Tue, 17 Sep 2013 16:11:42 GMT
On 13-09-17 11:26 AM, Tati, Aslesh : Barclaycard US wrote:
> I’m trying to setup a path based authorization using different LDAP groups.
>
> Developers should be able to see all repositories and commit to all
> repos (the corresponding LDAP group is subversion_developers)
>
> Business users should be able to see all repositories but only commit to
> specific assigned repo (corresponding LDAP group is subversion_bususers)
>
> There is another LDAP group which is subversion_readonly which is
> intended to give read only access to all repos.
>
> My httpd.conf looks something like this:
>
> RedirectMatch ^(/svn)$ $1/
>
> <Location /repos>
>
>     DAV svn
>
>     SVNParentPath "/local/data/svn/svntestrepos"
>
>     SVNReposName "CollabNet Subversion Repository"
>
>     BrowserMatch  "^SVN/1.[456]" denyclient
>
>     order allow,deny
>
>     allow from all
>
>     deny from env=denyclient
>
>     SVNListParentPath On
>
>     Allow from all
>
>     AuthType Basic
>
>     AuthName "CollabNet Subversion Repository"
>
>     AuthBasicProvider  ldap
>
>    AuthLDAPUrl
> "ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*" "NONE"
>
>     AuthLDAPBindDN "svn_user"
>
>     AuthLDAPBindPassword "password"
>
>    <LimitExcept OPTIONS GET PROPFIND REPORT>
>
>     require ldap-group CN= subversion_readonly,OU=abc Access
> Groups,DC=abc,DC=com
>
>    </LimitExcept>
>
>     require ldap-group CN= subversion_developers,OU=abc Access
> Groups,DC=abc,DC=com
>
> </Location>
>
> <Location /repos/business>
>
>     DAV svn
>
>     SVNPath "/local/data/svn/svntestrepos/business"
>
>     SVNReposName "CollabNet Business users Subversion Repository"
>
>     BrowserMatch  "^SVN/1.[456]" denyclient
>
>     order allow,deny
>
>     allow from all
>
>     deny from env=denyclient
>
>     Allow from all
>
>     AuthType Basic
>
>     AuthName "CollabNet Business Users Subversion Repository"
>
>     AuthBasicProvider  ldap
>
>     AuthLDAPUrl
> "ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*" "NONE"
>
>     AuthLDAPBindDN "svn_user"
>
>     AuthLDAPBindPassword "password"
>
>    <LimitExcept OPTIONS GET PROPFIND REPORT>
>
>     require ldap-group CN= subversion_readonly,OU=abc Access
> Groups,DC=abc,DC=com
>
>    </LimitExcept>
>
>     require ldap-group CN= subversion_bususers,OU=abc Access
> Groups,DC=abc,DC=com
>
> </Location>
>
> I’m able to access all repos except the business repo with this setting
> and when I try to commit something I get an error saying “Redirect cycle
> detected for URL”
>
> Does this have something to do with the line RedirectMatch ^(/svn)$ $1/
> ? I’m pretty much a novice at apache configuration, so forgive my ignorance.
>
> Any help is appreciated, Thank you.
>
>
> Barclaycard
>
> www.barclaycardus.com <http://www.barclaycardus.com>
>
> This email and any files transmitted with it may contain confidential
> and/or proprietary information. It is intended solely for the use of the
> individual or entity who is the intended recipient. Unauthorized use of
> this information is prohibited. If you have received this in error,
> please contact the sender by replying to this message and delete this
> material from any system it may be on.
>

RedirectMatch tells the requesting tool to try again at the new address, 
which means it returns a response code and tells the client to try again 
at the new address.

In your case, ^(/svn)$ $1/ says "Match ONLY /svn" and then "Redirect to 
"/svn/", which probably is getting sent back into the RedirectMatch. 
Http:/httpd.apache.org/docs/2.2/mod_alias.html has the relevant 
information.  If you want to redirect any URLS that look like 
"www.example.com/svn/business" to "www.example.com/respos/business", you 
would need something like the following:

RedirectMatch ^/svn/(*.) /repos/$1


Is there a reason you are doing URL redirection, though?  You can 
probably just set the Location directives to be /svn and /svn/business 
directly and not deal with redirects or rewrites at all.  If you really 
are looking at doing URL modifications, you might be better served with 
mod_rewrite.

Robert

Mime
View raw message