Hi,

I am trying to setup Subversion authentication through Active Directory authentication and authorization through Active Directory groups.Everything is working fine but the issue I am facing is when I want to restrict access to subdirectorys of a subversion repository. For ex: there is a repo with a name "ankushtest" and it has a subdirectory "test", now I want some users which are in AD group to be able to read or commit to subdirectory "test" only. This access is working fine through SVN clients like Tortoise etc.. but when I try to open the same on a browser, the user which has access only to subdirectory "test" is able to see the all the directorys or files under repo "ankushtest". How this is working is like that, if a user types the complete url for the "test" directory like http://svn.example.com/src/ankushtest/test" then browser is showing the all the files & directorys of a repo.
 In the Apache logs I see the below warning whenever I click on the url http://svn.example.com/src/ankushtest/test" and this test directory on the browser shows all the files & directorys whereas this directory has only 1 file and a sub-directory in it.

Mon Jul 07 14:21:47 2014] [warn] mod_dav_svn: nested Location '/src/ankushtest/test' hinders access to 'test1' in SVNPath Location '/src/ankushtest'


Environment:  Centos 6.5 64-bit with Selinux & Iptables off, Subversion 1.7.17-1(downloaded from the WANDisco site) & Apache version 2.2.15-30


My subversion Configuration file is below


LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
LDAPVerifyServerCert off
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/cert1.pem
LDAPTrustedGlobalCert KEY_BASE64 /etc/pki/tls/key1.pem


<Location "/">
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative On
 AuthName "3PG SVN Repository"
 AuthLDAPURL "ldaps://172.16.9.80:3269/DC=exampleC=corp?sAMAccountName?sub?(objectClass=user)"SSL
 AuthLDAPURL "ldaps://172.16.9.90:3269/DC=example,DC=corp?sAMAccountName?sub?(objectClass=user)"SSL
 AuthLDAPBindDN "authsvn@example.corp"
 AuthLDAPBindPassword ldapsS@1234

</location>

<Location "/src/ankushtest">
Dav svn
SVNPATH /home/svn_repos/src/ankushtest

        <Limit GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=svn_test_ro,OU=test,DC=example,DC=corp
        Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp
        </Limit>

        # Write access
        <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp

        </LimitExcept>
</Location>


<Location "/src/ankushtest/test">

Dav svn
SVNPATH /home/svn_repos/src/ankushtest
SVNReposName "ankush-2 test repo"

        <Limit GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=svn_test_b_ro,OU=test,DC=example,DC=corp
        Require ldap-group CN=svn_test_b_rw,OU=test,DC=example,DC=corp
    Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp
        </Limit>

        # Write access
        <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=svn_test_b_rw,OU=test,DC=example,DC=corp
    Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp
        </LimitExcept>
</Location>


What is the best way to configure and control subfolders access via Active Directory groups so that things works fine in the browser too...


Thanks & Regards

Ankush Grover