subversion-users mailing list archives

From Branko Čibej <br...@apache.org>
Subject Re: Apache httpd 2.4 + Subversion 1.9.5 + LDAP combination does not work on CentOS 7.x
Date Tue, 18 Jul 2017 10:33:32 GMT
On 18.07.2017 10:20, Ravi Roy wrote:
>
>
> On Mon, Jul 17, 2017 at 8:03 PM, Ravi Roy <ravi.aroy@gmail.com
> <mailto:ravi.aroy@gmail.com>> wrote:
>
>
>         You should remove these lines:
>
>             Satisfy any
>             Order allow,deny
>             Allow from all
>             AuthUserFile /dev/null
>
>
>         then add
>
>             Satisfy all
>
>
>         I also suggest you add the HEAD method to the LimitExcept
>         directive.
>
>
>
> As this does not work and bypasses AuthzSVNAccessFile and gives repo
> access to all valid users which exist in the LDAP directory. Does
> somebody know why it is causing this? Thanks
> Ravi.


I have a practically identical configuration (with slightly more complex
access rules) and it does work for me. I suggest you turn on verbose
logging in httpd and check the logs to see what's happening.

My config looks like this:

    RedirectMatch permanent ^(/repos)$ $1/
    <Location /repos/>
        AuthType basic
        AuthName "Subversion"
        AuthBasicProvider ldap

        AuthLDAPUrl "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid"
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPBindDN cn=admin,dc=example,dc=com
        AuthLDAPBindPassword "example.com"

        <RequireAll>
            Require valid-user
            <Limit HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    # Read access
                    Require ldap-group cn=dev,ou=group,dc=example,dc=com
                    Require ldap-group cn=dev.readonly,ou=group,dc=example,dc=com
                </RequireAny>
            </Limit>
            <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    # Write access
                    Require ldap-group cn=dev,ou=group,dc=example,dc=com
                </RequireAny>
            </LimitExcept>
        </RequireAll>

        DAV svn
        SVNParentPath /srv/repos
        SVNListParentPath on
        SVNPathAuthz short_circuit
        AuthzSVNAccessFile file:///srv/repos/admin/access.conf
    </Location>



-- Brane
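
Added example (not part of the message above and not Subversion or httpd project code): one way to act on the "turn on verbose logging" advice is to raise mod_authz_core to debug level (for instance `LogLevel info authz_core:debug`) and group its AH01626 "authorization result" lines per client, which shows which Require directives actually decided each request. The log lines, client addresses and function names below are constructed for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape mod_authz_core logs at debug level.
# Timestamps, pid, source line number and client addresses are made up.
_FMT = ("[Tue Jul 18 10:30:01.000000 2017] [authz_core:debug] [pid 4242] "
        "mod_authz_core.c(809): [client {}] AH01626: authorization result of {}")
SAMPLE_LOG = "\n".join(_FMT.format(client, rest) for client, rest in [
    ("192.0.2.10:50001", "Require valid-user : granted"),
    ("192.0.2.10:50001", "Require ldap-group cn=dev,ou=group,dc=example,dc=com: granted"),
    ("192.0.2.10:50001", "<RequireAny>: granted"),
    ("192.0.2.10:50001", "<RequireAll>: granted"),
    ("192.0.2.20:50002", "Require valid-user : granted"),
    ("192.0.2.20:50002", "<RequireAny>: granted"),
    ("192.0.2.30:50003", "Require valid-user : denied (no authenticated user yet)"),
    ("192.0.2.30:50003", "<RequireAny>: denied (no authenticated user yet)"),
])

LINE_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] AH01626: authorization result of "
    r"(?P<directive>.+?)\s*: (?P<result>granted|denied|neutral)")


def decisions_by_client(log_text):
    """Map each client (ip:port) to its ordered (directive, result) pairs.

    Requests sharing one keep-alive connection end up in the same bucket.
    """
    out = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.setdefault(m["client"], []).append((m["directive"], m["result"]))
    return out


def granted_without_group_check(log_text):
    """Clients whose last logged result is 'granted' although no
    'Require ldap-group' rule was evaluated for them."""
    flagged = []
    for client, steps in decisions_by_client(log_text).items():
        saw_group = any(d.startswith("Require ldap-group") for d, _ in steps)
        if steps[-1][1] == "granted" and not saw_group:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    for client, steps in decisions_by_client(SAMPLE_LOG).items():
        print(client, steps)
    print("granted without ldap-group check:", granted_without_group_check(SAMPLE_LOG))
```

These lines only cover mod_authz_core; path-based decisions taken from AuthzSVNAccessFile are made by mod_authz_svn and do not appear among them.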
