subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kedar Sirshikar (ksirshik)" <ksirs...@cisco.com>
Subject Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive
Date Mon, 07 Aug 2017 08:10:26 GMT
Hi Brane,
Thank you for reply.

I am providing some inputs about my experiement as of now.
I am using ‘httpd-2.2.15-54.el6.centos.x86_64’ httpd.
I have attached ldif file and ‘/etc/httpd/conf.d/subversion.conf’ files for your reference.
I have also attached ‘sssd.conf’ (to interact with LDAP).

Still I have not been able to grant read access to gidNumber: 500 and read/write access to
gidNumber: 491 from ldap.
Do you see any obvious issue in attached files? Your advice will be a great help!

Regards,
Kedar.

From: Branko Čibej <brane@apache.org>
Organization: The Apache Software Foundation
Date: Monday, August 7, 2017 at 12:36 AM
To: "users@subversion.apache.org" <users@subversion.apache.org>
Cc: "Kedar Sirshikar (ksirshik)" <ksirshik@cisco.com>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile
directive

On 04.08.2017 18:39, Kedar Sirshikar (ksirshik) wrote:
Hi team,
I need some help on integration of SVN, Apache and LDAP.

Currently we are using ‘/var/www/svn/users-access-file’ to store SVN admin users.
Problem with this approach is if new admin users are added in LDAP then we have to change
above file as well (for adding new users).
Also, storing user names in ‘/var/www/svn/users-access-file’ is always discouraged as
it may violate security.

So, is there any way I can avoid using ‘/var/www/svn/users-access-file’ and achieve read/write
access to SVN based on groups of LDAP users?
I am also investing but as I am new to this area so your help may improve my investigation.

Yes, this is easily done; here's an example of the access part of the httpd config file (for
httpd 2.4.x):

        <RequireAll>

            Require valid-user

            <Limit HEAD GET OPTIONS PROPFIND REPORT>

                <RequireAny>

                    # Read access

                    Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com

                    Require ldap-group cn=svn.readonly,ou=group,dc=example,dc=com

                </RequireAny>

            </Limit>

            <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>

                <RequireAny>

                    # Write access

                    Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com

                </RequireAny>

            </LimitExcept>

        </RequireAll>



-- Brane

Mime
View raw message