subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Branko Čibej <br...@apache.org>
Subject Re: Check Path based authorization
Date Wed, 12 Dec 2018 12:59:24 GMT
[Please do not top-post on this list.]

On 12.12.2018 09:25, Stuempfig, Thomas wrote:
> Hi Brane,
>
> sorry i cannot post the contents of VisualSVN-WinAuthz.ini file since it is company security
related.
> I will take some time to setup a separate Demo LDAP, but this will take some time.
>
> But basically my observation is
>
> 1) You have ldap group "GroupA"
> 2) Within that group you have users user_a and user_b (memberOf Attribute)
>
> now
> 3)  you setup your  repo authz file
> *****************************
> [/]
> user_a          rw
> GroupA          rw
> *****************************
>
> (I explicity do not include something like Group_A=user_a,user_b and set @Group_A rw
in authz file as this would duplicate ldap definition
> of Group membership)
>
> svnauthz gives "rw" for user_a and "Result no" for user_b
>
>
>
> my guess is that svnauthz does not evaluate the actual ldap info and ony cares about
groups defined in authz file whereas "svn --username .. ." does authenticate with the ldap-group.
 If I am thinking about the svnauthz commandline, svnauthz has no information about the ldap
connection which sits in apache httpd.conf.

As Johan already wrote, Subversion does not look anywhere but in its
authorisation files for group definitions. Not LDAP, nor AD, nor any
other group directory. If your groups are defined in LDAP, then you very
likely already have a tool that extracts them from there into the proper
format for Subversion; in that case, all you need to do is tell svnauthz
about that file, see the '--groups-file' option.


-- Brane



> -----Original Message-----
> From: Branko Čibej [mailto:brane@apache.org]
> Sent: Dienstag, 11. Dezember 2018 20:54
> To: Stuempfig, Thomas (DF PL S&SE DE PSM EAI) <thomas.stuempfig@siemens.com>;
users@subversion.apache.org
> Subject: Re: Check Path based authorization
>
> On 11.12.2018 18:40, Stuempfig, Thomas wrote:
>> Hi Brane,
>> well after testing the tool does not actually do what i would like. But it is giving
me a starting point / work around.
>> I tested the tool with Visualsvn Server on windows
>>
>>
>> Steps to reproduce
>> 1) configure basic windows authentication
>>
>> 2) grant" rw" access to the repository root path for AD group
>>         Visualsvn server places the objectSid
>> S-1-1-11-111111111-111111111-11111111-11111  of the group in the
>> VisualSVN-WinAuthz.ini file of the repository
>>
>> 3) svnauthz.exe accessof --username S-2-2-22-222222222-22222222-222222222-22222 d:\repositories\test\conf\VisualSVN-WinAuthz.ini
>>   Where username is a member of the AD group objectSid
>> S-1-1-11-111111111-111111111-11111111-11111
>>  Result no
>>
>> But
>> 4) svnauthz.exe accessof --username
>> S-1-1-11-111111111-111111111-11111111-11111  22222
>> d:\repositories\test\conf\VisualSVN-WinAuthz.ini
>> Gives "rw"
> I really have no idea what the WinAuthz.ini file is and what VisualSVN does with it.
It's impossible to say if your result is expected if we don't see the contents of the authz
file.
>
> But yes, 'svnauthz' will calculate access for users, not for groups. A user can be a
member of several groups and the actual rights she has can be a combination of rights granted
to the groups.
>
> -- Brane
>
> -----------------
> Siemens Industry Software GmbH; Anschrift: Franz-Geuer-Str. 10, 50823 Köln; Gesellschaft
mit beschränkter Haftung; Geschäftsführer: Urban August, Daniel Trebes; Sitz der Gesellschaft:
Köln; Registergericht: Amtsgericht Köln, HRB 84564


Mime
View raw message