Posted to users@subversion.apache.org by Dusty Yates <du...@gmail.com> on 2008/01/08 23:44:12 UTC

ldap auth with file auth for local user over https

I have ldap setup and working great.  I want to allow a local,
svnlocal, user on the svn server to access the repository (read-only).

I created an authz file:

[/]
* =
svnlocal = r

Then I made the htpasswd entry for the svnlocal account.

svnlocal:(omitted but working)

I changed my subversion.conf in the following ways:
* added AuthzSVNAccessFile line
* added file to AuthBasicProvider line
* added AuthUserFile line
* added require user line
so the section for this repository looks like (minor obfuscation changes):

<Location /repo>
   DAV svn
   SVNPath /svn/repo
   AuthzSVNAccessFile /svn/repo/conf/authz
   SSLRequireSSL
   AuthType basic
   AuthName "svn repository"
   AuthBasicProvider ldap file
   AuthLDAPURL "ldap://company.com:port/dc=company,dc=com?sAMAccountName"
   AuthLDAPBindDN "cn=bnd.apache,ou=bind accounts,ou=ldap authentication,ou=security groups and accounts,dc=company,dc=com"
   AuthLDAPBindPassword (omitted but working)
   AuthzLDAPAuthoritative on
   require ldap-group cn=svnadmins,OU=Distribution Lists,OU=IBS,DC=company,DC=com
   require ldap-group cn=engineers,OU=Distribution Lists,OU=IBS,DC=company,DC=com
   AuthUserFile /etc/httpd/conf/htpasswd.repo
   require user svnlocal
</Location>

At first blush I believed this to be working - engineers and admins
can connect RW to the repository over https, and the local user can as
well.
HOWEVER: any other user can as well - even if they're not in the
groups specified.  This restriction worked prior to my changes.
How do I avoid having the [/] * = in my authz? Without it, even the
users auth'ed by ldap cannot write to the repository.

I'm finding great docs describing each directive, but I think I am
missing something in the interaction between authorization and
authentication.
Is the scheme I've described possible?  Advisable?

Thanks in advance for any advice or help.
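As an added example (not part of the original post), the following Python script evaluates what a Subversion authz file grants a given user on a given path, using the poster's [/] section plus a constructed group and a repository-qualified subtree rule so it goes a little beyond the file in the post. The evaluation rules it assumes: the most specific path section containing a rule that matches the user decides, no matching rule anywhere means no access, and within one section a grant from any matching rule wins over a deny from another; check that last point against the Subversion version you run.

```python
import configparser
# Constructed sample: the poster's [/] section plus a group and a repo-qualified subtree rule.
AUTHZ_TEXT = """
[groups]
engineers = alice, bob
[/]
* =
svnlocal = r
[repo:/trunk]
@engineers = rw
"""
def load_authz(text):
    """Parse into ({group: [members]}, {(repo or None, path): {name: perms}})."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                        # user/group names keep their case
    cp.read_string(text)
    groups, sections = {}, {}
    for sect in cp.sections():
        if sect == "groups":
            groups = {g: [m.strip() for m in v.split(",")] for g, v in cp.items(sect)}
        else:                                   # "[/p]" -> ("", "/p"); "[repo:/p]" -> ("repo", "/p")
            repo, _, path = sect.rpartition(":")
            sections[(repo or None, path)] = dict(cp.items(sect))
    return groups, sections

def rule_matches(name, user, groups):
    """'*' is everyone (anonymous included), '@g' a group, anything else a user name."""
    return (name == "*" or (name.startswith("@") and user in groups.get(name[1:], []))
            or name == user)

def section_verdict(rules, user, groups):       # -> 'r', 'rw' or ''; None if no rule matches
    allow, deny = set(), set()
    for name, perms in rules.items():
        if rule_matches(name, user, groups):
            for bit in "rw":
                (allow if bit in perms else deny).add(bit)
    if not (allow or deny):
        return None
    return "".join(b for b in "rw" if b in allow)  # assumption: a grant beats a deny from another rule

def access(groups, sections, user, path, repo=None):
    """Walk from `path` toward '/'; the first section that decides wins."""
    while True:
        for key in ((repo, path), (None, path)):  # repository-specific section first
            verdict = section_verdict(sections[key], user, groups) if key in sections else None
            if verdict is not None:
                return verdict
        if path == "/":
            return ""                           # no rule anywhere: default is no access
        path = path.rsplit("/", 1)[0] or "/"    # parent directory
```

Running it against the poster's file shows why svnlocal ends up read-only while an LDAP user outside any listed group gets nothing, and that a user's group grant on a subtree does not reach the repository root.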
