You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by "Kedar Sirshikar (ksirshik)" <ks...@cisco.com> on 2017/09/02 01:50:15 UTC
Re: Can i read/write(based on LDAP group) to SVN without using
AuthzSVNAccessFile directive
Hi Brane,
I tried to follow your suggestions. Please refer attached latest version of ‘subversion.conf’
1. I updated my subversion.conf to include ‘AuthLDAPGroupAttribute’ attribute. Its value is set to cn as cn attribute has the group name (to which user is assigned)
dn: uid=sssd_pb,ou=users,dc=sprint,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
cn: cn=Admin,ou=groups,dc=sprint,dc=com
gidNumber: 491
homeDirectory: /home/qns-svn
sn: sn_sssd_pb
uid: sssd_pb
uidNumber: 491
userPassword:: e1NTSEF9Qi94UDJVK3dtbWFDQW5hRVR5ZW1uL2RnenFudnBMdlNoaUxkOFE9P
Q==
2. I included cn in ‘Require ldap-group’ at line 43 in subversion.conf
Require ldap-group cn=Admin,ou=groups,dc=sprint,dc=com
3. I also tried turning ‘AuthLDAPGroupAttributeIsDN’ attribute on and off.
But none of the above attempt helped me to get sssd_pb user authorized in Admin/RW role. Currently sssd_pb user gets READONLY access by default.
Is there any way I can check for logs? If I get some relevant logs, I myself can dig down more.
I came across below 2 urls which claim that it is not possible to get rid of AuthzSVNAccessFile directive and you must use a file to configure groups and users.
http://grokbase.com/t/subversion/users/1477dcf8yc/how-to-control-access-of-a-subversion-repo-subfolder-via-ad-groups/oldest#responses_tab_top
https://github.com/whitlockjc/sync-ldap-groups-to-svn-authz
Now, I am little confused about whether it is really possible (or not) to fully avoid configuring groups and user names in a separate file.
Brane,
Appreciate your help in advance!
Depending upon your feedback I may have to decide if to build a python script or to explore more in current experiment.
Regards,
Kedar.
From: "Kedar Sirshikar (ksirshik)" <ks...@cisco.com>
Date: Monday, August 7, 2017 at 1:10 AM
To: Branko Čibej <br...@apache.org>, "users@subversion.apache.org" <us...@subversion.apache.org>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive
Hi Brane,
Thank you for reply.
I am providing some inputs about my experiement as of now.
I am using ‘httpd-2.2.15-54.el6.centos.x86_64’ httpd.
I have attached ldif file and ‘/etc/httpd/conf.d/subversion.conf’ files for your reference.
I have also attached ‘sssd.conf’ (to interact with LDAP).
Still I have not been able to grant read access to gidNumber: 500 and read/write access to gidNumber: 491 from ldap.
Do you see any obvious issue in attached files? Your advice will be a great help!
Regards,
Kedar.
From: Branko Čibej <br...@apache.org>
Organization: The Apache Software Foundation
Date: Monday, August 7, 2017 at 12:36 AM
To: "users@subversion.apache.org" <us...@subversion.apache.org>
Cc: "Kedar Sirshikar (ksirshik)" <ks...@cisco.com>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive
On 04.08.2017 18:39, Kedar Sirshikar (ksirshik) wrote:
Hi team,
I need some help on integration of SVN, Apache and LDAP.
Currently we are using ‘/var/www/svn/users-access-file’ to store SVN admin users.
Problem with this approach is if new admin users are added in LDAP then we have to change above file as well (for adding new users).
Also, storing user names in ‘/var/www/svn/users-access-file’ is always discouraged as it may violate security.
So, is there any way I can avoid using ‘/var/www/svn/users-access-file’ and achieve read/write access to SVN based on groups of LDAP users?
I am also investing but as I am new to this area so your help may improve my investigation.
Yes, this is easily done; here's an example of the access part of the httpd config file (for httpd 2.4.x):
<RequireAll>
Require valid-user
<Limit HEAD GET OPTIONS PROPFIND REPORT>
<RequireAny>
# Read access
Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com
Require ldap-group cn=svn.readonly,ou=group,dc=example,dc=com
</RequireAny>
</Limit>
<LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
<RequireAny>
# Write access
Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com
</RequireAny>
</LimitExcept>
</RequireAll>
-- Brane
Re: Can i read/write(based on LDAP group) to SVN without using
AuthzSVNAccessFile directive
Posted by "Kedar Sirshikar (ksirshik)" <ks...@cisco.com>.
Yes Johan, I will try and update you once I get some breakthrough
Thank you for your precious help.
On 9/6/17, 5:04 AM, "Johan Corveleyn" <jc...@gmail.com> wrote:
On Tue, Sep 5, 2017 at 11:31 PM, Kedar Sirshikar (ksirshik)
<ks...@cisco.com> wrote:
> Yes Brane, I changed the correct subversion configuration file
> (/etc/httpd/conf.d/subversion.conf) and I also restarted the server using
> ‘/etc/init.d/httpd restart’ command.
Okay, please take a step back and look around for any missing clues on
your system (we cannot do that from here).
If I summarize correctly, you still get errors, in the httpd error
log, with "Failed to load the AuthzSVNAccessFile: Can't open file '/
var/www/svn/users-access-file': No such file or directory", even
though you removed any reference of /var/www/svn/users-access-file
from your httpd configuration (and restarted httpd).
Clearly there must be some mixup. Apache httpd or Subversion will not
guess that filename out of thin air, and try to access it out of their
own initiative. There must be some remaining reference. It's up to you
to find it. Check for other conf files that may be involved in your
httpd configuration (one conf file can import another etc.). Perhaps
you can grep around a bit.
--
Johan
Re: Can i read/write(based on LDAP group) to SVN without using
AuthzSVNAccessFile directive
Posted by Johan Corveleyn <jc...@gmail.com>.
On Tue, Sep 5, 2017 at 11:31 PM, Kedar Sirshikar (ksirshik)
<ks...@cisco.com> wrote:
> Yes Brane, I changed the correct subversion configuration file
> (/etc/httpd/conf.d/subversion.conf) and I also restarted the server using
> ‘/etc/init.d/httpd restart’ command.
Okay, please take a step back and look around for any missing clues on
your system (we cannot do that from here).
If I summarize correctly, you still get errors, in the httpd error
log, with "Failed to load the AuthzSVNAccessFile: Can't open file '/
var/www/svn/users-access-file': No such file or directory", even
though you removed any reference of /var/www/svn/users-access-file
from your httpd configuration (and restarted httpd).
Clearly there must be some mixup. Apache httpd or Subversion will not
guess that filename out of thin air, and try to access it out of their
own initiative. There must be some remaining reference. It's up to you
to find it. Check for other conf files that may be involved in your
httpd configuration (one conf file can import another etc.). Perhaps
you can grep around a bit.
--
Johan
Re: Can i read/write(based on LDAP group) to SVN without using
AuthzSVNAccessFile directive
Posted by "Kedar Sirshikar (ksirshik)" <ks...@cisco.com>.
Yes Brane, I changed the correct subversion configuration file (/etc/httpd/conf.d/subversion.conf) and I also restarted the server using ‘/etc/init.d/httpd restart’ command.
Regards,
Kedar.
From: "Kedar Sirshikar (ksirshik)" <ks...@cisco.com>
Date: Tuesday, September 5, 2017 at 12:25 PM
To: Branko Čibej <br...@apache.org>, "users@subversion.apache.org" <us...@subversion.apache.org>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive
Hi Brane,
I just found out that it is still referring to ‘/var/www/svn/users-access-file’ even after removing it from subversion.conf. I also deleted ‘users-access-file’ file from ‘/var/www/svn’
I even tried commenting below line from subversion.conf but still same error.
#LoadModule authz_svn_module modules/mod_authz_svn.so
In every case, I am still getting 403 error in logs:
[Tue Sep 05 08:11:33 2017] [error] [client 172.16.2.14] (2)No such file or directory: Failed to load the AuthzSVNAccessFile: Can't open file '/ var/www/svn/users-access-file': No such file or directory
I am not able to understand why it is still referring to earlier configured ‘AuthzSVNAccessFile /var/www/svn/users-access-file’ directive.
Regards,
Kedar.
From: "Kedar Sirshikar (ksirshik)" <ks...@cisco.com>
Date: Sunday, September 3, 2017 at 12:36 PM
To: Branko Čibej <br...@apache.org>, "users@subversion.apache.org" <us...@subversion.apache.org>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive
Thank you, Brane, for your reply.
I updated subversion.conf to include group’s attribute memberUid
AuthLDAPURL ldaps://ldap_l.cisco.com:10648/dc=sprint,dc=com?hasSubordinates,objectClass?sub?uid
AuthLDAPBindDN uid=admin,ou=system
AuthLDAPBindPassword secret
AuthzLDAPAuthoritative on
AuthLDAPGroupAttributeIsDN off
#AuthLDAPGroupAttribute cn
AuthLDAPGroupAttribute memberUid
#<RequireAll>
Require valid-user
<Limit HEAD GET OPTIONS PROPFIND REPORT>
#<RequireAny>
# Read access
Require ldap-group cn=User,ou=groups,dc=sprint,dc=com
#</RequireAny>
</Limit>
<LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
#<RequireAny>
# Write access
Require ldap-group cn=Roles,ou=groups,dc=sprint,dc=com
Require ldap-attribute gidNumber=491
#Require ldap-group cn=Admin,ou=groups,dc=sprint,dc=com
#</RequireAny>
</LimitExcept>
#</RequireAll>
I have also updated screen shots for sssd_pb and Roles group. I feel there is something wrong in this ldif because of which it is still not working.
Output of ldapsearch is
KSIRSHIK-M-33TW:~ ksirshik$ ldapsearch -H ldaps://ldap_l.cisco.com:10648 -x -D "uid=admin,ou=system" -W -b "dc=sprint,dc=com" -s sub -a always -z 1000 "uid=sssd_pb"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=sprint,dc=com> with scope subtree
# filter: uid=sssd_pb
# requesting: ALL
#
# sssd_pb, Admin, groups, sprint.com
dn: uid=sssd_pb,cn=Admin,ou=groups,dc=sprint,dc=com
sn: sn_sssd_pb
cn: cn_sssd_pb
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
homeDirectory: /home/qns-svn
gidNumber: 491
uidNumber: 491
userPassword:: e1NTSEF9dGFPUmpYdTZ4TUxUemdmTjJVVlE3TkJiRVQwYkVqZWxTQ2V2T3c9PQ=
=
uid: sssd_pb
# sssd_pb, users, sprint.com
dn: uid=sssd_pb,ou=users,dc=sprint,dc=com
sn: sn_sssd_pb
cn: cn=Admin,ou=groups,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
homeDirectory: /home/qns-svn
gidNumber: 491
uidNumber: 491
userPassword:: e1NTSEF9Qi94UDJVK3dtbWFDQW5hRVR5ZW1uL2RnenFudnBMdlNoaUxkOFE9PQ=
=
uid: sssd_pb
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
KSIRSHIK-M-33TW:~ ksirshik$
Regards,
Kedar.
From: Branko Čibej <br...@apache.org>
Organization: The Apache Software Foundation
Date: Saturday, September 2, 2017 at 5:07 AM
To: "Kedar Sirshikar (ksirshik)" <ks...@cisco.com>, "users@subversion.apache.org" <us...@subversion.apache.org>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive
On 02.09.2017 03:50, Kedar Sirshikar (ksirshik) wrote:
Hi Brane,
I tried to follow your suggestions. Please refer attached latest version of ‘subversion.conf’
1. I updated my subversion.conf to include ‘AuthLDAPGroupAttribute’ attribute. Its value is set to cn as cn attribute has the group name (to which user is assigned)
AuthLDAPGroupAttribute is the name of the group's member list attribute, not the user's primary group attribute.
Is there any way I can check for logs? If I get some relevant logs, I myself can dig down more.
You should have Apache server logs available. If they're not detailed enough, you can increase the log verbosity.
I came across below 2 urls which claim that it is not possible to get rid of AuthzSVNAccessFile directive and you must use a file to configure groups and users.
http://grokbase.com/t/subversion/users/1477dcf8yc/how-to-control-access-of-a-subversion-repo-subfolder-via-ad-groups/oldest#responses_tab_top
https://github.com/whitlockjc/sync-ldap-groups-to-svn-authz
Now, I am little confused about whether it is really possible (or not) to fully avoid configuring groups and user names in a separate file.
That depends on what you want to do. If you only want to control read-only vs. read-write access to the whole repository, you can do that in the Apache config, as I showed you. If you want more fine-grained access control, that's what the Subversion authz file is for. If you want to do that per-user, then you will have to define users (and/or groups) in that file. And yes, there are tools out there for automatically generating user and group lists for the Subversion authz file from LDAP.
-- Brane
Re: Can i read/write(based on LDAP group) to SVN without using
AuthzSVNAccessFile directive
Posted by Branko Čibej <br...@apache.org>.
On 05.09.2017 21:25, Kedar Sirshikar (ksirshik) wrote:
>
> Hi Brane,
>
> I just found out that it is still referring to
> ‘/var/www/svn/users-access-file’ even after removing it from
> subversion.conf. I also deleted ‘users-access-file’ file from
> ‘/var/www/svn’
>
> I even tried commenting below line from subversion.conf but still same
> error.
>
> #LoadModule authz_svn_module modules/mod_authz_svn.so
>
>
>
> In every case, I am still getting 403 error in logs:
>
>
>
> [Tue Sep 05 08:11:33 2017] [error] [client 172.16.2.14] (2)No such
> file or directory: Failed to load the AuthzSVNAccessFile: Can't open
> file '/ var/www/svn/users-access-file': No such file or directory
>
>
>
> I am not able to understand why it is still referring to earlier
> configured ‘AuthzSVNAccessFile /var/www/svn/users-access-file’ directive.
>
Did you change the right Apache config file? Did you restart the server
after changing it? And so on. There are so many things that could be
going wrong that it's quite hard to guess, from the data in you mails,
how to fix them.
-- Brane
Re: Can i read/write(based on LDAP group) to SVN without using
AuthzSVNAccessFile directive
Posted by "Kedar Sirshikar (ksirshik)" <ks...@cisco.com>.
Hi Brane,
I just found out that it is still referring to ‘/var/www/svn/users-access-file’ even after removing it from subversion.conf. I also deleted ‘users-access-file’ file from ‘/var/www/svn’
I even tried commenting below line from subversion.conf but still same error.
#LoadModule authz_svn_module modules/mod_authz_svn.so
In every case, I am still getting 403 error in logs:
[Tue Sep 05 08:11:33 2017] [error] [client 172.16.2.14] (2)No such file or directory: Failed to load the AuthzSVNAccessFile: Can't open file '/ var/www/svn/users-access-file': No such file or directory
I am not able to understand why it is still referring to earlier configured ‘AuthzSVNAccessFile /var/www/svn/users-access-file’ directive.
Regards,
Kedar.
From: "Kedar Sirshikar (ksirshik)" <ks...@cisco.com>
Date: Sunday, September 3, 2017 at 12:36 PM
To: Branko Čibej <br...@apache.org>, "users@subversion.apache.org" <us...@subversion.apache.org>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive
Thank you, Brane, for your reply.
I updated subversion.conf to include group’s attribute memberUid
AuthLDAPURL ldaps://ldap_l.cisco.com:10648/dc=sprint,dc=com?hasSubordinates,objectClass?sub?uid
AuthLDAPBindDN uid=admin,ou=system
AuthLDAPBindPassword secret
AuthzLDAPAuthoritative on
AuthLDAPGroupAttributeIsDN off
#AuthLDAPGroupAttribute cn
AuthLDAPGroupAttribute memberUid
#<RequireAll>
Require valid-user
<Limit HEAD GET OPTIONS PROPFIND REPORT>
#<RequireAny>
# Read access
Require ldap-group cn=User,ou=groups,dc=sprint,dc=com
#</RequireAny>
</Limit>
<LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
#<RequireAny>
# Write access
Require ldap-group cn=Roles,ou=groups,dc=sprint,dc=com
Require ldap-attribute gidNumber=491
#Require ldap-group cn=Admin,ou=groups,dc=sprint,dc=com
#</RequireAny>
</LimitExcept>
#</RequireAll>
I have also updated screen shots for sssd_pb and Roles group. I feel there is something wrong in this ldif because of which it is still not working.
Output of ldapsearch is
KSIRSHIK-M-33TW:~ ksirshik$ ldapsearch -H ldaps://ldap_l.cisco.com:10648 -x -D "uid=admin,ou=system" -W -b "dc=sprint,dc=com" -s sub -a always -z 1000 "uid=sssd_pb"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=sprint,dc=com> with scope subtree
# filter: uid=sssd_pb
# requesting: ALL
#
# sssd_pb, Admin, groups, sprint.com
dn: uid=sssd_pb,cn=Admin,ou=groups,dc=sprint,dc=com
sn: sn_sssd_pb
cn: cn_sssd_pb
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
homeDirectory: /home/qns-svn
gidNumber: 491
uidNumber: 491
userPassword:: e1NTSEF9dGFPUmpYdTZ4TUxUemdmTjJVVlE3TkJiRVQwYkVqZWxTQ2V2T3c9PQ=
=
uid: sssd_pb
# sssd_pb, users, sprint.com
dn: uid=sssd_pb,ou=users,dc=sprint,dc=com
sn: sn_sssd_pb
cn: cn=Admin,ou=groups,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
homeDirectory: /home/qns-svn
gidNumber: 491
uidNumber: 491
userPassword:: e1NTSEF9Qi94UDJVK3dtbWFDQW5hRVR5ZW1uL2RnenFudnBMdlNoaUxkOFE9PQ=
=
uid: sssd_pb
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
KSIRSHIK-M-33TW:~ ksirshik$
Regards,
Kedar.
From: Branko Čibej <br...@apache.org>
Organization: The Apache Software Foundation
Date: Saturday, September 2, 2017 at 5:07 AM
To: "Kedar Sirshikar (ksirshik)" <ks...@cisco.com>, "users@subversion.apache.org" <us...@subversion.apache.org>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive
On 02.09.2017 03:50, Kedar Sirshikar (ksirshik) wrote:
Hi Brane,
I tried to follow your suggestions. Please refer attached latest version of ‘subversion.conf’
1. I updated my subversion.conf to include ‘AuthLDAPGroupAttribute’ attribute. Its value is set to cn as cn attribute has the group name (to which user is assigned)
AuthLDAPGroupAttribute is the name of the group's member list attribute, not the user's primary group attribute.
Is there any way I can check for logs? If I get some relevant logs, I myself can dig down more.
You should have Apache server logs available. If they're not detailed enough, you can increase the log verbosity.
I came across below 2 urls which claim that it is not possible to get rid of AuthzSVNAccessFile directive and you must use a file to configure groups and users.
http://grokbase.com/t/subversion/users/1477dcf8yc/how-to-control-access-of-a-subversion-repo-subfolder-via-ad-groups/oldest#responses_tab_top
https://github.com/whitlockjc/sync-ldap-groups-to-svn-authz
Now, I am little confused about whether it is really possible (or not) to fully avoid configuring groups and user names in a separate file.
That depends on what you want to do. If you only want to control read-only vs. read-write access to the whole repository, you can do that in the Apache config, as I showed you. If you want more fine-grained access control, that's what the Subversion authz file is for. If you want to do that per-user, then you will have to define users (and/or groups) in that file. And yes, there are tools out there for automatically generating user and group lists for the Subversion authz file from LDAP.
-- Brane
Re: Can i read/write(based on LDAP group) to SVN without using
AuthzSVNAccessFile directive
Posted by "Kedar Sirshikar (ksirshik)" <ks...@cisco.com>.
Thank you, Brane, for your reply.
I updated subversion.conf to include group’s attribute memberUid
AuthLDAPURL ldaps://ldap_l.cisco.com:10648/dc=sprint,dc=com?hasSubordinates,objectClass?sub?uid
AuthLDAPBindDN uid=admin,ou=system
AuthLDAPBindPassword secret
AuthzLDAPAuthoritative on
AuthLDAPGroupAttributeIsDN off
#AuthLDAPGroupAttribute cn
AuthLDAPGroupAttribute memberUid
#<RequireAll>
Require valid-user
<Limit HEAD GET OPTIONS PROPFIND REPORT>
#<RequireAny>
# Read access
Require ldap-group cn=User,ou=groups,dc=sprint,dc=com
#</RequireAny>
</Limit>
<LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
#<RequireAny>
# Write access
Require ldap-group cn=Roles,ou=groups,dc=sprint,dc=com
Require ldap-attribute gidNumber=491
#Require ldap-group cn=Admin,ou=groups,dc=sprint,dc=com
#</RequireAny>
</LimitExcept>
#</RequireAll>
I have also updated screen shots for sssd_pb and Roles group. I feel there is something wrong in this ldif because of which it is still not working.
Output of ldapsearch is
KSIRSHIK-M-33TW:~ ksirshik$ ldapsearch -H ldaps://ldap_l.cisco.com:10648 -x -D "uid=admin,ou=system" -W -b "dc=sprint,dc=com" -s sub -a always -z 1000 "uid=sssd_pb"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=sprint,dc=com> with scope subtree
# filter: uid=sssd_pb
# requesting: ALL
#
# sssd_pb, Admin, groups, sprint.com
dn: uid=sssd_pb,cn=Admin,ou=groups,dc=sprint,dc=com
sn: sn_sssd_pb
cn: cn_sssd_pb
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
homeDirectory: /home/qns-svn
gidNumber: 491
uidNumber: 491
userPassword:: e1NTSEF9dGFPUmpYdTZ4TUxUemdmTjJVVlE3TkJiRVQwYkVqZWxTQ2V2T3c9PQ=
=
uid: sssd_pb
# sssd_pb, users, sprint.com
dn: uid=sssd_pb,ou=users,dc=sprint,dc=com
sn: sn_sssd_pb
cn: cn=Admin,ou=groups,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
homeDirectory: /home/qns-svn
gidNumber: 491
uidNumber: 491
userPassword:: e1NTSEF9Qi94UDJVK3dtbWFDQW5hRVR5ZW1uL2RnenFudnBMdlNoaUxkOFE9PQ=
=
uid: sssd_pb
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
KSIRSHIK-M-33TW:~ ksirshik$
Regards,
Kedar.
From: Branko Čibej <br...@apache.org>
Organization: The Apache Software Foundation
Date: Saturday, September 2, 2017 at 5:07 AM
To: "Kedar Sirshikar (ksirshik)" <ks...@cisco.com>, "users@subversion.apache.org" <us...@subversion.apache.org>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive
On 02.09.2017 03:50, Kedar Sirshikar (ksirshik) wrote:
Hi Brane,
I tried to follow your suggestions. Please refer attached latest version of ‘subversion.conf’
1. I updated my subversion.conf to include ‘AuthLDAPGroupAttribute’ attribute. Its value is set to cn as cn attribute has the group name (to which user is assigned)
AuthLDAPGroupAttribute is the name of the group's member list attribute, not the user's primary group attribute.
Is there any way I can check for logs? If I get some relevant logs, I myself can dig down more.
You should have Apache server logs available. If they're not detailed enough, you can increase the log verbosity.
I came across below 2 urls which claim that it is not possible to get rid of AuthzSVNAccessFile directive and you must use a file to configure groups and users.
http://grokbase.com/t/subversion/users/1477dcf8yc/how-to-control-access-of-a-subversion-repo-subfolder-via-ad-groups/oldest#responses_tab_top
https://github.com/whitlockjc/sync-ldap-groups-to-svn-authz
Now, I am little confused about whether it is really possible (or not) to fully avoid configuring groups and user names in a separate file.
That depends on what you want to do. If you only want to control read-only vs. read-write access to the whole repository, you can do that in the Apache config, as I showed you. If you want more fine-grained access control, that's what the Subversion authz file is for. If you want to do that per-user, then you will have to define users (and/or groups) in that file. And yes, there are tools out there for automatically generating user and group lists for the Subversion authz file from LDAP.
-- Brane
Re: Can i read/write(based on LDAP group) to SVN without using
AuthzSVNAccessFile directive
Posted by Branko Čibej <br...@apache.org>.
On 02.09.2017 03:50, Kedar Sirshikar (ksirshik) wrote:
>
> Hi Brane,
>
> I tried to follow your suggestions. Please refer attached latest
> version of ‘subversion.conf’
>
> 1. I updated my subversion.conf to include
> ‘AuthLDAPGroupAttribute’ attribute. Its value is set to cn as cn
> attribute has the group name (to which user is assigned)
>
AuthLDAPGroupAttribute is the name of the group's member list attribute,
not the user's primary group attribute.
> Is there any way I can check for logs? If I get some relevant logs, I
> myself can dig down more.
>
You should have Apache server logs available. If they're not detailed
enough, you can increase the log verbosity.
> I came across below 2 urls which claim that it is not possible to get
> rid of AuthzSVNAccessFile directive and you must use a file to
> configure groups and users.
>
> http://grokbase.com/t/subversion/users/1477dcf8yc/how-to-control-access-of-a-subversion-repo-subfolder-via-ad-groups/oldest#responses_tab_top
>
> https://github.com/whitlockjc/sync-ldap-groups-to-svn-authz
>
>
>
> Now, I am little confused about whether it is really possible (or not)
> to fully avoid configuring groups and user names in a separate file.
>
That depends on what you want to do. If you only want to control
read-only vs. read-write access to the whole repository, you can do that
in the Apache config, as I showed you. If you want more fine-grained
access control, that's what the Subversion authz file is for. If you
want to do that per-user, then you will have to define users (and/or
groups) in that file. And yes, there are tools out there for
automatically generating user and group lists for the Subversion authz
file from LDAP.
-- Brane