You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Jonathan Williams <jc...@nyu.edu> on 2006/03/08 22:48:07 UTC
Usernames with @ in them break groups in AuthzSVNAccessFile
Hi Subversioneers,
I need to have usernames of the form user@domain since I am using
mod_auth_kerberos with apache to authenticate repository users.
Groups appear to stop working with more than one username of this form:
[groups]
admin = me@myedu boss@myedu
user = someone@myedu @admin
[/]
* =
@user = r
@admin = rw
I'm pretty sure that one breaks, but there's plenty of ways:
Failed to load the AuthzSVNAccessFile: An authz rule refers to g
roup 'someone @admin', which is undefined
Thanks.
--
Jonathan C. Williams
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Usernames with @ in them break groups in AuthzSVNAccessFile
Posted by Jonathan Williams <jc...@nyu.edu>.
I'm very sorry -- I put the wrong broken rule in! This case is known
to not work on my setup (Apache 2.2, OS X Tiger, svn 1.3.0, built
from DarwinPorts)
----
jcw9 = jcw9@ORLY.EDU
testgroup = @jcw9 test@ORLY.EDU
[/misc/test1]
* =
@testgroup = rw
----
[Mon Mar 13 11:58:27 2006] [error] [client 128.122.226.112] Failed to
load the AuthzSVNAccessFile: An authz rule refers to group 'jcw9
test@ORLY.EDU', which is undefined
[Mon Mar 13 11:58:27 2006] [error] [client 128.122.226.112] Access
denied: 'jcw9@ORLY.EDU' GET svn:/misc/test1
----
Switching the order of the testgroup line (`testgroup = test@ORLY.EDU
@jcw9`) still gives an access denied but without the
'AuthzSVNAccessFile' error.log entry
On Mar 10, 2006, at 2:22 AM, Kalin KOZHUHAROV wrote:
> Can you try to describe a bit more your situation? I am sure
> something else is b0rked.
I'm pretty sure this has *something* to do with mod_authz_svn as it
is generating a log entry that clearly shows it to be parsing the
file incorrectly.
--
Jonathan C. Williams
Web Programmer
Steinhardt School of Education
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Usernames with @ in them break groups in AuthzSVNAccessFile
Posted by Kalin KOZHUHAROV <ka...@thinrope.net>.
Jonathan Williams wrote:
> Hi Subversioneers,
>
> I need to have usernames of the form user@domain since I am using
> mod_auth_kerberos with apache to authenticate repository users. Groups
> appear to stop working with more than one username of this form:
>
>
> [groups]
> admin = me@myedu boss@myedu
> user = someone@myedu @admin
> [/]
> * =
> @user = r
> @admin = rw
>
> I'm pretty sure that one breaks, but there's plenty of ways:
>
> Failed to load the AuthzSVNAccessFile: An authz rule refers to g
> roup 'someone @admin', which is undefined
Well, it works for me here (subversion-1.3.0 on Gentoo Linux) with 20+ users, each in a 2+ groups, for about 10+ projects.
All users are user@domain and have been so for the last one year.
Can you try to describe a bit more your situation? I am sure something else is b0rked.
Check that you don't have special characters in your auth file (use editor like vim and highlight space).
Kalin.
--
|[ ~~~~~~~~~~~~~~~~~~~~~~ ]|
+-> http://ThinRope.net/ <-+
|[ ______________________ ]|
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Usernames with @ in them break groups in AuthzSVNAccessFile
Posted by Nick Thompson <ni...@agere.com>.
On Wednesday 08 March 2006 22:48, Jonathan Williams wrote:
> Hi Subversioneers,
>
> I need to have usernames of the form user@domain since I am using
> mod_auth_kerberos with apache to authenticate repository users.
There is another possible solution. There is a patch for mod_auth_kerb
to add an option that when set to off, doesn't cause the @DOMAIN bit
to be "added" to the authenticated user name. I use the patch and it
works well for us, since we don't care about the DOMAIN (we only have
one):
KrbAppendRealm off
I have the patch file, but it is squirreled away in the bug database
of mod_auth_kerb. It not clear whether the option will be added to
the next release of mod_auth_kerb.
--
Nick.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org