Posted to users@subversion.apache.org by Dominic Anello <da...@danky.com> on 2004/05/01 03:53:15 UTC

Re: Active Directory authentication for Subversion

On 2004-04-30 14:52:33 +1000, Daniel F Garcia wrote:
> I'm trying to set up active directory authentication, but am not having any
> luck. This is what I have done so far.
----8<--- 

Hi - just implemented this.  Assuming you have mod_auth_ldap installed
the following should work:

<Location /ec-svn>
    DAV svn
    SVNPath "/usr/local/svn/ec-svn/repo"
    AuthzSVNAccessFile "/usr/local/svn/ec-svn/auth/access.ini"

    AuthLDAPURL ldap://hoth/CN=Users,DC=isolution,DC=idx,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN "ISOLUTION\danello"
    AuthLDAPBindPassword XXXXXXXX
    AuthType Basic
    AuthName "eCommerce SVN repository"

    <LimitExcept MERGE>
        Require valid-user
    </LimitExcept>
</Location>

Where hoth is the AD server, ISOLUTION is the Windows domain and idx.com
is the internet domain.

I'm not an LDAP guru, I just Googled for LDAP Apache Active Directory
and adopted the info found at the page below for my own use.
http://www.wlug.org.nz/ActiveDirectoryAuthenticationNotes

Good luck!

-- 
Current soundtrack: 'Kinnie Star - Tidy - 02 - Ophelia'

Re: Active Directory authentication for Subversion

Posted by Dominic Anello <da...@danky.com>.
On 2004-05-01 14:30:17 +1000, Daniel F Garcia wrote:
> Thank you, thank you this worked really well. Also I replaced your
> LimitExcept block with
> 
>     <LimitExcept GET>
>         Require valid-user
>     </LimitExcept>
> 
> And now web browsing doesn't require authentication, but everything else
> does.
----8<----

Glad it worked.  <LimitExcept MERGE> is required if you have something
like this in your AuthzSVN config file:
-------------------------
[/]
fred = r

[/foo]
fred = rw

[/bar]
fred = rw
-------------------------

Then if user fred tries to do something like:
$ svn cp http://server/svn/foo/baz http://server/svn/bar/baz -m "test"

He will get access denied by authz because svn sends a MERGE to the
common parent of /foo and /bar.  The <LimitExcept> prevents MERGE
requests from being checked.  I don't know if it has any security side
effects, but my repo is on an intranet anyway, so I'm not too concerned
about users hand-crafting malicious MERGE requests.

--
Current soundtrack: 'Kimya Dawson - My Cute Friend Sweet Princess - 6 -
The Beer'
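
The denial described in the message above, modelled as an added example (not part of the original thread and not mod_authz_svn's own code): a simplified nearest-ancestor lookup over the quoted access file, showing why fred's MERGE to the common parent / is refused and that exempting MERGE skips the check for every user, not just fred. The write-method list and all function names are assumptions of this model.

```python
# Simplified model of path-based authz lookup; not mod_authz_svn itself.
import configparser
import posixpath

# Constructed from the access file quoted in the message above.
AUTHZ_TEXT = """
[/]
fred = r

[/foo]
fred = rw

[/bar]
fred = rw
"""
# Assumption: MERGE is treated as a write, consistent with the denial described.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH", "MERGE"}

def parse_authz(text):
    """Return {section_path: {user: rights}} from the INI-style access file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}

def rights_for(rules, user, path):
    """Walk from path up to '/', returning the nearest rule for the user."""
    while True:
        if user in rules.get(path, {}):
            return rules[path][user]
        if path == "/":
            return ""  # no rule anywhere on the way up: no access
        path = posixpath.dirname(path)

def is_allowed(rules, user, method, path, unchecked=()):
    """Methods in `unchecked` model <LimitExcept ...>: they bypass the check."""
    if method in unchecked:
        return True
    need = "w" if method in WRITE_METHODS else "r"
    return need in rights_for(rules, user, path)

def merge_target(src, dst):
    """Common parent of source and destination, where the MERGE is sent."""
    return posixpath.commonpath([src, dst])

if __name__ == "__main__":
    rules = parse_authz(AUTHZ_TEXT)
    target = merge_target("/foo/baz", "/bar/baz")
    print(target, is_allowed(rules, "fred", "MERGE", target))
```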


RE: Active Directory authentication for Subversion

Posted by Daniel F Garcia <dg...@kobold.com.au>.
Thank you, thank you this worked really well. Also I replaced your
LimitExcept block with

    <LimitExcept GET>
        Require valid-user
    </LimitExcept>

And now web browsing doesn't require authentication, but everything else
does.

Daniel.
