You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Johan Bogema <jo...@bogema.nl> on 2008/04/10 14:12:44 UTC
AuthzSVNAccessFile
Hi all,
I have a problem that I can't get rid of and that is quite a big
problem. I am setting up a new server infrastructure for the company
where I work, and have some trouble with the rights assignment for
Subversion in regard to the Tortoise client. Let me first lay out my
configuration:
OS: MS Server 2003 DataCenter
Apache: 2.2.6
SVN: 1.4.6
Configuration part of Apache with regard to SVN:
DAV svn
SVNParentPath D:\SVN
SVNListParentPath On
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain DOMAIN
SSPIOfferBasic On
AuthName "Subversion repositories"
AuthzSVNAccessFile D:\authzaccess
Require valid-user
SSLRequireSSL
layout of D:\authzaccess:
[groups]
admin = firstname.lastname,DOMAIN\\Firstname.Lastname,
[/]
* = r
[adminrepo:/]
@admin = rw
Now my problem is that I can only change things in my repositories (as
user from the admin group) when I have the following entry in d:
\authzaccess:
[/]
* = rw
As you might understand, this is not what I want but I can't seem to
find the solution anywhere on the internet. Have been searching now
for several days but my Tortoise client keeps on whining about
authentication errors. If I enable that entry, it's no problem to do
whatever in my repositories, but then it's possible for all
authenticated users from our domain DOMAIN.
I hope anyone of you knows where the problem lies.
Regards,
JB
Re: AuthzSVNAccessFile
Posted by Johan Bogema <jo...@bogema.nl>.
On 11 apr 2008, at 10:05, Johan Bogema wrote:
>
> On 11 apr 2008, at 09:35, Jean-Marc van Leerdam wrote:
>> Hi Johan,
>>
>> On 10/04/2008, Johan Bogema <jo...@bogema.nl> wrote:
>>
>> layout of D:\authzaccess:
>>
>> [groups]
>> admin = firstname.lastname,DOMAIN\\Firstname.Lastname,
>>
>> Have you tried it with lower case DOMAIN name and/or a single
>> backslash?
>>
>> And do you really use firstname.lastname to login, or do you use
>> another userID?
>>
>>
>> --
>> Regards,
>>
>> Jean-Marc
>>
>> ----------------
>> ___
>> // \\ @@ "De Chelonian Mobile"
>> / \_/ \/._) TortoiseSVN
>> <\_/_\_/ / The coolest Interface to (Sub)Version Control
>> /_/ \_\ Check out http://tortoisesvn.net
>
> Hello Jean-Marc,
>
> I do use Firstname.Lastname when a user is created in my AD domain.
> The format of the login is how I took it from my Apache Access and
> Error logfiles. If I enable * = rw, then I can login and make
> changes using those credentials, so the login is correct for my AD I
> think. But I did try with single backslash and lower case domain
> name without any different results. Let me give you a line from both
> my access and my error log:
>
> [Fri Apr 11 09:44:56 2008] [error] [client <ipaddress>] Access
> denied: 'DOMAIN\\Firstname.Lastname' PROPFIND adminrepo:/
>
> <ipaddress> - DOMAIN\\Firstname.Lastname [11/Apr/2008:09:45:09
> +0200] "OPTIONS /svn/adminrepo HTTP/1.1" 403 224 "-" "SVN/1.4.6
> (r28521) neon/0.27.2"
>
> Regards,
>
> Johan
Correction and apologies from my side,
Have tried this again, and it finally works. For some reason this
didn't work 2 days ago, but now it works. Thank you Jean-Marc for your
great answer. The problem was indeed with the double backslashes.
Regards and thanks again,
Johan
Re: AuthzSVNAccessFile
Posted by Johan Bogema <jo...@bogema.nl>.
On 11 apr 2008, at 09:35, Jean-Marc van Leerdam wrote:
> Hi Johan,
>
> On 10/04/2008, Johan Bogema <jo...@bogema.nl> wrote:
>
> layout of D:\authzaccess:
>
> [groups]
> admin = firstname.lastname,DOMAIN\\Firstname.Lastname,
>
> Have you tried it with lower case DOMAIN name and/or a single
> backslash?
>
> And do you really use firstname.lastname to login, or do you use
> another userID?
>
>
> --
> Regards,
>
> Jean-Marc
>
> ----------------
> ___
> // \\ @@ "De Chelonian Mobile"
> / \_/ \/._) TortoiseSVN
> <\_/_\_/ / The coolest Interface to (Sub)Version Control
> /_/ \_\ Check out http://tortoisesvn.net
Hello Jean-Marc,
I do use Firstname.Lastname when a user is created in my AD domain.
The format of the login is how I took it from my Apache Access and
Error logfiles. If I enable * = rw, then I can login and make changes
using those credentials, so the login is correct for my AD I think.
But I did try with single backslash and lower case domain name without
any different results. Let me give you a line from both my access and
my error log:
[Fri Apr 11 09:44:56 2008] [error] [client <ipaddress>] Access denied:
'DOMAIN\\Firstname.Lastname' PROPFIND adminrepo:/
<ipaddress> - DOMAIN\\Firstname.Lastname [11/Apr/2008:09:45:09 +0200]
"OPTIONS /svn/adminrepo HTTP/1.1" 403 224 "-" "SVN/1.4.6 (r28521) neon/
0.27.2"
Regards,
Johan
Re: AuthzSVNAccessFile
Posted by Jean-Marc van Leerdam <j....@gmail.com>.
Hi Johan,
On 10/04/2008, Johan Bogema <jo...@bogema.nl> wrote:
>
>
> layout of D:\authzaccess:
>
> *[groups]*
> *admin = firstname.lastname,DOMAIN\\Firstname.Lastname,*
>
Have you tried it with lower case DOMAIN name and/or a single backslash?
And do you really use firstname.lastname to login, or do you use another
userID?
--
Regards,
Jean-Marc
----------------
___
// \\ @@ "De Chelonian Mobile"
/ \_/ \/._) TortoiseSVN
<\_/_\_/ / The coolest Interface to (Sub)Version Control
/_/ \_\ Check out http://tortoisesvn.net
Re: AuthzSVNAccessFile
Posted by Johan Bogema <jo...@bogema.nl>.
On 10 apr 2008, at 16:29, Phil Pinkerton wrote:
>
> On Thu, Apr 10, 2008 at 10:12 AM, Johan Bogema <jo...@bogema.nl>
> wrote:
> Hi all,
>
> I have a problem that I can't get rid of and that is quite a big
> problem. I am setting up a new server infrastructure for the company
> where I work, and have some trouble with the rights assignment for
> Subversion in regard to the Tortoise client. Let me first lay out my
> configuration:
>
> OS: MS Server 2003 DataCenter
> Apache: 2.2.6
> SVN: 1.4.6
>
> Configuration part of Apache with regard to SVN:
>
> DAV svn
> SVNParentPath D:\SVN
> SVNListParentPath On
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain DOMAIN
> SSPIOfferBasic On
> AuthName "Subversion repositories"
> AuthzSVNAccessFile D:\authzaccess
> Require valid-user
> SSLRequireSSL
>
> layout of D:\authzaccess:
>
> [groups]
> admin = firstname.lastname,DOMAIN\\Firstname.Lastname,
>
> [/]
> * = r
>
> [adminrepo:/]
> @admin = rw
>
> Now my problem is that I can only change things in my repositories
> (as user from the admin group) when I have the following entry in d:
> \authzaccess:
>
> [/]
> * = rw
>
> As you might understand, this is not what I want but I can't seem to
> find the solution anywhere on the internet. Have been searching now
> for several days but my Tortoise client keeps on whining about
> authentication errors. If I enable that entry, it's no problem to do
> whatever in my repositories, but then it's possible for all
> authenticated users from our domain DOMAIN.
>
> I hope anyone of you knows where the problem lies.
>
> Regards,
>
> JB
>
> try in this order:
> [/]
> @svnAdmins = rw
> * = r
Hi Phil,
Thanks for the reply, but this unfortunately does not solve the
problem. If I add @admin = rw to the [/] part, it does not change a
thing, neither when it is above or below the * = r.
The error log from apache gives the following information:
[Fri Apr 11 08:23:17 2008] [error] [client <ipaddress>] Access denied:
'DOMAIN\\Firstname.Lastname' MKACTIVITY adminrepo:
Regards,
JB