Posted to users@subversion.apache.org by Owen Loy <ow...@gmail.com> on 2012/01/05 23:07:58 UTC
LDAP authz aliases with svn+ssh
Hi there,
I'm wondering if my desired setup is possible:
1. Using svn+ssh
2. Using pam_ldap to handle SSH access
3. Using authz-db to handle ACL (against LDAP accounts)
I'm running into a problem with #3. My current test setup is as follows:
svnserve.conf:
---------------------
[general]
authz-db = authz
...
authz:
---------
[aliases]
svnaccess = CN=svngroup,CN=groups,DC=example,DC=com
[/]
&svnaccess = rw
With this setup, SSH is no problem (file permissions are correct, LDAP
works fine, etc...), but SVN returns Not Authorized. To debug, I tried the
following scenarios:
authz with "local" user (works):
--------
[/]
user1 = rw
authz with LDAP alias for specific user (does not work):
--------
[aliases]
svnaccess = CN=user1,CN=users,DC=example,DC=com
[/]
&svnaccess = rw
Has anyone run this sort of setup successfully, or is able to determine
what I'm doing wrong? I'm 99% sure the DNs are correct (in that they work
for SSH purposes, and other non-related issues), but don't seem to work
within the authz file, even though the docs suggest it should.
Thanks!
Re: LDAP authz aliases with svn+ssh
Posted by Patrick Burma <pa...@wandisco.com>.
You might try this to sync your authz file to an LDAP group; it will write
in the entries for you, a nice way to avoid issues with syntax perhaps?
http://www.thoughtspark.org/node/26
Never used it myself, meant to try it, but I've heard good things.
-Pat
On Thu, Jan 5, 2012 at 3:07 PM, Owen Loy <ow...@gmail.com> wrote:
> Hi there,
>
> I'm wondering if my desired setup is possible:
>
> 1. Using svn+ssh
> 2. Using pam_ldap to handle SSH access
> 3. Using authz-db to handle ACL (against LDAP accounts)
>
> I'm running into a problem with #3. My current test setup is as follows:
>
> svnserve.conf:
> ---------------------
> [general]
> authz-db = authz
> ...
>
> authz:
> ---------
> [aliases]
> svnaccess = CN=svngroup,CN=groups,DC=example,DC=com
>
> [/]
> &svnaccess = rw
>
> With this setup, SSH is no problem (file permissions are correct, LDAP
> works fine, etc...), but SVN returns Not Authorized. To debug, I tried the
> following scenarios:
>
> authz with "local" user (works):
> --------
> [/]
> user1 = rw
>
>
> authz with LDAP alias for specific user (does not work):
> --------
> [aliases]
> svnaccess = CN=user1,CN=users,DC=example,DC=com
>
> [/]
> &svnaccess = rw
>
> Has anyone run this sort of setup successfully, or is able to determine
> what I'm doing wrong? I'm 99% sure the DNs are correct (in that they work
> for SSH purposes, and other non-related issues), but don't seem to work
> within the authz file, even though the docs suggest it should.
>
> Thanks!
>
Re: LDAP authz aliases with svn+ssh
Posted by Daniel Shahaf <da...@elego.de>.
I've not used LDAP in this way, but two things:
Owen Loy wrote on Thu, Jan 05, 2012 at 14:07:58 -0800:
> [aliases]
> svnaccess = CN=svngroup,CN=groups,DC=example,DC=com
>
I don't think you can use groups this way, since the file parser isn't
aware of the semantics of LDAP.
> With this setup, SSH is no problem (file permissions are correct, LDAP
> works fine, etc...), but SVN returns Not Authorized. To debug, I tried the
> following scenarios:
>
> authz with "local" user (works):
> --------
> [/]
> user1 = rw
Define "works". Do you commit as 'svn commit --username=user1' over
svn+ssh://?
> authz with LDAP alias for specific user (does not work):
> --------
> [aliases]
> svnaccess = CN=user1,CN=users,DC=example,DC=com
>
> [/]
> &svnaccess = rw
>
> Has anyone run this sort of setup successfully, or is able to determine
> what I'm doing wrong? I'm 99% sure the DNs are correct (in that they work
> for SSH purposes, and other non-related issues), but don't seem to work
> within the authz file, even though the docs suggest it should.
Try and find what username svn looks up in the file. It might be
mentioned in the --log-file.
(And if it isn't, you could create a dummy repository with "anon-access
= none", or an equivalent configuration using authz-db and the
$anonymous/$authenticated lhs tokens, to force svn to accept any
non-anonymous username.)
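As an added illustration of Daniel's point (not code from the thread or from Subversion itself), here is a small Python model of how the authz file's [aliases], [groups] and path sections are matched against the authenticated name: an alias is a literal text substitution, so the DN on its right-hand side is compared byte-for-byte with the name svnserve looks up, and over svn+ssh that name is the SSH login account's username, not its LDAP DN. The sample file is constructed, and the within-section first-match rule is a simplification of the real parser.

```python
import configparser

# Constructed sample (not the poster's file): the alias holds an LDAP DN string,
# while the /trunk rule names the bare login name that svn+ssh actually passes.
AUTHZ_TEXT = """\
[aliases]
svnaccess = CN=user1,CN=users,DC=example,DC=com
[groups]
ldapusers = &svnaccess
[/]
@ldapusers = rw
[/trunk]
user1 = rw
"""

def load_authz(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # authz tokens are compared literally, so keep case
    cp.read_string(text)
    return cp

def expand(cp, lhs, seen=()):
    """Literal usernames an LHS token stands for ('&alias', '@group' or a name)."""
    if lhs.startswith("&"):  # an alias is plain text substitution, no LDAP lookup
        name = lhs[1:]
        return {cp.get("aliases", name)} if cp.has_option("aliases", name) else set()
    if lhs.startswith("@"):
        if lhs in seen or not cp.has_option("groups", lhs[1:]):
            return set()  # unknown group or a membership cycle
        names = set()
        for member in cp.get("groups", lhs[1:]).split(","):
            names |= expand(cp, member.strip(), seen + (lhs,))
        return names
    return {lhs}

def access_for(cp, username, path):
    """'rw', 'r' or '' for username on path. Simplified model: the most specific
    path section wins; within it the first rule naming the user (or '*') is used."""
    parts = [p for p in path.split("/") if p]
    sections = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    rights = ""
    for section in sections:  # root first, so deeper sections override
        if not cp.has_section(section):
            continue
        for lhs, value in cp.items(section):
            if lhs == "*" or username in expand(cp, lhs):
                rights = value.strip()
                break
    return rights
```

With this file, access_for(authz, "user1", "/") returns '' because the alias expands to the DN string and never equals the login name, while the plain "user1 = rw" rule under [/trunk] returns 'rw'.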