LDAP authz aliases with svn+ssh

[Owen Loy <ow...@gmail.com>]

Hi there,

I'm wondering if my desired setup is possible:

1. Using svn+ssh
2. Using pam_ldap to handle SSH access
3. Using authz-db to handle ACL (against LDAP accounts)

I'm running into a problem with #3. My current test setup is as follows:

svnserve.conf:
---------------------
[general]
authz-db = authz
...

authz:
---------
[aliases]
svnaccess = CN=svngroup,CN=groups,DC=example,DC=com

[/]
&svnaccess = rw

With this setup, SSH is no problem (file permissions are correct, LDAP
works fine, etc...), but SVN returns Not Authorized. To debug, I tried the
following scenarios:

authz with "local" user (works):
--------
[/]
user1 = rw


authz with LDAP alias for specific user (does not work):
--------
[aliases]
svnaccess = CN=user1,CN=users,DC=example,DC=com

[/]
&svnaccess = rw

Has anyone run this sort of setup successfully, or is able to determine
what I'm doing wrong? I'm 99% sure the DNs are correct (in that they work
for SSH purposes, and other non-related issues), but don't seem to work
within the authz file, even though the docs suggest it should.

Thanks!

Re: LDAP authz aliases with svn+ssh

[Patrick Burma <pa...@wandisco.com>]

You might try this to sync your authz file to an ldap group, it will write
in the entries for you, nice way to avoid issues with syntax perhaps?

http://www.thoughtspark.org/node/26

Never used it myself, meant to try it, but I've heard good things.

-Pat

On Thu, Jan 5, 2012 at 3:07 PM, Owen Loy <ow...@gmail.com> wrote:

> Hi there,
>
> I'm wondering if my desired setup is possible:
>
> 1. Using svn+ssh
> 2. Using pam_ldap to handle SSH access
> 3. Using authz-db to handle ACL (against LDAP accounts)
>
> I'm running into a problem with #3. My current test setup is as follows:
>
> svnserve.conf:
> ---------------------
> [general]
> authz-db = authz
> ...
>
> authz:
> ---------
> [aliases]
> svnaccess = CN=svngroup,CN=groups,DC=example,DC=com
>
> [/]
> &svnaccess = rw
>
> With this setup, SSH is no problem (file permissions are correct, LDAP
> works fine, etc...), but SVN returns Not Authorized. To debug, I tried the
> following scenarios:
>
> authz with "local" user (works):
> --------
> [/]
> user1 = rw
>
>
> authz with LDAP alias for specific user (does not work):
> --------
> [aliases]
> svnaccess = CN=user1,CN=users,DC=example,DC=com
>
> [/]
> &svnaccess = rw
>
> Has anyone run this sort of setup successfully, or is able to determine
> what I'm doing wrong? I'm 99% sure the DNs are correct (in that they work
> for SSH purposes, and other non-related issues), but don't seem to work
> within the authz file, even though the docs suggest it should.
>
> Thanks!
>

Re: LDAP authz aliases with svn+ssh

[Daniel Shahaf <da...@elego.de>]

I've not used LDAP in this way, but two things:

Owen Loy wrote on Thu, Jan 05, 2012 at 14:07:58 -0800:
> [aliases]
> svnaccess = CN=svngroup,CN=groups,DC=example,DC=com
> 

I don't think you can use groups this way, since the file parser isn't
aware of the semantics of LDAP.

> With this setup, SSH is no problem (file permissions are correct, LDAP
> works fine, etc...), but SVN returns Not Authorized. To debug, I tried the
> following scenarios:
> 
> authz with "local" user (works):
> --------
> [/]
> user1 = rw

Define "works".  Do you commit as 'svn commit --username=user1' over
svn+ssh://?

> authz with LDAP alias for specific user (does not work):
> --------
> [aliases]
> svnaccess = CN=user1,CN=users,DC=example,DC=com
> 
> [/]
> &svnaccess = rw
> 
> Has anyone run this sort of setup successfully, or is able to determine
> what I'm doing wrong? I'm 99% sure the DNs are correct (in that they work
> for SSH purposes, and other non-related issues), but don't seem to work
> within the authz file, even though the docs suggest it should.

Try and find what username svn looks up in the file.  It might be
mentioned in the --log-file.

(And if it isn't, you could create a dummy repository with "anon-access
= none", or an equivalent configuration using authz-db and the
$anonymous/$authenticated lhs tokens, to force svn to accept any
non-anonymous username.)