You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by j s <jb...@yahoo.com> on 2011/11/15 14:29:29 UTC
user access
Have svn running on windows/apache and currently dev team accesses svn repo's using http and tortoisesvn
They access the repos using their domain credentials set up in apache config.
we now have a group of temps that we want to create a new repo for and that they should only access that repo either by using uname/pwd or via domain access.
current set up
[server name]\c:\svnrepo
\product1 ---->[dev accesses this using domain\uname&pwd]
\product2---->[dev accesses this using domain\uname&pwd]
\product3---->[dev accesses this using domain\uname&pwd]
\temprepo---->[dev accesses this using domain\uname&pwd || the temp lackies access it using their uname and pwd only for this repo]
Is this set up possible? how would i go about it?
am open to changing access type based on best practise
Re: user access with subversion edge
Posted by j s <jb...@yahoo.com>.
Downloaded subversion edge to run on my current server serving svn 1.5.x with apache and repo's accessed via HTTP
figured i use subversion edge to get the latest svn server - 1.7.1 as i could not find just the binaries to replace over my existing installation.
in my 1.5.x i had this in my apache\conf\httpd.conf file
<Location /SVN>
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain <domaincontroller>
> SSPIOmitDomain on
> SSPIUsernameCase lower
> SSPIPerRequestAuth on
> SSPIOfferBasic On
> DAV svn
> SVNListParentPath on
> SVNParentPath F:\SVN
> #SVNIndexXSLT "/svnindex.xsl"
> AuthType SSPI
> AuthName "Subversion repositories"
> #AuthUserFile passwd
> AuthzSVNAccessFile F:/SVN/auth.conf
> Require valid-user
> Require group "DOMAIN\COMPANYNAME"
> </Location>
With subversion edge, i have things configured - however when i try to access my repo using [domainname]\[username] which previously worked, does not work with subversion edge. does subversion edge not support this?
Re: user access
Posted by j s <jb...@yahoo.com>.
________________________________
From: "Cooke, Mark" <ma...@siemens.com>
To: j s <jb...@yahoo.com>; "users@subversion.apache.org" <us...@subversion.apache.org>
Sent: Tuesday, November 15, 2011 10:05 AM
Subject: RE: user access
[We normally bottom-post on this list to make it easier to read in order... See in-line below]
> > -----Original Message-----
> > From: j s [mailto:jbluedelta@yahoo.com]
> > Sent: 15 November 2011 13:29
> > To: users@subversion.apache.org
> > Subject: user access
> >
> > Have svn running on windows/apache and currently dev team
> > accesses svn repo's using http and tortoisesvn
> >
> > They access the repos using their domain credentials set up
> > in apache config.
> >
> > we now have a group of temps that we want to create a new
> > repo for and that they should only access that repo either by
> > using uname/pwd or via domain access.
> >
> > current set up
> >
> > [server name]\c:\svnrepo
> > \product1 ---->[dev accesses this using domain\uname&pwd]
> > \product2 ---->[dev accesses this using domain\uname&pwd]
> > \product3 ---->[dev accesses this using domain\uname&pwd]
> > \temprepo ---->[dev accesses this using domain\uname&pwd ||
> > the temp lackies access it using their uname and pwd only for
> > this repo]
> >
> >
> > Is this set up possible? how would i go about it?
> >
> > am open to changing access type based on best practise
> >
> ________________________________
>
> From: "Cooke, Mark" <ma...@siemens.com>
> To: j s <jb...@yahoo.com>; "users@subversion.apache.org"
> <us...@subversion.apache.org>
> Sent: Tuesday, November 15, 2011 8:51 AM
> Subject: RE: user access
>
> Take a read of the subversion book here:-
>
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html
>
> ~ mark c
>
> -----Original Message-----
> From: j s [mailto:jbluedelta@yahoo.com]
> Sent: 15 November 2011 14:47
> To: Cooke, Mark; users@subversion.apache.org
> Subject: Re: user access
>
> Mark,
> Looked at the link you provided.
>
> In my apache/conf/httpd.conf file i have the following
...is this in a <Location> or <Directory> etc section?
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain <domaincontroller>
> SSPIOmitDomain on
> SSPIUsernameCase lower
> SSPIPerRequestAuth on
> SSPIOfferBasic On
> AuthType SSPI
> AuthName "Subversion repositories"
> Require valid-user
> Require group "DOMAIN\companyname"
...using SSPI to _authenticate_ the user against Active Directory OK...
NB: also provides basic _authorisation_ by rejecting non-group users.
> DAV svn
> SVNListParentPath on
> SVNParentPath F:\SVN
...sets the path and enables subversion...
> #SVNIndexXSLT "/svnindex.xsl"
...you would use this to provide a nice view of the repository (TortoiseSVN has a section on this in their help file)...
> #AuthUserFile passwd
...this is for basic http authentication, you can delete this...
> #AuthzSVNAccessFile F:/SVN/auth.conf
...this is the line where you point svn to your file that controls authorisation (who can access what) but it is commented out?
> Unable to translate the link to sections in the
> apache/conf/httpd.conf file.
>
> appreciate any useful tips.
What exactly do you not understand? Is it the authz file contents (described on the page linked above) or the apache config?
~ mark c
Also, the following is part of <Location /SVN>
<Location /svn>
SSPIAuth On
SSPIAuthoritative On
SSPIDomain <domaincontroller>
SSPIOmitDomain on
SSPIUsernameCase lower
SSPIPerRequestAuth on
SSPIOfferBasic On
DAV svn
SVNListParentPath on
SVNParentPath F:\SVN
#SVNIndexXSLT "/svnindex.xsl"
AuthType SSPI
AuthName "Subversion repositories"
#AuthUserFile passwd
#AuthzSVNAccessFile F:/SVN/auth.conf
Require valid-user
Require group "DOMAIN\companyname"
</Location
RE: user access
Posted by "Cooke, Mark" <ma...@siemens.com>.
> > From: "Cooke, Mark" <ma...@siemens.com>
> > To: j s <jb...@yahoo.com>; "users@subversion.apache.org"
> > <us...@subversion.apache.org>
> > Sent: Tuesday, November 15, 2011 10:05 AM
> > Subject: RE: user access
> >
> > [We normally bottom-post on this list to make it easier to
> > read in order... See in-line below]
> >
> > > > -----Original Message-----
> > > > From: j s [mailto:jbluedelta@yahoo.com]
> > > > Sent: 15 November 2011 13:29
> > > > To: users@subversion.apache.org
> > > > Subject: user access
> > > >
> > > > Have svn running on windows/apache and currently dev team
> > > > accesses svn repo's using http and tortoisesvn
> > > >
> > > > They access the repos using their domain credentials set up
> > > > in apache config.
> > > >
> > > > we now have a group of temps that we want to create a new
> > > > repo for and that they should only access that repo either by
> > > > using uname/pwd or via domain access.
> > > >
> > > > current set up
> > > >
> > > > [server name]\c:\svnrepo
> > > > \product1 ---->[dev accesses this using domain\uname&pwd]
> > > > \product2 ---->[dev accesses this using domain\uname&pwd]
> > > > \product3 ---->[dev accesses this using domain\uname&pwd]
> > > > \temprepo ---->[dev accesses this using domain\uname&pwd ||
> > > > the temp lackies access it using their uname and pwd only for
> > > > this repo]
> > > >
> > > >
> > > > Is this set up possible? how would i go about it?
> > > >
> > > > am open to changing access type based on best practise
> > > >
> > > ________________________________
> > >
> > > From: "Cooke, Mark" <ma...@siemens.com>
> > > To: j s <jb...@yahoo.com>; "users@subversion.apache.org"
> > > <us...@subversion.apache.org>
> > > Sent: Tuesday, November 15, 2011 8:51 AM
> > > Subject: RE: user access
> > >
> > > Take a read of the subversion book here:-
> > >
> > >
> > http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathba
> > sedauthz.html
> > >
> > > ~ mark c
> > >
> > > -----Original Message-----
> > > From: j s [mailto:jbluedelta@yahoo.com]
> > > Sent: 15 November 2011 14:47
> > > To: Cooke, Mark; users@subversion.apache.org
> > > Subject: Re: user access
> > >
> > > Mark,
> > > Looked at the link you provided.
> > >
> > > In my apache/conf/httpd.conf file i have the following
> >
> > ...is this in a <Location> or <Directory> etc section?
> >
> > > SSPIAuth On
> > > SSPIAuthoritative On
> > > SSPIDomain <domaincontroller>
> > > SSPIOmitDomain on
> > > SSPIUsernameCase lower
> > > SSPIPerRequestAuth on
> > > SSPIOfferBasic On
> > > AuthType SSPI
> > > AuthName "Subversion repositories"
> > > Require valid-user
> > > Require group "DOMAIN\companyname"
> >
> > ...using SSPI to _authenticate_ the user against Active
> > Directory OK...
> > NB: also provides basic _authorisation_ by rejecting
> non-group users.
> >
> > > DAV svn
> > > SVNListParentPath on
> > > SVNParentPath F:\SVN
> >
> > ...sets the path and enables subversion...
> >
> > > #SVNIndexXSLT "/svnindex.xsl"
> >
> > ...you would use this to provide a nice view of the
> > repository (TortoiseSVN has a section on this in their help file)...
> >
> > > #AuthUserFile passwd
> >
> > ...this is for basic http authentication, you can delete this...
> >
> > > #AuthzSVNAccessFile F:/SVN/auth.conf
> >
> > ...this is the line where you point svn to your file that
> > controls authorisation (who can access what) but it is
> commented out?
> >
> >
> > > Unable to translate the link to sections in the
> > > apache/conf/httpd.conf file.
> > >
> > > appreciate any useful tips.
> >
> > What exactly do you not understand? Is it the authz file
> > contents (described on the page linked above) or the apache config?
> >
> > ~ mark c
> >
> > -----Original Message-----
> > From: j s [mailto:jbluedelta@yahoo.com]
> > Sent: 15 November 2011 15:25
> > To: Cooke, Mark; users@subversion.apache.org
> > Subject: Re: user access
> >
> > Dear Mark,
> > As you correctly pointed out, the following lines are commented out
> > #AuthzSVNAccessFile F:/SVN/auth.conf
> > Require valid-user
> > Require group "DOMAIN\companyname"
> >
> > This was initially set up to allow all developers access to
> > all repositories with F:\svn
> >
> > From the article you sent me, i now have to un-comment the line
> > #AuthzSVNAccessFile F:/SVN/auth.conf
> >
> > and use a auth.conf file and define the users
> >
> > [/product1]
> > mydomain\user1=rw
> > mydomain\user2=rw
> > mydomain\user3=rw
> >
> > [/product1]
> > mydomain\user1=rw
> > mydomain\user2=rw
> > mydomain\user3=rw
> > user4=r -------->where would i define this user name and pwd
> > as this is not being authenticated against the domain. do not
> > want to create a domain user account for this user.
> >
> > would this be the correct set up?
>
> The three lines:-
>
> > SSPIAuthoritative On
> > Require valid-user
> > Require group "DOMAIN\companyname"
>
> ...mean that they have to have a domain account! If you want
> to offern non-domain accounts then you need to configure
> apache to offer this (start here:
> http://httpd.apache.org/docs/2.2/howto/auth.html), turn off
> SSPIAuthoritative and add appropriate `require` directives.
>
> For the authz file, you can define groups of users to make
> the permissions sections easier to read. If you have lots of
> developers this could get tedious though!
>
> By the way, you are using https aren't you? Otherwise your
> SSPI usernames & passwords are being sent across your network
> in plain text...
>
> ~ mark c
>
> -----Original Message-----
> From: j s [mailto:jbluedelta@yahoo.com]
> Sent: 15 November 2011 17:02
> To: Cooke, Mark
> Cc: users@subversion.apache.org
> Subject: Re: user access
>
> Dear Mark,
> Am using http only. The svn cannot be accessed outside of our
> network so the network admin is not too worried.
>
> If we had all of of our users within the domain and they
> could only use domain credentials, i set the following in
> apache\conf\httpd.conf
> <Location /SVN>
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain <domaincontroller>
> SSPIOmitDomain on
> SSPIUsernameCase lower
> SSPIPerRequestAuth on
> SSPIOfferBasic On
> DAV svn
> SVNListParentPath on
> SVNParentPath F:\SVN
> #SVNIndexXSLT "/svnindex.xsl"
> AuthType SSPI
> AuthName "Subversion repositories"
> #AuthUserFile passwd
> AuthzSVNAccessFile F:/SVN/auth.conf
> Require valid-user
> Require group "DOMAIN\COMPANYNAME"
> </Location>
>
> This is the following from F:/SVN/auth.conf
> [/]
> * = r
>
> [/Products1]
> COMPANYNAME\jdoe = rw
Using `SSPIOmitDomain on` should mean that this should be just 'jdoe = rw'. You should be able to check the apache logs to see what usename apache is getting from the sspi module.
Also, I suspect you need a colon in the section names. The bit(s) before the colon is the repo path (i.e. the repo folder below the parent path), the bit after is any further path restrictions within the repo itself. So I think for you it should be:
[Products1:/]
jdoe = rw
> [/TempRepo]
> COMPANYNAME\tempUser1 = rw
>
> Then restarted apache and trying to commit file using
> TortoiseSVN into products1 repo and I get this
>
> access to
> '/SVN/Products1/!svn/act/fb32b0b8-6258-744c-b926-a22b7972916f'
> forbidden
>
> I can view the repo using IE and my credentials.
That's confusing!
> Is there a setting/config that I missed?
~ mark c
Re: user access
Posted by j s <jb...@yahoo.com>.
________________________________
From: "Cooke, Mark" <ma...@siemens.com>
To: j s <jb...@yahoo.com>
Sent: Tuesday, November 15, 2011 10:36 AM
Subject: RE: user access
> From: "Cooke, Mark" <ma...@siemens.com>
> To: j s <jb...@yahoo.com>; "users@subversion.apache.org"
> <us...@subversion.apache.org>
> Sent: Tuesday, November 15, 2011 10:05 AM
> Subject: RE: user access
>
> [We normally bottom-post on this list to make it easier to
> read in order... See in-line below]
>
> > > -----Original Message-----
> > > From: j s [mailto:jbluedelta@yahoo.com]
> > > Sent: 15 November 2011 13:29
> > > To: users@subversion.apache.org
> > > Subject: user access
> > >
> > > Have svn running on windows/apache and currently dev team
> > > accesses svn repo's using http and tortoisesvn
> > >
> > > They access the repos using their domain credentials set up
> > > in apache config.
> > >
> > > we now have a group of temps that we want to create a new
> > > repo for and that they should only access that repo either by
> > > using uname/pwd or via domain access.
> > >
> > > current set up
> > >
> > > [server name]\c:\svnrepo
> > > \product1 ---->[dev accesses this using domain\uname&pwd]
> > > \product2 ---->[dev accesses this using domain\uname&pwd]
> > > \product3 ---->[dev accesses this using domain\uname&pwd]
> > > \temprepo ---->[dev accesses this using domain\uname&pwd ||
> > > the temp lackies access it using their uname and pwd only for
> > > this repo]
> > >
> > >
> > > Is this set up possible? how would i go about it?
> > >
> > > am open to changing access type based on best practise
> > >
> > ________________________________
> >
> > From: "Cooke, Mark" <ma...@siemens.com>
> > To: j s <jb...@yahoo.com>; "users@subversion.apache.org"
> > <us...@subversion.apache.org>
> > Sent: Tuesday, November 15, 2011 8:51 AM
> > Subject: RE: user access
> >
> > Take a read of the subversion book here:-
> >
> >
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathba
> sedauthz.html
> >
> > ~ mark c
> >
> > -----Original Message-----
> > From: j s [mailto:jbluedelta@yahoo.com]
> > Sent: 15 November 2011 14:47
> > To: Cooke, Mark; users@subversion.apache.org
> > Subject: Re: user access
> >
> > Mark,
> > Looked at the link you provided.
> >
> > In my apache/conf/httpd.conf file i have the following
>
> ...is this in a <Location> or <Directory> etc section?
>
> > SSPIAuth On
> > SSPIAuthoritative On
> > SSPIDomain <domaincontroller>
> > SSPIOmitDomain on
> > SSPIUsernameCase lower
> > SSPIPerRequestAuth on
> > SSPIOfferBasic On
> > AuthType SSPI
> > AuthName "Subversion repositories"
> > Require valid-user
> > Require group "DOMAIN\companyname"
>
> ...using SSPI to _authenticate_ the user against Active
> Directory OK...
> NB: also provides basic _authorisation_ by rejecting non-group users.
>
> > DAV svn
> > SVNListParentPath on
> > SVNParentPath F:\SVN
>
> ...sets the path and enables subversion...
>
> > #SVNIndexXSLT "/svnindex.xsl"
>
> ...you would use this to provide a nice view of the
> repository (TortoiseSVN has a section on this in their help file)...
>
> > #AuthUserFile passwd
>
> ...this is for basic http authentication, you can delete this...
>
> > #AuthzSVNAccessFile F:/SVN/auth.conf
>
> ...this is the line where you point svn to your file that
> controls authorisation (who can access what) but it is commented out?
>
>
> > Unable to translate the link to sections in the
> > apache/conf/httpd.conf file.
> >
> > appreciate any useful tips.
>
> What exactly do you not understand? Is it the authz file
> contents (described on the page linked above) or the apache config?
>
> ~ mark c
>
> -----Original Message-----
> From: j s [mailto:jbluedelta@yahoo.com]
> Sent: 15 November 2011 15:25
> To: Cooke, Mark; users@subversion.apache.org
> Subject: Re: user access
>
> Dear Mark,
> As you correctly pointed out, the following lines are commented out
> #AuthzSVNAccessFile F:/SVN/auth.conf
> Require valid-user
> Require group "DOMAIN\companyname"
>
> This was initially set up to allow all developers access to
> all repositories with F:\svn
>
> From the article you sent me, i now have to un-comment the line
> #AuthzSVNAccessFile F:/SVN/auth.conf
>
> and use a auth.conf file and define the users
>
> [/product1]
> mydomain\user1=rw
> mydomain\user2=rw
> mydomain\user3=rw
>
> [/product1]
> mydomain\user1=rw
> mydomain\user2=rw
> mydomain\user3=rw
> user4=r -------->where would i define this user name and pwd
> as this is not being authenticated against the domain. do not
> want to create a domain user account for this user.
>
> would this be the correct set up?
The three lines:-
> SSPIAuthoritative On
> Require valid-user
> Require group "DOMAIN\companyname"
...mean that they have to have a domain account! If you want to offern non-domain accounts then you need to configure apache to offer this (start here: http://httpd.apache.org/docs/2.2/howto/auth.html), turn off SSPIAuthoritative and add appropriate `require` directives.
For the authz file, you can define groups of users to make the permissions sections easier to read. If you have lots of developers this could get tedious though!
By the way, you are using https aren't you? Otherwise your SSPI usernames & passwords are being sent across your network in plain text...
~ mark c
Dear Mark,
Am using http only. The svn cannot be accessed outside of our network so the network admin is not too worried.
If we had all of of our users within the domain and they could only use domain credentials, i set the following in apache\conf\httpd.conf
<Location /SVN>
SSPIAuth On
SSPIAuthoritative On
SSPIDomain <domaincontroller>
SSPIOmitDomain on
SSPIUsernameCase lower
SSPIPerRequestAuth on
SSPIOfferBasic On
DAV svn
SVNListParentPath on
SVNParentPath F:\SVN
#SVNIndexXSLT "/svnindex.xsl"
AuthType SSPI
AuthName "Subversion repositories"
#AuthUserFile passwd
AuthzSVNAccessFile F:/SVN/auth.conf
Require valid-user
Require group "DOMAIN\COMPANYNAME"
</Location>
This is the following from F:/SVN/auth.conf
[/]
* = r
[/Products1]
COMPANYNAME\jdoe = rw
[/TempRepo]
COMPANYNAME\tempUser1 = rw
Then restarted apache and trying to commit file using TortoiseSVN into products1 repo and I get this
access to '/SVN/Products1/!svn/act/fb32b0b8-6258-744c-b926-a22b7972916f' forbidden
I can view the repo using IE and my credentials.
Is there a setting/config that I missed?
Re: user access
Posted by j s <jb...@yahoo.com>.
________________________________
From: "Cooke, Mark" <ma...@siemens.com>
To: j s <jb...@yahoo.com>; "users@subversion.apache.org" <us...@subversion.apache.org>
Sent: Tuesday, November 15, 2011 10:05 AM
Subject: RE: user access
[We normally bottom-post on this list to make it easier to read in order... See in-line below]
> > -----Original Message-----
> > From: j s [mailto:jbluedelta@yahoo.com]
> > Sent: 15 November 2011 13:29
> > To: users@subversion.apache.org
> > Subject: user access
> >
> > Have svn running on windows/apache and currently dev team
> > accesses svn repo's using http and tortoisesvn
> >
> > They access the repos using their domain credentials set up
> > in apache config.
> >
> > we now have a group of temps that we want to create a new
> > repo for and that they should only access that repo either by
> > using uname/pwd or via domain access.
> >
> > current set up
> >
> > [server name]\c:\svnrepo
> > \product1 ---->[dev accesses this using domain\uname&pwd]
> > \product2 ---->[dev accesses this using domain\uname&pwd]
> > \product3 ---->[dev accesses this using domain\uname&pwd]
> > \temprepo ---->[dev accesses this using domain\uname&pwd ||
> > the temp lackies access it using their uname and pwd only for
> > this repo]
> >
> >
> > Is this set up possible? how would i go about it?
> >
> > am open to changing access type based on best practise
> >
> ________________________________
>
> From: "Cooke, Mark" <ma...@siemens.com>
> To: j s <jb...@yahoo.com>; "users@subversion.apache.org"
> <us...@subversion.apache.org>
> Sent: Tuesday, November 15, 2011 8:51 AM
> Subject: RE: user access
>
> Take a read of the subversion book here:-
>
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html
>
> ~ mark c
>
> -----Original Message-----
> From: j s [mailto:jbluedelta@yahoo.com]
> Sent: 15 November 2011 14:47
> To: Cooke, Mark; users@subversion.apache.org
> Subject: Re: user access
>
> Mark,
> Looked at the link you provided.
>
> In my apache/conf/httpd.conf file i have the following
...is this in a <Location> or <Directory> etc section?
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain <domaincontroller>
> SSPIOmitDomain on
> SSPIUsernameCase lower
> SSPIPerRequestAuth on
> SSPIOfferBasic On
> AuthType SSPI
> AuthName "Subversion repositories"
> Require valid-user
> Require group "DOMAIN\companyname"
...using SSPI to _authenticate_ the user against Active Directory OK...
NB: also provides basic _authorisation_ by rejecting non-group users.
> DAV svn
> SVNListParentPath on
> SVNParentPath F:\SVN
...sets the path and enables subversion...
> #SVNIndexXSLT "/svnindex.xsl"
...you would use this to provide a nice view of the repository (TortoiseSVN has a section on this in their help file)...
> #AuthUserFile passwd
...this is for basic http authentication, you can delete this...
> #AuthzSVNAccessFile F:/SVN/auth.conf
...this is the line where you point svn to your file that controls authorisation (who can access what) but it is commented out?
> Unable to translate the link to sections in the
> apache/conf/httpd.conf file.
>
> appreciate any useful tips.
What exactly do you not understand? Is it the authz file contents (described on the page linked above) or the apache config?
~ mark c
Dear Mark,
As you correctly pointed out, the following lines are commented out
#AuthzSVNAccessFile F:/SVN/auth.conf
Require valid-user
Require group "DOMAIN\companyname"
This was initially set up to allow all developers access to all repositories with F:\svn
From the article you sent me, i now have to un-comment the line
#AuthzSVNAccessFile F:/SVN/auth.conf
and use a auth.conf file and define the users
[/product1]
mydomain\user1=rw
mydomain\user2=rw
mydomain\user3=rw
[/product1]
mydomain\user1=rw
mydomain\user2=rw
mydomain\user3=rw
user4=r -------->where would i define this user name and pwd as this is not being authenticated against the domain. do not want to create a domain user account for this user.
would this be the correct set up?
RE: user access
Posted by "Cooke, Mark" <ma...@siemens.com>.
[We normally bottom-post on this list to make it easier to read in order... See in-line below]
> > -----Original Message-----
> > From: j s [mailto:jbluedelta@yahoo.com]
> > Sent: 15 November 2011 13:29
> > To: users@subversion.apache.org
> > Subject: user access
> >
> > Have svn running on windows/apache and currently dev team
> > accesses svn repo's using http and tortoisesvn
> >
> > They access the repos using their domain credentials set up
> > in apache config.
> >
> > we now have a group of temps that we want to create a new
> > repo for and that they should only access that repo either by
> > using uname/pwd or via domain access.
> >
> > current set up
> >
> > [server name]\c:\svnrepo
> > \product1 ---->[dev accesses this using domain\uname&pwd]
> > \product2 ---->[dev accesses this using domain\uname&pwd]
> > \product3 ---->[dev accesses this using domain\uname&pwd]
> > \temprepo ---->[dev accesses this using domain\uname&pwd ||
> > the temp lackies access it using their uname and pwd only for
> > this repo]
> >
> >
> > Is this set up possible? how would i go about it?
> >
> > am open to changing access type based on best practise
> >
> ________________________________
>
> From: "Cooke, Mark" <ma...@siemens.com>
> To: j s <jb...@yahoo.com>; "users@subversion.apache.org"
> <us...@subversion.apache.org>
> Sent: Tuesday, November 15, 2011 8:51 AM
> Subject: RE: user access
>
> Take a read of the subversion book here:-
>
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html
>
> ~ mark c
>
> -----Original Message-----
> From: j s [mailto:jbluedelta@yahoo.com]
> Sent: 15 November 2011 14:47
> To: Cooke, Mark; users@subversion.apache.org
> Subject: Re: user access
>
> Mark,
> Looked at the link you provided.
>
> In my apache/conf/httpd.conf file i have the following
...is this in a <Location> or <Directory> etc section?
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain <domaincontroller>
> SSPIOmitDomain on
> SSPIUsernameCase lower
> SSPIPerRequestAuth on
> SSPIOfferBasic On
> AuthType SSPI
> AuthName "Subversion repositories"
> Require valid-user
> Require group "DOMAIN\companyname"
...using SSPI to _authenticate_ the user against Active Directory OK...
NB: also provides basic _authorisation_ by rejecting non-group users.
> DAV svn
> SVNListParentPath on
> SVNParentPath F:\SVN
...sets the path and enables subversion...
> #SVNIndexXSLT "/svnindex.xsl"
...you would use this to provide a nice view of the repository (TortoiseSVN has a section on this in their help file)...
> #AuthUserFile passwd
...this is for basic http authentication, you can delete this...
> #AuthzSVNAccessFile F:/SVN/auth.conf
...this is the line where you point svn to your file that controls authorisation (who can access what) but it is commented out?
> Unable to translate the link to sections in the
> apache/conf/httpd.conf file.
>
> appreciate any useful tips.
What exactly do you not understand? Is it the authz file contents (described on the page linked above) or the apache config?
~ mark c
Re: user access
Posted by j s <jb...@yahoo.com>.
Mark,
Looked at the link you provided.
In my apache/conf/httpd.conf file i have the following
SSPIAuth On
SSPIAuthoritative On
SSPIDomain <domaincontroller>
SSPIOmitDomain on
SSPIUsernameCase lower
SSPIPerRequestAuth on
SSPIOfferBasic On
DAV svn
SVNListParentPath on
SVNParentPath F:\SVN
#SVNIndexXSLT "/svnindex.xsl"
AuthType SSPI
AuthName "Subversion repositories"
#AuthUserFile passwd
#AuthzSVNAccessFile F:/SVN/auth.conf
Require valid-user
Require group "DOMAIN\companyname"
Unable to translate the link to sections in the apache/conf/httpd.conf file.
appreciate any useful tips.
________________________________
From: "Cooke, Mark" <ma...@siemens.com>
To: j s <jb...@yahoo.com>; "users@subversion.apache.org" <us...@subversion.apache.org>
Sent: Tuesday, November 15, 2011 8:51 AM
Subject: RE: user access
> -----Original Message-----
> From: j s [mailto:jbluedelta@yahoo.com]
> Sent: 15 November 2011 13:29
> To: users@subversion.apache.org
> Subject: user access
>
> Have svn running on windows/apache and currently dev team
> accesses svn repo's using http and tortoisesvn
>
> They access the repos using their domain credentials set up
> in apache config.
>
> we now have a group of temps that we want to create a new
> repo for and that they should only access that repo either by
> using uname/pwd or via domain access.
>
> current set up
>
> [server name]\c:\svnrepo
> \product1 ---->[dev accesses this using domain\uname&pwd]
> \product2 ---->[dev accesses this using domain\uname&pwd]
> \product3 ---->[dev accesses this using domain\uname&pwd]
> \temprepo ---->[dev accesses this using domain\uname&pwd ||
> the temp lackies access it using their uname and pwd only for
> this repo]
>
>
> Is this set up possible? how would i go about it?
>
> am open to changing access type based on best practise
>
Take a read of the subversion book here:-
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html
~ mark c
RE: user access
Posted by "Cooke, Mark" <ma...@siemens.com>.
> -----Original Message-----
> From: j s [mailto:jbluedelta@yahoo.com]
> Sent: 15 November 2011 13:29
> To: users@subversion.apache.org
> Subject: user access
>
> Have svn running on windows/apache and currently dev team
> accesses svn repo's using http and tortoisesvn
>
> They access the repos using their domain credentials set up
> in apache config.
>
> we now have a group of temps that we want to create a new
> repo for and that they should only access that repo either by
> using uname/pwd or via domain access.
>
> current set up
>
> [server name]\c:\svnrepo
> \product1 ---->[dev accesses this using domain\uname&pwd]
> \product2 ---->[dev accesses this using domain\uname&pwd]
> \product3 ---->[dev accesses this using domain\uname&pwd]
> \temprepo ---->[dev accesses this using domain\uname&pwd ||
> the temp lackies access it using their uname and pwd only for
> this repo]
>
>
> Is this set up possible? how would i go about it?
>
> am open to changing access type based on best practise
>
Take a read of the subversion book here:-
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html
~ mark c