Posted to dev@subversion.apache.org by Justin Erenkrantz <ju...@erenkrantz.com> on 2008/04/22 23:59:35 UTC

Re: Integrating authnz_ldap and authz_groupfile in mod_svn_authz

On Mon, Apr 14, 2008 at 11:26 AM, Martin Bauer <ba...@gmx.de> wrote:
> As a Google Summer of Code project I'm planning to add new auth features to
> mod_authz_svn.
> Users should be able to use groups from other Apache modules (like ldap and
> groupfile) in the SVN auth file, so groups don't have to be defined twice.
>
> I thought of adding a function like isUserInGroup(char* groupname) to the
> relevant modules (mod_authz_groupfile and mod_authnz_ldap) which is called
> from the authz_svn module if there is an unknown group.
>
> What do you think of that idea?

I hope you explore the provider API - IOW, expose those functions via
providers and not static linkage.  =)  -- justin

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
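The provider pattern Justin points at is httpd's ap_register_provider() / ap_lookup_provider() (ap_provider.h): a module publishes a function table under a (group, name, version) key, and another module fetches it by name at runtime, so mod_authz_svn never has to link against mod_authz_groupfile or mod_authnz_ldap. The block below is an added example, not code from Subversion or httpd; it models that pattern in plain C with a toy registry standing in for httpd's, a hypothetical group_provider table, and constructed sample group lines. The "local [groups] first, provider only for an unknown group, deny if nobody knows it" ordering is an assumption about how such a lookup should behave, not something the thread specifies.

```c
/* Added example (not Subversion or httpd code). The registry below stands in
 * for ap_register_provider()/ap_lookup_provider(); the group_provider struct,
 * provider names and the sample group lines are all constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_PROVIDERS 8

/* Function table a group-membership provider exposes.
 * Returns 1 if user is in group, 0 if not, -1 if the group is unknown here. */
typedef struct {
    int (*is_user_in_group)(const char *user, const char *group);
} group_provider;

typedef struct {
    const char *provider_group;   /* e.g. "authz_group" */
    const char *provider_name;    /* e.g. "file" or "ldap" */
    const char *version;
    const group_provider *provider;
} provider_entry;

static provider_entry registry[MAX_PROVIDERS];
static int registry_len;

/* Toy stand-in for ap_register_provider(): publish a table under a name. */
int register_provider(const char *grp, const char *name, const char *ver,
                      const group_provider *p)
{
    if (registry_len >= MAX_PROVIDERS) return -1;
    registry[registry_len++] = (provider_entry){ grp, name, ver, p };
    return 0;
}

/* Toy stand-in for ap_lookup_provider(): fetch by name, no static linkage. */
const group_provider *lookup_provider(const char *grp, const char *name,
                                      const char *ver)
{
    for (int i = 0; i < registry_len; i++) {
        const provider_entry *e = &registry[i];
        if (!strcmp(e->provider_group, grp) && !strcmp(e->provider_name, name)
            && !strcmp(e->version, ver))
            return e->provider;
    }
    return NULL;
}

/* Shared helper: "name: member member ..." lines, one group per line.
 * 1 = member, 0 = group present but user absent, -1 = group not listed. */
static int membership_in_lines(const char *const *lines, size_t n,
                               const char *user, const char *group)
{
    size_t glen = strlen(group), ulen = strlen(user);
    for (size_t i = 0; i < n; i++) {
        const char *colon = strchr(lines[i], ':');
        if (!colon || (size_t)(colon - lines[i]) != glen
            || strncmp(lines[i], group, glen) != 0)
            continue;
        for (const char *p = colon + 1; *p; ) {
            while (*p == ' ') p++;
            const char *end = p;
            while (*end && *end != ' ') end++;
            if ((size_t)(end - p) == ulen && !strncmp(p, user, ulen)) return 1;
            p = end;
        }
        return 0;
    }
    return -1;
}

/* A groupfile-style provider over constructed data (what mod_authz_groupfile
 * would publish through the real provider API). */
static const char *const groupfile_lines[] = { "developers: alice bob",
                                               "admins: carol" };
static int groupfile_is_member(const char *user, const char *group)
{
    return membership_in_lines(groupfile_lines, 2, user, group);
}
const group_provider groupfile_provider = { groupfile_is_member };

/* The authz_svn side: constructed [groups] section of an svn authz file. */
static const char *const local_groups[] = { "release: dave" };

/* Local groups win; only an unknown group is delegated to the provider named
 * in the configuration; a group nobody knows is denied (fail closed). */
int user_in_group(const char *user, const char *group, const char *fallback)
{
    int r = membership_in_lines(local_groups, 1, user, group);
    if (r >= 0) return r;
    const group_provider *p = lookup_provider("authz_group", fallback, "0");
    if (!p) return 0;                       /* provider not loaded: deny */
    return p->is_user_in_group(user, group) > 0;
}

int main(void)
{
    register_provider("authz_group", "file", "0", &groupfile_provider);
    printf("alice in developers: %d\n", user_in_group("alice", "developers", "file"));
    printf("dave in release:     %d\n", user_in_group("dave", "release", "file"));
    printf("dave in developers:  %d\n", user_in_group("dave", "developers", "file"));
    return 0;
}
```

One consequence of this design worth keeping in mind: once unknown groups are resolved through a provider, a misspelled group name in the authz file is no longer a configuration error but a runtime lookup against whatever backend is registered, so the fail-closed default and a log line for every delegated lookup matter more than they would with a purely local groups section.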

Re: Integrating authnz_ldap and authz_groupfile in mod_svn_authz

Posted by Lieven Govaerts <sv...@mobsol.be>.
Martin Bauer wrote:
> You're right, it's not a good idea to modify other Apache modules.
> 
> I've read a little in the code of the Apache modules and in the code of
> svnserve, and I think it would be the best solution to write a new svn-auth
> library which is used by svnserve and Apache. I know there are a lot of such
> libs out there already (like PAM or SASL) but none of them supports
> authorization.
> So I planned to split this new library in two parts:
> One part would be responsible for authentication. It could get its data from
> svn-auth files or from LDAP. Here it would also be possible to use existing
> auth libraries like PAM. And the actual source can be selected by a
> statement in the svn-auth file. (If there's no statement the svn-auth-file
> source would be assumed, so it would be compatible with existing svn-auth
> files.)
> 
> 

Through SASL for svnserve and the authn modules for apache we already 
support authentication.
SASL also supports LDAP for authentication btw, although there seem to 
be issues on Windows:
http://svn.haxx.se/dev/archive-2008-02/0081.shtml

I don't think you need to worry about the authentication part, unless 
you see some clear gaps in the current functionality.

> The second part would be the authorization part. Here the data also comes
> from the svn-auth file (or perhaps later on also from MySQL). This data
> describes which user has which rights on specified paths in the repository.
Ok, this remains the same as we currently have? Or do you think we need 
changes in the way we describe access rules? Is fetching those rules 
from MySQL something you want to implement?

> At this position it would also be possible to introduce new access rights.
Can you elaborate on this? What do you mean with 'new access-rights'?

> 
> This general svn-auth library would then be used by the Apache module and
> svnserve.

So you propose to write an authz library that includes an LDAP client, 
which can be used both from svnserve and mod_authz_svn right?

Ok, here I have a personal opinion that's probably different than our 
users. Personally I couldn't care less about having LDAP authz in 
svnserve. It's unfortunate that we have to take certain code which is 
already provided in apache modules in our codebase just because we want 
to support the feature in svnserve.

OTOH, it seems that in this case we can't directly use the apache 
modules due to a missing API - I didn't really check that yet - and 
other people probably like the idea of having ldap authz in svnserve.

> 
> What do you think of that idea?
> 
Ok, keep on going :)

I'm interested in knowing what will be the scope of your plans. I mean, 
in terms of features? You referred to new access rights, storing access 
rules in MySQL etc. Are these things you think of working on? Or are 
these options you expect might be useful and want to include in the API 
design of your library?

Lieven



Re: Integrating authnz_ldap and authz_groupfile in mod_svn_authz

Posted by Manuel Vacelet <ma...@gmail.com>.
On Thu, Apr 24, 2008 at 7:48 PM, Martin Bauer <ba...@gmx.de> wrote:
> You're right, it's not a good idea to modify other Apache modules.
>
> I've read a little in the code of the Apache modules and in the code of
> svnserve, and I think it would be the best solution to write a new svn-auth
> library which is used by svnserve and Apache. I know there are a lot of such
> libs out there already (like PAM or SASL) but none of them supports
> authorization.
> So I planned to split this new library in two parts:
> One part would be responsible for authentication. It could get its data from
> svn-auth files or from LDAP. Here it would also be possible to use existing
> auth libraries like PAM. And the actual source can be selected by a
> statement in the svn-auth file. (If there's no statement the svn-auth-file
> source would be assumed, so it would be compatible with existing svn-auth
> files.)
>
> The second part would be the authorization part. Here the data also comes
> from the svn-auth file (or perhaps later on also from MySQL). This data
> describes which user has which rights on specified paths in the repository.
> At this position it would also be possible to introduce new access rights.
>
> This general svn-auth library would then be used by the Apache module and
> svnserve.
>
> What do you think of that idea?

Hello Martin,

It's great to see that subversion will better support authorization.
Some LDAP servers can be used to store authorization; it could be
interesting to be able to use them.
Anyhow, SQL storage is just fine too.

Hope this helps
-- Manuel


Re: Integrating authnz_ldap and authz_groupfile in mod_svn_authz

Posted by Martin Bauer <ba...@gmx.de>.
You're right, it's not a good idea to modify other Apache modules.

I've read a little in the code of the Apache modules and in the code of
svnserve, and I think it would be the best solution to write a new svn-auth
library which is used by svnserve and Apache. I know there are a lot of such
libs out there already (like PAM or SASL) but none of them supports
authorization.
So I planned to split this new library in two parts:
One part would be responsible for authentication. It could get its data from
svn-auth files or from LDAP. Here it would also be possible to use existing
auth libraries like PAM. And the actual source can be selected by a
statement in the svn-auth file. (If there's no statement the svn-auth-file
source would be assumed, so it would be compatible with existing svn-auth
files.)

The second part would be the authorization part. Here the data also comes
from the svn-auth file (or perhaps later on also from MySQL). This data
describes which user has which rights on specified paths in the repository.
At this position it would also be possible to introduce new access rights.

This general svn-auth library would then be used by the Apache module and
svnserve.

What do you think of that idea?


On Wednesday, 23 April 2008 01:59:35 you wrote:
> On Mon, Apr 14, 2008 at 11:26 AM, Martin Bauer <ba...@gmx.de> wrote:
> > As a Google Summer of Code project I'm planning to add new auth features to
> > mod_authz_svn.
> > Users should be able to use groups from other Apache modules (like ldap
> > and groupfile) in the SVN auth file, so groups don't have to be defined
> > twice.
> >
> > I thought of adding a function like isUserInGroup(char* groupname) to
> > the relevant modules (mod_authz_groupfile and mod_authnz_ldap) which is
> > called from the authz_svn module if there is an unknown group.
> >
> > What do you think of that idea?
>
> I hope you explore the provider API - IOW, expose those functions via
> providers and not static linkage.  =)  -- justin


