Posted to users@subversion.apache.org by Ted Stern <do...@gmail.com> on 2009/11/13 20:35:19 UTC

adding LDAP access to existing svn+ssh access

Hi all,

I have set up a subversion repository according to the svn+ssh "single
account" recommendation:

     http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshtricks

I have a single account, "svnuser", on a specific host, "svnhost".

I have a script for a user to run which assists them in generating an
ssh rsa keypair.  Then they convey the public key to me and I install
it in svn@svnhost:.ssh/authorized_keys so that svnserve is run with
the correct repository location and user name.

I also have a post-commit hook set up that will automatically update
several working copy locations when particular directories are checked
in.  The svnuser account has rsa keypair ssh access into a similar
account on remote working copy hosts.

This works great for a small number of users, but now I need to scale
up to several hundred people accessing the repository, and setting up
keys for svn+ssh is too much administration.

I have a basic idea on how to get WebDAV+LDAP working, but I would
like to ensure that the post-commit hook script is run as svnuser and
not apache.

At the same time, I want to preserve the svn+ssh access setup I have
now to avoid hassles for current users.

I don't see a way to make these two access modes coexist.  Is it
possible?

One thing I'm thinking of is allowing commits only via svn+ssh, and
making the WebDAV/LDAP access read-only.

Ted
-- 
 Frango ut patefaciam -- I break so that I may reveal

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2417740

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
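
Added example, not part of the original thread: a POSIX shell function that builds the authorized_keys line for the single-account svn+ssh setup described in the message above, so that each submitted key is pinned to svnserve with a fixed repository root and user name. The repository path /srv/svn/repos, the function name and the sample key are assumptions made for the example.

```shell
#!/bin/sh
# Build one restricted authorized_keys line for the shared svn+ssh account.
# Assumed, not from the thread: REPO_ROOT and the function name.
LC_ALL=C; export LC_ALL          # byte-wise character ranges in the patterns
REPO_ROOT="/srv/svn/repos"       # assumed repository root

# Usage: make_svn_key_entry <svn-username> <public-key-line>
# Prints the entry on stdout; returns 1 on input that must not be installed.
make_svn_key_entry() {
    svn_user=$1
    pubkey=$2

    # The name lands inside a quoted command= string: allow only characters
    # that cannot close the quote, add svnserve options or start with "-".
    case $svn_user in
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "rejected username" >&2; return 1 ;;
    esac

    # Expect "type base64 [comment]". A submitted line that already carries
    # options (its own command=, for instance) fails the key-type check.
    keytype=${pubkey%% *}
    rest=${pubkey#* }
    keydata=${rest%% *}
    case $keytype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "rejected key type" >&2; return 1 ;;
    esac
    case $keydata in
        ''|*[!A-Za-z0-9+/=]*)
            echo "rejected key data" >&2; return 1 ;;
    esac

    # The forced command pins repository root and Subversion author name; the
    # other options deny forwarding and pty use. The submitted comment is
    # dropped and replaced by the validated user name.
    printf 'command="svnserve -t --tunnel-user=%s -r %s",' "$svn_user" "$REPO_ROOT"
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty '
    printf '%s %s %s\n' "$keytype" "$keydata" "$svn_user"
}

# Constructed sample key line (not a real key).
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed== alice@laptop'
make_svn_key_entry alice "$SAMPLE_KEY"
```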

RE: adding LDAP access to existing svn+ssh access

Posted by Johan Corveleyn <jo...@uz.kuleuven.ac.be>.
> From: Ted Stern [mailto:dodecatheon@gmail.com]
> 
> I have a basic idea on how to get WebDAV+LDAP working, but I would
> like to ensure that the post-commit hook script is run as svnuser and
> not apache.

The only way this would happen is if your Apache is run as user svnuser. If you use svn with apache, the post-commit hooks are executed by the account that is running Apache. Note that you can specify a user/group in Apache's config (provided that you start it as root):

Quoting from httpd.conf:
[[[
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User svnuser
Group somegroup
]]]

> 
> At the same time, I want to preserve the svn+ssh access setup I have
> now to avoid hassles for current users.
> 
> I don't see a way to make these two access modes coexist.  Is it
> possible?

This is possible, even if they run with different accounts. Some caveats are listed in the book:
http://svnbook.red-bean.com/en/1.5/svn.serverconfig.multimethod.html

Regards,
Johan

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2417780
