Posted to users@subversion.apache.org by Ted Stern <do...@gmail.com> on 2009/11/13 20:35:19 UTC
adding LDAP access to existing svn+ssh access
Hi all,
I have set up a subversion repository according to the svn+ssh "single
account" recommendation:
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshtricks
I have a single account, "svnuser", on a specific host, "svnhost".
I have a script for a user to run which assists them in generating an
ssh rsa keypair. Then they convey the public key to me and I install
it in svn@svnhost:.ssh/authorized_keys so that svnserve is run with
the correct repository location and user name.
I also have a post-commit hook set up that will automatically update
several working copy locations when particular directories are checked
in. The svnuser account has rsa keypair ssh access into a similar
account on remote working copy hosts.
This works great for a small number of users, but now I need to scale
up to several hundred people accessing the repository, and setting up
keys for svn+ssh is too much administration.
I have a basic idea on how to get WebDAV+LDAP working, but I would
like to ensure that the post-commit hook script is run as svnuser and
not apache.
At the same time, I want to preserve the svn+ssh access setup I have
now to avoid hassles for current users.
I don't see a way to make these two access modes coexist. Is it
possible?
One thing I'm thinking of is allowing commits only via svn+ssh, and
make the WebDAV/LDAP access read-only.
Ted
--
Frango ut patefaciam -- I break so that I may reveal
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2417740
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
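An added example, not part of the original thread: a check for the shared account's `authorized_keys` in the single-account svn+ssh setup described above, flagging any key that is not pinned to `svnserve -t` with a `--tunnel-user` name and the usual forwarding/pty restrictions. The entry layout follows the svnbook convention; the repository path, user names and key material are constructed.

```python
import os
import re
import shlex

RESTRICTIONS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
QUOTED = r'"(?:\\.|[^"\\])*"'  # double-quoted option value; may hold spaces and commas

# Constructed sample of the shared account's authorized_keys (key material is fake).
SAMPLE = '''\
command="svnserve -t -r /srv/svn --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAconstructed alice
ssh-rsa AAAAconstructed bob
command="/usr/bin/svnserve -t -r /srv/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAconstructed carol
'''

def audit_line(line):
    """Return findings for one authorized_keys entry (empty list means OK)."""
    m = re.match(rf'(?:{QUOTED}|[^\s"])+', line.strip())
    first = m.group(0) if m else ""
    if first.startswith(("ssh-", "ecdsa-", "sk-")):  # line begins with the key type
        return ["no options: key is not restricted to svnserve"]
    opts = {}
    for opt in re.findall(rf'(?:{QUOTED}|[^,"])+', first):
        name, _, value = opt.partition("=")
        opts[name.lower()] = value.strip('"')  # option names are case-insensitive
    findings = []
    argv = shlex.split(opts.get("command", ""))
    if not argv or os.path.basename(argv[0]) != "svnserve" or "-t" not in argv:
        findings.append("no forced 'svnserve -t' command")
    elif not any(a.startswith("--tunnel-user=") and len(a) > 14 for a in argv):
        findings.append("forced command lacks --tunnel-user=NAME")
    if "restrict" not in opts:  # OpenSSH's 'restrict' option implies all four
        findings += ["missing " + r for r in sorted(RESTRICTIONS - set(opts))]
    return findings

def audit(text):
    """Map 1-based line number -> findings, for entries that have any."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            findings = audit_line(line)
            if findings:
                report[n] = findings
    return report

if __name__ == "__main__":
    for n, findings in audit(SAMPLE).items():
        print(f"line {n}: " + "; ".join(findings))
```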
RE: adding LDAP access to existing svn+ssh access
Posted by Johan Corveleyn <jo...@uz.kuleuven.ac.be>.
> From: Ted Stern [mailto:dodecatheon@gmail.com]
>
> I have a basic idea on how to get WebDAV+LDAP working, but I would
> like to ensure that the post-commit hook script is run as svnuser and
> not apache.
The only way this would happen is if your Apache is run as user svnuser. If you use svn with apache, the post-commit hooks are executed by the account that is running Apache. Note that you can specify a user/group in Apache's config (provided that you start it as root):
Quoting from httpd.conf:
[[[
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User svnuser
Group somegroup
]]]
>
> At the same time, I want to preserve the svn+ssh access setup I have
> now to avoid hassles for current users.
>
> I don't see a way to make these two access modes coexist. Is it
> possible?
This is possible, even if they run with different accounts. Some caveats are listed in the book:
http://svnbook.red-bean.com/en/1.5/svn.serverconfig.multimethod.html
Regards,
Johan
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2417780