Posted to users@subversion.apache.org by Craig Pendleton <cr...@healthlanguage.com> on 2009/10/12 21:57:38 UTC

Limiting access to a particular repository subdirectory

We are currently running Subversion 1.4 through Apache 2.2, authenticating
our users via LDAP and a "Require valid-user" parameter.   This has been
working fine for us.   We are bringing in a third party who will only be
working several levels deep in the repository and would like to restrict
their access to these subdirectories only.   We would like to use LDAP
groups to accomplish this.   Basically what we are looking for is the
following:

/repository/foo     (read, write by A, B LDAP groups; no read or write for C
group )
/repository/foo/bar (read, write by A, B, C LDAP groups)

I've tried multiple <Location> directives (with different "Require
ldap-filter" parameters) into different parts of the same repository, with
no success.  "Require ldap-group" will not work for us as it seems to only
accept one group as argument.

Is this possible?  If so, can someone point me in the right direction?
Thank you in advance.


Craig

----
NOTICE BY HEALTH LANGUAGE, INC.
This message, as well as any attached document, contains information from Health Language, Inc. that is confidential.  The information is intended only for the use of the addressee named above.  If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or the taking of any action in reliance on the contents of this message or its attachments is strictly prohibited, and may be unlawful.  If you have received this message in error, please delete all electronic copies of this message and its attachments, if any, destroy any hard copies you may have created, without disclosing the contents, and notify the sender immediately.  Unless expressly stated otherwise, nothing contained in this message should be construed as a digital or electronic signature, nor is it intended to reflect an intention to make an agreement by electronic means.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2406814

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: Limiting access to a particular repository subdirectory

Posted by Craig Pendleton <cr...@healthlanguage.com>.
All,

Thank you for the suggestions on this issue.   For those with a similar setup,
we ended up using path-based authorization in conjunction with Jeremy
Whitlock's LDAP Authz script (http://www.thoughtspark.org/node/26), which is
working perfectly.

Craig


On 10/12/09 10:17 PM, "Srilakshmanan, Lakshman"
<la...@police.vic.gov.au> wrote:

> Hi Craig,
> 
> The only other method I can think of is to use a pre-commit hook.
> 
> Hope this helps.
> 
> Thanks
> Lakshman
> -----Original Message-----
> From: Andrey Repin [mailto:anrdaemon@freemail.ru]
> Sent: Tuesday, 13 October 2009 1:12 PM
> To: Craig Pendleton; users@subversion.tigris.org
> Subject: Re: Limiting access to a particular repository subdirectory
> 
> Greetings, Craig Pendleton!
> 
>>>> We are currently running Subversion 1.4 through Apache 2.2, authenticating
>>>> our users via LDAP and a "Require valid-user" parameter.   This has been
>>>> working fine for us.   We are bringing in a third party who will only be
>>>> working several levels deep in the repository and would like to restrict
>>>> their access to these subdirectories only.   We would like to use LDAP
>>>> groups to accomplish this.   Basically what we are looking for is the
>>>> following:
>>>> 
>>>> /repository/foo     (read, write by A, B LDAP groups; no read or write for C
>>>> group )
>>>> /repository/foo/bar (read, write by A, B, C LDAP groups)
>>>> 
>>>> I've tried multiple <Location> directives (with different "Require
>>>> ldap-filter" parameters) into different parts of the same
>>>> repository, with no success.  "Require ldap-group" will not work for
>>>> us as it seems to only accept one group as argument.
>>>> 
>>>> Is this possible?  If so, can someone point me in the right direction?
>>>> Thank you in advance.
> 
>>> Have you considered Path-Based Authorization
>>> 
>>> http://svnbook.red-bean.com/en/1.4/svn.serverconfig.pathbasedauthz.html
> 
>> Hi Lakshman,
> 
>> Thank you for the suggestion and the quick reply.   Path-based authorization
>> would be ideal, but my understanding is that this requires a flat file
>> containing path, user and/or group details and cannot query group membership
>> from LDAP.   Can path-based authorization leverage LDAP groups?   I didn't
>> find any documentation indicating that it can, so I'm looking for
>> alternatives.
> 
>> Suggestions greatly appreciated.
> 



------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2407212
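
An added example, not part of the thread and not Jeremy Whitlock's script, of the approach the thread settles on: LDAP group membership is rendered into the `[groups]` section of a path-based authz file, and the two rules from the question are checked against it. The group data, user names and SVNPath-style section names are assumptions, and `access_for` is a simplified model of the most-specific-path lookup, not Subversion's code.

```python
import configparser

# Constructed sample: group DN -> member DNs, shaped like the result of an
# LDAP group search. Every name here is hypothetical.
LDAP_GROUPS = {
    "cn=A,ou=groups,dc=example,dc=com": ["uid=alice,ou=people,dc=example,dc=com"],
    "cn=B,ou=groups,dc=example,dc=com": ["uid=bob,ou=people,dc=example,dc=com"],
    "cn=C,ou=groups,dc=example,dc=com": ["uid=vendor1,ou=people,dc=example,dc=com"],
}

# The two rules from the question; "" means no access. Assumes a single
# repository (SVNPath), so section names are plain paths inside it.
RULES = {
    "/foo": {"A": "rw", "B": "rw", "C": ""},
    "/foo/bar": {"A": "rw", "B": "rw", "C": "rw"},
}


def rdn_value(dn):
    """Value of the first RDN, e.g. 'alice' (escaped commas not handled)."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def render_authz(ldap_groups, rules):
    """Build authz text: a [groups] section, then one section per path."""
    lines = ["[groups]"]
    for dn, members in sorted(ldap_groups.items()):
        users = ", ".join(sorted(rdn_value(m) for m in members))
        lines.append(f"{rdn_value(dn)} = {users}")
    for path, grants in sorted(rules.items()):
        lines += ["", f"[{path}]"]
        lines += [f"@{g} = {perm}".rstrip() for g, perm in sorted(grants.items())]
    return "\n".join(lines) + "\n"


def access_for(authz_text, user, path):
    """Simplified lookup: the nearest section that names the user decides."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # keep user and group names case-sensitive
    cfg.read_string(authz_text)
    groups = {g: {u.strip() for u in v.split(",")} for g, v in cfg["groups"].items()}
    while True:
        if cfg.has_section(path):
            hits = [perm for who, perm in cfg[path].items()
                    if who in (user, "*")
                    or (who.startswith("@") and user in groups.get(who[1:], ()))]
            if hits:  # assumption: matching entries in one section combine
                return "".join(c for c in "rw" if any(c in h for h in hits))
        if path == "/":
            return ""  # nothing matched up to the root: denied
        path = path.rsplit("/", 1)[0] or "/"


AUTHZ = render_authz(LDAP_GROUPS, RULES)

if __name__ == "__main__":
    print(AUTHZ)
    for user in ("alice", "vendor1"):
        for path in ("/foo", "/foo/bar/src", "/other"):
            print(f"{user:8} {path:14} {access_for(AUTHZ, user, path) or '-'}")
```

User names in `[groups]` have to match the name Apache authenticates, assumed here to be the LDAP `uid`. Paths with no matching section are denied, so groups A and B get nothing outside `/foo` unless further sections are added.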


RE: Limiting access to a particular repository subdirectory

Posted by "Srilakshmanan, Lakshman" <la...@police.vic.gov.au>.
Hi Craig,

The only other method I can think of is to use a pre-commit hook.

Hope this helps.

Thanks
Lakshman
-----Original Message-----
From: Andrey Repin [mailto:anrdaemon@freemail.ru] 
Sent: Tuesday, 13 October 2009 1:12 PM
To: Craig Pendleton; users@subversion.tigris.org
Subject: Re: Limiting access to a particular repository subdirectory

Greetings, Craig Pendleton!

>>> We are currently running Subversion 1.4 through Apache 2.2, authenticating
>>> our users via LDAP and a "Require valid-user" parameter.   This has been
>>> working fine for us.   We are bringing in a third party who will only be
>>> working several levels deep in the repository and would like to restrict
>>> their access to these subdirectories only.   We would like to use LDAP
>>> groups to accomplish this.   Basically what we are looking for is the
>>> following:
>>> 
>>> /repository/foo     (read, write by A, B LDAP groups; no read or write for C
>>> group )
>>> /repository/foo/bar (read, write by A, B, C LDAP groups)
>>> 
>>> I've tried multiple <Location> directives (with different "Require
>>> ldap-filter" parameters) into different parts of the same
>>> repository, with no success.  "Require ldap-group" will not work for
>>> us as it seems to only accept one group as argument.
>>> 
>>> Is this possible?  If so, can someone point me in the right direction?
>>> Thank you in advance.

>> Have you considered Path-Based Authorization
>> 
>> http://svnbook.red-bean.com/en/1.4/svn.serverconfig.pathbasedauthz.html

> Hi Lakshman,

> Thank you for the suggestion and the quick reply.   Path-based authorization
> would be ideal, but my understanding is that this requires a flat file
> containing path, user and/or group details and cannot query group membership
> from LDAP.   Can path-based authorization leverage LDAP groups?   I didn't
> find any documentation indicating that it can, so I'm looking for
> alternatives.

> Suggestions greatly appreciated.

I suggest you upgrade your ancient server software and read appropriate
documentation.
http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.pathbasedauthz

(Same for 1.5
http://svnbook.red-bean.com/en/1.5/svn-book.html#svn.serverconfig.pathbasedauthz
)


--
WBR,
 Andrey Repin (anrdaemon@freemail.ru) 13.10.2009, <6:07>

Sorry for my terrible english...

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2406889


================================================================================================
EMAIL DISCLAIMER

This email and any attachments are confidential. They may also be subject to copyright.

If you are not an intended recipient of this email please immediately contact us by replying
to this email and then delete this email. 

You must not read, use, copy, retain, forward or disclose this email or any attachment.

We do not accept any liability arising from or in connection with unauthorised use or disclosure 
of the information contained in this email or any attachment.

We make reasonable efforts to protect against computer viruses but we do not accept liability
for any liability, loss or damage caused by any computer virus contained in this email.
================================================================================================

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2406927


Re: Limiting access to a particular repository subdirectory

Posted by Andrey Repin <an...@freemail.ru>.
Greetings, Craig Pendleton!

>>> We are currently running Subversion 1.4 through Apache 2.2, authenticating
>>> our users via LDAP and a "Require valid-user" parameter.   This has been
>>> working fine for us.   We are bringing in a third party who will only be
>>> working several levels deep in the repository and would like to restrict
>>> their access to these subdirectories only.   We would like to use LDAP
>>> groups to accomplish this.   Basically what we are looking for is the
>>> following:
>>> 
>>> /repository/foo     (read, write by A, B LDAP groups; no read or write for C
>>> group )
>>> /repository/foo/bar (read, write by A, B, C LDAP groups)
>>> 
>>> I've tried multiple <Location> directives (with different "Require
>>> ldap-filter" parameters) into different parts of the same repository, with no
>>> success.  "Require ldap-group" will not work for us as it seems to only accept
>>> one group as argument.
>>> 
>>> Is this possible?  If so, can someone point me in the right direction?
>>> Thank you in advance.

>> Have you considered Path-Based Authorization
>> 
>> http://svnbook.red-bean.com/en/1.4/svn.serverconfig.pathbasedauthz.html

> Hi Lakshman,

> Thank you for the suggestion and the quick reply.   Path-based authorization
> would be ideal, but my understanding is that this requires a flat file
> containing path, user and/or group details and cannot query group membership
> from LDAP.   Can path-based authorization leverage LDAP groups?   I didn't
> find any documentation indicating that it can, so I'm looking for
> alternatives.

> Suggestions greatly appreciated.

I suggest you upgrade your ancient server software and read appropriate
documentation.
http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.pathbasedauthz

(Same for 1.5
http://svnbook.red-bean.com/en/1.5/svn-book.html#svn.serverconfig.pathbasedauthz
)


--
WBR,
 Andrey Repin (anrdaemon@freemail.ru) 13.10.2009, <6:07>

Sorry for my terrible english...

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2406889


Re: Limiting access to a particular repository subdirectory

Posted by Craig Pendleton <cr...@healthlanguage.com>.
On 10/12/09 5:47 PM, "Srilakshmanan, Lakshman"
<la...@police.vic.gov.au> wrote:

> Hi Craig,
> 
> Have you considered Path-Based Authorization
> 
> http://svnbook.red-bean.com/en/1.4/svn.serverconfig.pathbasedauthz.html
> 
> Thanks
> Lakshman
> -----Original Message-----
> From: Craig Pendleton [mailto:craig.pendleton@healthlanguage.com]
> Sent: Tuesday, 13 October 2009 8:58 AM
> To: users@subversion.tigris.org
> Subject: Limiting access to a particular repository subdirectory
> 
> We are currently running Subversion 1.4 through Apache 2.2, authenticating
> our users via LDAP and a "Require valid-user" parameter.   This has been
> working fine for us.   We are bringing in a third party who will only be
> working several levels deep in the repository and would like to restrict
> their access to these subdirectories only.   We would like to use LDAP
> groups to accomplish this.   Basically what we are looking for is the
> following:
> 
> /repository/foo     (read, write by A, B LDAP groups; no read or write for C
> group )
> /repository/foo/bar (read, write by A, B, C LDAP groups)
> 
> I've tried multiple <Location> directives (with different "Require
> ldap-filter" parameters) into different parts of the same repository, with no
> success.  "Require ldap-group" will not work for us as it seems to only accept
> one group as argument.
> 
> Is this possible?  If so, can someone point me in the right direction?
> Thank you in advance.
> 
> 
> Craig
> 


Hi Lakshman,

Thank you for the suggestion and the quick reply.   Path-based authorization
would be ideal, but my understanding is that this requires a flat file
containing path, user and/or group details and cannot query group membership
from LDAP.   Can path-based authorization leverage LDAP groups?   I didn't
find any documentation indicating that it can, so I'm looking for
alternatives.

Suggestions greatly appreciated.

Craig 

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2406878


RE: Limiting access to a particular repository subdirectory

Posted by "Srilakshmanan, Lakshman" <la...@police.vic.gov.au>.
Hi Craig,

Have you considered Path-Based Authorization

http://svnbook.red-bean.com/en/1.4/svn.serverconfig.pathbasedauthz.html 

Thanks
Lakshman
-----Original Message-----
From: Craig Pendleton [mailto:craig.pendleton@healthlanguage.com] 
Sent: Tuesday, 13 October 2009 8:58 AM
To: users@subversion.tigris.org
Subject: Limiting access to a particular repository subdirectory

We are currently running Subversion 1.4 through Apache 2.2, authenticating
our users via LDAP and a "Require valid-user" parameter.   This has been
working fine for us.   We are bringing in a third party who will only be
working several levels deep in the repository and would like to restrict
their access to these subdirectories only.   We would like to use LDAP
groups to accomplish this.   Basically what we are looking for is the
following:

/repository/foo     (read, write by A, B LDAP groups; no read or write for C
group )
/repository/foo/bar (read, write by A, B, C LDAP groups)

I've tried multiple <Location> directives (with different "Require ldap-filter" parameters) into different parts of the same repository, with no success.  "Require ldap-group" will not work for us as it seems to only accept one group as argument.

Is this possible?  If so, can someone point me in the right direction?
Thank you in advance.


Craig


------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2406814



------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2406848
