You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by "Tati, Aslesh : Barclaycard US" <at...@barclaycardus.com> on 2013/09/17 17:26:30 UTC

Path based authorization using LDAP groups

I'm trying to setup a path based authorization using different LDAP groups.

Developers should be able to see all repositories and commit to all repos (the corresponding LDAP group is subversion_developers)

Business users should be able to see all repositories but only commit to specific assigned repo (corresponding LDAP group is subversion_bususers)

There is another LDAP group which is subversion_readonly which is intended to give read only access to all repos.

My httpd.conf looks something like this:

RedirectMatch ^(/svn)$ $1/
<Location /repos>
   DAV svn
   SVNParentPath "/local/data/svn/svntestrepos"
   SVNReposName "CollabNet Subversion Repository"
   BrowserMatch  "^SVN/1.[456]" denyclient
   order allow,deny
   allow from all
   deny from env=denyclient
   SVNListParentPath On
   Allow from all
   AuthType Basic
   AuthName "CollabNet Subversion Repository"
   AuthBasicProvider  ldap
  AuthLDAPUrl "ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*" "NONE"
   AuthLDAPBindDN "svn_user"
   AuthLDAPBindPassword "password"
  <LimitExcept OPTIONS GET PROPFIND REPORT>
   require ldap-group CN= subversion_readonly,OU=abc Access Groups,DC=abc,DC=com
  </LimitExcept>
   require ldap-group CN= subversion_developers,OU=abc Access Groups,DC=abc,DC=com
</Location>

<Location /repos/business>
   DAV svn
   SVNPath "/local/data/svn/svntestrepos/business"
   SVNReposName "CollabNet Business users Subversion Repository"
   BrowserMatch  "^SVN/1.[456]" denyclient
   order allow,deny
   allow from all
   deny from env=denyclient
   Allow from all
   AuthType Basic
   AuthName "CollabNet Business Users Subversion Repository"
   AuthBasicProvider  ldap
   AuthLDAPUrl "ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*" "NONE"
   AuthLDAPBindDN "svn_user"
   AuthLDAPBindPassword "password"
  <LimitExcept OPTIONS GET PROPFIND REPORT>
   require ldap-group CN= subversion_readonly,OU=abc Access Groups,DC=abc,DC=com
  </LimitExcept>
   require ldap-group CN= subversion_bususers,OU=abc Access Groups,DC=abc,DC=com
</Location>

I'm able to access all repos except the business repo with this setting and when I try to commit something I get an error saying "Redirect cycle detected for URL"

Does this have something to do with the line RedirectMatch ^(/svn)$ $1/ ? I'm pretty much a novice at apache configuration, so forgive my ignorance.

Any help is appreciated, Thank you.



Barclaycard
www.barclaycardus.com 

This email and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.

Re: Path based authorization using LDAP groups

Posted by Logica Ex Machina <le...@pobox.com>.

On 13-09-17 11:26 AM, Tati, Aslesh : Barclaycard US wrote:
> I’m trying to setup a path based authorization using different LDAP groups.
>
> Developers should be able to see all repositories and commit to all
> repos (the corresponding LDAP group is subversion_developers)
>
> Business users should be able to see all repositories but only commit to
> specific assigned repo (corresponding LDAP group is subversion_bususers)
>
> There is another LDAP group which is subversion_readonly which is
> intended to give read only access to all repos.
>
> My httpd.conf looks something like this:
>
> RedirectMatch ^(/svn)$ $1/
>
> <Location /repos>
>
>     DAV svn
>
>     SVNParentPath "/local/data/svn/svntestrepos"
>
>     SVNReposName "CollabNet Subversion Repository"
>
>     BrowserMatch  "^SVN/1.[456]" denyclient
>
>     order allow,deny
>
>     allow from all
>
>     deny from env=denyclient
>
>     SVNListParentPath On
>
>     Allow from all
>
>     AuthType Basic
>
>     AuthName "CollabNet Subversion Repository"
>
>     AuthBasicProvider  ldap
>
>    AuthLDAPUrl
> "ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*" "NONE"
>
>     AuthLDAPBindDN "svn_user"
>
>     AuthLDAPBindPassword "password"
>
>    <LimitExcept OPTIONS GET PROPFIND REPORT>
>
>     require ldap-group CN= subversion_readonly,OU=abc Access
> Groups,DC=abc,DC=com
>
>    </LimitExcept>
>
>     require ldap-group CN= subversion_developers,OU=abc Access
> Groups,DC=abc,DC=com
>
> </Location>
>
> <Location /repos/business>
>
>     DAV svn
>
>     SVNPath "/local/data/svn/svntestrepos/business"
>
>     SVNReposName "CollabNet Business users Subversion Repository"
>
>     BrowserMatch  "^SVN/1.[456]" denyclient
>
>     order allow,deny
>
>     allow from all
>
>     deny from env=denyclient
>
>     Allow from all
>
>     AuthType Basic
>
>     AuthName "CollabNet Business Users Subversion Repository"
>
>     AuthBasicProvider  ldap
>
>     AuthLDAPUrl
> "ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*" "NONE"
>
>     AuthLDAPBindDN "svn_user"
>
>     AuthLDAPBindPassword "password"
>
>    <LimitExcept OPTIONS GET PROPFIND REPORT>
>
>     require ldap-group CN= subversion_readonly,OU=abc Access
> Groups,DC=abc,DC=com
>
>    </LimitExcept>
>
>     require ldap-group CN= subversion_bususers,OU=abc Access
> Groups,DC=abc,DC=com
>
> </Location>
>
> I’m able to access all repos except the business repo with this setting
> and when I try to commit something I get an error saying “Redirect cycle
> detected for URL”
>
> Does this have something to do with the line RedirectMatch ^(/svn)$ $1/
> ? I’m pretty much a novice at apache configuration, so forgive my ignorance.
>
> Any help is appreciated, Thank you.
>
>
> Barclaycard
>
> www.barclaycardus.com <http://www.barclaycardus.com>
>
> This email and any files transmitted with it may contain confidential
> and/or proprietary information. It is intended solely for the use of the
> individual or entity who is the intended recipient. Unauthorized use of
> this information is prohibited. If you have received this in error,
> please contact the sender by replying to this message and delete this
> material from any system it may be on.
>

RedirectMatch tells the requesting tool to try again at the new address, 
which means it returns a response code and tells the client to try again 
at the new address.

In your case, ^(/svn)$ $1/ says "Match ONLY /svn" and then "Redirect to 
"/svn/", which probably is getting sent back into the RedirectMatch. 
Http:/httpd.apache.org/docs/2.2/mod_alias.html has the relevant 
information.  If you want to redirect any URLS that look like 
"www.example.com/svn/business" to "www.example.com/respos/business", you 
would need something like the following:

RedirectMatch ^/svn/(*.) /repos/$1


Is there a reason you are doing URL redirection, though?  You can 
probably just set the Location directives to be /svn and /svn/business 
directly and not deal with redirects or rewrites at all.  If you really 
are looking at doing URL modifications, you might be better served with 
mod_rewrite.

Robert