Posted to users@subversion.apache.org by "Tati, Aslesh : Barclaycard US" <at...@barclaycardus.com> on 2013/09/17 17:26:30 UTC
Path based authorization using LDAP groups
I'm trying to set up path-based authorization using different LDAP groups.
Developers should be able to see all repositories and commit to all repos (the corresponding LDAP group is subversion_developers)
Business users should be able to see all repositories but only commit to specific assigned repo (corresponding LDAP group is subversion_bususers)
There is another LDAP group which is subversion_readonly which is intended to give read only access to all repos.
My httpd.conf looks something like this:
RedirectMatch ^(/svn)$ $1/
<Location /repos>
DAV svn
SVNParentPath "/local/data/svn/svntestrepos"
SVNReposName "CollabNet Subversion Repository"
BrowserMatch "^SVN/1.[456]" denyclient
order allow,deny
allow from all
deny from env=denyclient
SVNListParentPath On
Allow from all
AuthType Basic
AuthName "CollabNet Subversion Repository"
AuthBasicProvider ldap
AuthLDAPUrl "ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*" "NONE"
AuthLDAPBindDN "svn_user"
AuthLDAPBindPassword "password"
<LimitExcept OPTIONS GET PROPFIND REPORT>
require ldap-group CN= subversion_readonly,OU=abc Access Groups,DC=abc,DC=com
</LimitExcept>
require ldap-group CN= subversion_developers,OU=abc Access Groups,DC=abc,DC=com
</Location>
<Location /repos/business>
DAV svn
SVNPath "/local/data/svn/svntestrepos/business"
SVNReposName "CollabNet Business users Subversion Repository"
BrowserMatch "^SVN/1.[456]" denyclient
order allow,deny
allow from all
deny from env=denyclient
Allow from all
AuthType Basic
AuthName "CollabNet Business Users Subversion Repository"
AuthBasicProvider ldap
AuthLDAPUrl "ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*" "NONE"
AuthLDAPBindDN "svn_user"
AuthLDAPBindPassword "password"
<LimitExcept OPTIONS GET PROPFIND REPORT>
require ldap-group CN= subversion_readonly,OU=abc Access Groups,DC=abc,DC=com
</LimitExcept>
require ldap-group CN= subversion_bususers,OU=abc Access Groups,DC=abc,DC=com
</Location>
I'm able to access all repos except the business repo with this setting, and when I try to commit something I get an error saying "Redirect cycle detected for URL".
Does this have something to do with the line RedirectMatch ^(/svn)$ $1/ ? I'm pretty much a novice at Apache configuration, so forgive my ignorance.
Any help is appreciated. Thank you.
Barclaycard
www.barclaycardus.com
This email and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.
Re: Path based authorization using LDAP groups
Posted by Logica Ex Machina <le...@pobox.com>.
On 13-09-17 11:26 AM, Tati, Aslesh : Barclaycard US wrote:
> I’m trying to set up path-based authorization using different LDAP groups.
>
> Developers should be able to see all repositories and commit to all
> repos (the corresponding LDAP group is subversion_developers)
>
> Business users should be able to see all repositories but only commit to
> specific assigned repo (corresponding LDAP group is subversion_bususers)
>
> There is another LDAP group which is subversion_readonly which is
> intended to give read only access to all repos.
>
> My httpd.conf looks something like this:
>
> RedirectMatch ^(/svn)$ $1/
> <Location /repos>
> DAV svn
> SVNParentPath "/local/data/svn/svntestrepos"
> SVNReposName "CollabNet Subversion Repository"
> BrowserMatch "^SVN/1.[456]" denyclient
> order allow,deny
> allow from all
> deny from env=denyclient
> SVNListParentPath On
> Allow from all
> AuthType Basic
> AuthName "CollabNet Subversion Repository"
> AuthBasicProvider ldap
> AuthLDAPUrl "ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*" "NONE"
> AuthLDAPBindDN "svn_user"
> AuthLDAPBindPassword "password"
> <LimitExcept OPTIONS GET PROPFIND REPORT>
> require ldap-group CN= subversion_readonly,OU=abc Access Groups,DC=abc,DC=com
> </LimitExcept>
> require ldap-group CN= subversion_developers,OU=abc Access Groups,DC=abc,DC=com
> </Location>
> <Location /repos/business>
> DAV svn
> SVNPath "/local/data/svn/svntestrepos/business"
> SVNReposName "CollabNet Business users Subversion Repository"
> BrowserMatch "^SVN/1.[456]" denyclient
> order allow,deny
> allow from all
> deny from env=denyclient
> Allow from all
> AuthType Basic
> AuthName "CollabNet Business Users Subversion Repository"
> AuthBasicProvider ldap
> AuthLDAPUrl "ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*" "NONE"
> AuthLDAPBindDN "svn_user"
> AuthLDAPBindPassword "password"
> <LimitExcept OPTIONS GET PROPFIND REPORT>
> require ldap-group CN= subversion_readonly,OU=abc Access Groups,DC=abc,DC=com
> </LimitExcept>
> require ldap-group CN= subversion_bususers,OU=abc Access Groups,DC=abc,DC=com
> </Location>
>
> I’m able to access all repos except the business repo with this setting,
> and when I try to commit something I get an error saying “Redirect cycle
> detected for URL”.
>
> Does this have something to do with the line RedirectMatch ^(/svn)$ $1/
> ? I’m pretty much a novice at Apache configuration, so forgive my ignorance.
>
> Any help is appreciated. Thank you.
RedirectMatch tells the requesting tool to try again at the new address,
which means it returns a response code and tells the client to try again
at the new address.
In your case, ^(/svn)$ $1/ says "Match ONLY /svn" and then "Redirect to
/svn/", which probably is getting sent back into the RedirectMatch.
http://httpd.apache.org/docs/2.2/mod_alias.html has the relevant
information. If you want to redirect any URLs that look like
"www.example.com/svn/business" to "www.example.com/repos/business", you
would need something like the following:
RedirectMatch ^/svn/(.*) /repos/$1
Is there a reason you are doing URL redirection, though? You can
probably just set the Location directives to be /svn and /svn/business
directly and not deal with redirects or rewrites at all. If you really
are looking at doing URL modifications, you might be better served with
mod_rewrite.
Robert
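To check what a set of RedirectMatch rules does to a request path before deploying it, the sketch below follows the redirect chain the way a client would and reports whether it ends or cycles. It is an added example, not part of either post; it models only URL paths and first-match behaviour, and the LOOPING rule pair and all function names are hypothetical.

```python
import re

# Constructed rule sets: (Apache-style pattern, substitution).
# The first two patterns appear in the thread; LOOPING is a hypothetical
# misconfiguration added here to show what a redirect cycle looks like.
TRAILING_SLASH = [(r"^(/svn)$", "$1/")]
SVN_TO_REPOS = [(r"^/svn/(.*)", "/repos/$1")]
LOOPING = [(r"^/svn/(.*)", "/repos/$1"), (r"^/repos/(.*)", "/svn/$1")]


def redirect_target(rules, path):
    """Return the path the first matching rule redirects to, or None."""
    for pattern, substitution in rules:
        match = re.search(pattern, path)  # unanchored unless the pattern uses ^ or $
        if match:
            # Replace Apache-style $1..$9 back-references with the captured groups.
            return re.sub(r"\$(\d)",
                          lambda ref: match.group(int(ref.group(1))) or "",
                          substitution)
    return None


def follow(rules, path, limit=10):
    """Follow redirects from path; return (list of hops, outcome string)."""
    hops = [path]
    while len(hops) <= limit:
        target = redirect_target(rules, hops[-1])
        if target is None:
            return hops, "served"        # no rule matches; normal handling takes over
        if target in hops:
            return hops + [target], "cycle"
        hops.append(target)
    return hops, "too many redirects"


if __name__ == "__main__":
    for name, rules, start in [("trailing slash", TRAILING_SLASH, "/svn"),
                               ("svn to repos", SVN_TO_REPOS, "/svn/business"),
                               ("looping pair", LOOPING, "/svn/business")]:
        hops, outcome = follow(rules, start)
        print(f"{name}: {' -> '.join(hops)} [{outcome}]")
```
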