Posted to users@subversion.apache.org by Scott Lamb <sl...@slamb.org> on 2006/04/25 07:24:54 UTC
mod_authz_svn: LDAP-based groups?
Is it possible to have path-based authorization based on LDAP groups
rather than ones hardcoded into the AuthzSVNAccessFile? I see from
the manual [1] how to do the latter, but maintaining *huge* lists of
users in a flat file would be hard for us. It'd be *much* better to
just delegate these lists to our IT department's ActiveDirectory
database, which already has the groups we're looking for.
mod_auth_ldap has a concept of groups built in [2], which seems to
be a standard concept in all the Apache authenticators. You can just
do stuff like:
require group cn=Administrators, o=Airius
What I'd like to do is something like this in the httpd configuration:
<Location /svn>
DAV svn
SVNPath /var/www/svn
AuthType Basic
AuthName "Build Repository"
AuthLDAPEnabled on
AuthLDAPURL ldap://example.com/dc=example,dc=com?sAMAccountName?one
AuthLDAPBindDN cn=queries,ou=Users,dc=example,dc=com
AuthLDAPBindPassword "secret"
Require valid-user
AuthzSVNAccessFile /var/www/svn/conf/access.conf
</Location>
and something like this in the access file:
[groups]
foo-committers = 'cn=foo-committers,ou=Groups,dc=example,dc=com'
foo-reviewers = 'cn=foo-reviewers,ou=Groups,dc=example,dc=com'
[/foo]
@foo-committers = rw
@foo-reviewers = r
or even just:
[/foo]
@'cn=foo-committers,ou=Groups,dc=example,dc=com' = rw
@'cn=foo-reviewers,ou=Groups,dc=example,dc=com' = rw
Is this possible?
Regards,
Scott
[1] - http://svnbook.red-bean.com/en/1.1/ch06s04.html#svn-ch-6-sect-4.4.2
[2] - http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html#reqgroup
--
Scott Lamb <http://www.slamb.org/>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: mod_authz_svn: LDAP-based groups?
Posted by Scott Lamb <sl...@slamb.org>.
On Apr 25, 2006, at 12:24 AM, Scott Lamb wrote:
> Is it possible to have path-based authorization based on LDAP
> groups rather than ones hardcoded into the AuthzSVNAccessFile? I
> see from the manual [1] how to do the latter, but maintaining
> *huge* lists of users in a flat file would be hard for us. It'd be
> *much* better to just delegate these lists to our IT department's
> ActiveDirectory database, which already has the groups we're
> looking for.
Okay, this sucks. It looks like:
1) mod_auth_ldap doesn't have a way to pass along group information
to mod_authz_*. At least as of httpd-2.0.x head, it does all its
group checking right in mod_auth_ldap_auth_checker.
2) there doesn't even seem to be a framework for Apache
authentication modules to do so.
3) mod_authz_svn doesn't even do the group stuff; it passes it along
to svn_repos_authz_*. There'd need to be a way to pass in a callback
or existing groups or _something_.
So I give up; I'll do this crudely. A cron job to generate the flat
file from LDAP queries and a Nagios monitoring point to complain if
it's out of date.
If someone more ambitious than me took on doing this properly, I and
probably others would be quite happy.
Regards,
Scott
--
Scott Lamb <http://www.slamb.org/>
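The fallback Scott settles on, a job that regenerates the flat access file from directory queries, written out as an added example that is not code from this thread. It assumes the directory has already been dumped to LDIF (for instance with ldapsearch) and works from constructed sample entries plus an assumed group-name-to-DN mapping, resolving each group's member DNs to the sAMAccountName that httpd presents to mod_authz_svn; nested groups are not expanded, so a member DN that is itself a group is silently skipped and should be checked for when reviewing the output.

```python
import re
from collections import defaultdict

# Constructed sample of what an `ldapsearch -LLL` dump might contain (not real data):
# users carry sAMAccountName, groups list member DNs (the Active Directory convention).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=com
sAMAccountName: alice

dn: CN=Bob Example,OU=Users,DC=example,DC=com
sAMAccountName: bob

dn: CN=foo-committers,OU=Groups,DC=example,DC=com
member: CN=Alice Example,OU=Users,DC=example,DC=com

dn: CN=foo-reviewers,OU=Groups,DC=example,DC=com
member: CN=Alice Example,OU=Users,DC=example,DC=com
member: CN=Bob Example,OU=Users,DC=example,DC=com
"""

# Assumed mapping from access-file group name to directory group DN.
GROUP_MAP = {
    "foo-committers": "CN=foo-committers,OU=Groups,DC=example,DC=com",
    "foo-reviewers": "CN=foo-reviewers,OU=Groups,DC=example,DC=com",
}

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from simple unfolded, unencoded LDIF."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key].append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def groups_section(ldif_text, group_map):
    """Render the [groups] section of an AuthzSVNAccessFile from an LDIF dump."""
    entries = parse_ldif(ldif_text)
    by_dn = {dn.lower(): a for dn, a in entries.items()}  # DNs match case-insensitively
    lines = ["[groups]"]
    for name, group_dn in sorted(group_map.items()):
        members = by_dn.get(group_dn.lower(), {}).get("member", [])
        # Resolve member DNs to the login name httpd will hand to mod_authz_svn;
        # DNs not present in the dump (e.g. nested groups) are dropped here.
        logins = sorted(by_dn[m.lower()]["sAMAccountName"][0]
                        for m in members if m.lower() in by_dn)
        lines.append(f"{name} = {', '.join(logins)}")
    return "\n".join(lines) + "\n"
```

The rendered section is meant to be written to the AuthzSVNAccessFile ahead of the static path rules, with the job's run time recorded so a monitoring check can flag a stale file.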