
I have Apache/SVN running on Windows Server 2003 with authentication via LDAP/Active Directory and a flat-file.

It's working great except that any LDAP user can access everything. I'd like to be able to limit SVN repositories by user or group.

Ideally, I'd get to something like this:

<Location /svn/repo1>
  # Restricted to ldap-user1, file-user1, or members of ldap-group1,
  # all others denied
</Location>

<Location /svn/repo2>
  # Restricted to ldap-user2, file-user2, or members of ldap-group2,
  # all others denied
</Location>

The real trick might be that I have mixed authentication: LDAP and file:

<Location /svn>
  DAV svn
  SVNParentPath C:/svn_repository
  AuthName "Subversion Repository"
  AuthType Basic
  AuthBasicProvider ldap file
  # file-based, custom users (Apache does not allow a comment after a directive on the same line)
  AuthUserFile "svn-users.txt"
  AuthzLDAPAuthoritative On
  AuthLDAPBindDN [email protected]
  AuthLDAPBindPassword ldappassword
  AuthLDAPURL ldap://directory.com:389/cn=Users,dc=directory,dc=com?sAMAccountName?sub?(objectCategory=person)
  Require valid-user
</Location>

In my googling, I've seen some people accomplish this by pulling in the authz file like this:

<Location /svn>
  ...
  AuthzSVNAccessFile "conf/svn-authz.txt"
</Location>

Then, I'd need to map the AD users. Any examples of that approach?

  • Thanks a lot for your configuration Commented Jun 17, 2009 at 12:04
  • Can you allow all read/write access but one? Commented Oct 20, 2011 at 9:48

4 Answers


This was actually a lot easier than I thought it would be. I added this to my location:

<Location /svn>
  ...
  AuthzSVNAccessFile "conf/svn-authz.txt"
</Location>

In that file, I just specified normal SVN permissions (the system doesn't seem to distinguish between file users and LDAP users at this point):

[groups]
# group names are defined without '@'; the '@' is only used when a rule refers to the group
admin = haren

###
### Deny all but administrators to the tree
###

[/]
* =
@admin = rw


###
### Allow more specific people on a per-repository basis below
###

[repo1:/]
ldap-user1 = rw
file-user1 = rw

[repo2:/]
ldap-user2 = rw
file-user2 = rw

I'm still playing around with the LDAP group syntax to get that part working. Any suggestions there are appreciated.
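As an added illustration (not code from the question or from any of the answers), the following Python script models how mod_authz_svn evaluates an access file of the shape shown above: it walks from the requested path up to "/", tries the repository-specific section before the generic one at each level, and lets the first section with a rule that applies to the user decide, combining the permissions of every applicable rule in that section. Those are the semantics the Subversion book documents for 1.5 through 1.9; Subversion 1.10 reworked rule precedence, so the authoritative check on a live server is "svnauthz accessof" against the real file. The file contents, user names and repository names below are constructed for the example, and the problems() check exists to catch the one mistake that silently locks everyone out: writing the '@' on the group definition in [groups].

```python
import configparser
from typing import Dict, List, Optional, Set

# Constructed sample access file in the shape of the accepted answer.  The
# group is defined as "admin" (no '@') and referenced as "@admin".
SAMPLE_AUTHZ = """\
[groups]
admin = haren
devs = ldap-user1, file-user1

[/]
* =
@admin = rw

[repo1:/]
@devs = rw

[repo1:/tags]
@devs = r

[repo2:/]
ldap-user2 = rw
file-user2 = rw
"""

# Constructed copy of the pitfall: '@' placed on the group *definition*.
BROKEN_AUTHZ = """\
[groups]
@admin = haren

[/]
* =
@admin = rw
"""


class Authz:
    """Pre-1.10 authz evaluation: most specific path wins, repository-specific
    section beats the generic one, permissions of all applicable rules in the
    deciding section are combined (a user cannot get less than their group)."""

    def __init__(self, text: str) -> None:
        cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
        cp.optionxform = str  # user and group names are case-sensitive
        cp.read_string(text)
        self.groups: Dict[str, List[str]] = {}
        if cp.has_section("groups"):
            for name, members in cp.items("groups"):
                self.groups[name] = [m.strip() for m in members.split(",") if m.strip()]
        self.sections: Dict[str, Dict[str, str]] = {
            s: dict(cp.items(s)) for s in cp.sections() if s != "groups"
        }

    def members(self, group: str, seen: Optional[Set[str]] = None) -> Set[str]:
        """Flatten a group, following nested '@group' members without looping."""
        seen = set() if seen is None else seen
        out: Set[str] = set()
        for m in self.groups.get(group, []):
            if m.startswith("@"):
                if m[1:] not in seen:
                    seen.add(m[1:])
                    out |= self.members(m[1:], seen)
            else:
                out.add(m)
        return out

    def _applies(self, rule: str, user: str) -> bool:
        if rule == "*":
            return True
        if rule.startswith("@"):
            return user in self.members(rule[1:])
        return rule == user

    def access(self, repo: str, path: str, user: str) -> str:
        """Return '', 'r' or 'rw' for USER on PATH inside REPO."""
        path = "/" + path.strip("/")
        candidates = [path]
        while candidates[-1] != "/":  # walk up: /tags/1.0 -> /tags -> /
            candidates.append(candidates[-1].rsplit("/", 1)[0] or "/")
        for p in candidates:
            for section in (f"{repo}:{p}", p):
                rules = self.sections.get(section)
                if not rules:
                    continue
                perms: Set[str] = set()
                matched = False
                for rule, value in rules.items():
                    if self._applies(rule, user):
                        matched = True
                        perms |= set(value.strip())
                if matched:
                    return "".join(c for c in "rw" if c in perms)
        return ""  # no rule anywhere on the path: default deny

    def problems(self) -> List[str]:
        """Report '@' on a group definition and references to undefined groups."""
        issues = []
        for g in self.groups:
            if g.startswith("@"):
                issues.append(f"[groups] defines '{g}': the '@' belongs only in references")
        for section, rules in self.sections.items():
            for rule in rules:
                if rule.startswith("@") and rule[1:] not in self.groups:
                    issues.append(f"[{section}] rule '{rule}' refers to undefined group '{rule[1:]}'")
        return issues


if __name__ == "__main__":
    authz = Authz(SAMPLE_AUTHZ)
    for repo, path, user in [("repo1", "/", "haren"), ("repo1", "/trunk/a.c", "ldap-user1"),
                             ("repo1", "/tags/1.0", "ldap-user1"), ("repo2", "/", "ldap-user1")]:
        print(f"{user:12} {repo}:{path:12} -> {authz.access(repo, path, user) or 'no access'}")
    for issue in Authz(BROKEN_AUTHZ).problems():
        print("problem:", issue)
```

Run it as a script and it prints the effective access for a few constructed user/repository pairs, then lists what is wrong with the broken file: with "@admin" in [groups], the rule "@admin = rw" refers to a group named "admin" that does not exist, so the only rule that applies to haren is "* =" and the administrator is locked out along with everyone else.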


Another alternate method for anyone else who is interested:

Require ldap-group cn=SVN Users,cn=Users,dc=company,dc=com

This is assuming you created a group called SVN Users in Active Directory. Notice that there are no double quotes around the group.

Use that instead of Require valid-user.

Then you probably don't have to restart Apache any time you have changes; just add the user to the group in AD.

1 Comment

Hi, if this is for a particular repo, say e.g. test-repo, then what would be the permission in the svn.acl file for test-repo? Should it be *= rw or something else? I tried adding what you have mentioned to the httpd.conf file for location /repos/test-repo, but test-repo is not seen by anyone, including group SVN Users.

You should not use

Require valid-user

but use

Require group

1 Comment

What then is the syntax for a group? Is it possible to put this info in the authz file so I don't have to restart Apache after every change?

The login prompt keeps asking for credentials if "Require group" is given instead of "Require valid-user". I am not using any AUTHZ file, since it needs manual entries. Below are the 2 conf file entries:

Does not authenticate at all

Require ldap-group cn=subversion,cn=Users,dc=company,dc=com

Require group

Logs in for all the users in the LDAP, ignores the subversion group

Require ldap-group cn=subversion,cn=Users,dc=company,dc=com

Require valid-user
