Setting up Subversion repo using LDAP groups in svn_access_file
Obvious way:
Define cabal group members in AuthzSVNAccessFile.
- You can do it by hand (edit members every time the membership changes)
- You can find and use an LDAP-to-Authz sync script (mentioned here on SO somewhere) for updating @cabal when CN=cabal changes in LDAP
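What such a sync script has to do, as an added example (not the answerer's script, nor the one linked in the comments): rebuild the [groups] section of the authz file from LDAP membership and, before writing anything, check that every @group a rule names is actually defined, because an undefined group is exactly what makes mod_authz_svn refuse to load the file (the "An authz rule refers to group '@cabal'" error in the question below). The function names and the two SAMPLE_ constants are mine; the membership dict is constructed, standing in for an LDAP search that resolves each member DN of the cabal group to its sAMAccountName, the attribute the question's AuthLDAPUrl authenticates with, so that authz user names match the names httpd hands to mod_authz_svn.

```python
"""Sync LDAP group membership into a Subversion authz file's [groups] section.

Added example, not code from the page or its author. The LDAP side is
represented by a constructed dict; see the lead-in for what it stands for.
"""
import re
from collections import OrderedDict

# Constructed sample: members of CN=cabal, already resolved to sAMAccountName.
SAMPLE_LDAP_GROUPS = {"cabal": ["dvadar", "cpalpatine", "glucas"]}

# Constructed sample: the question's authz file, which names @cabal but has no
# [groups] section defining it.
SAMPLE_AUTHZ = """\
[/]
* = r

[/trunk]
* = rw

[/secret]
@cabal = rw
* =
"""


def parse_authz(text):
    """Parse an authz file into an ordered {section: [(key, value), ...]} mapping.

    Comments and blank lines are dropped; rule order inside a section is kept.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("rule outside any section: %r" % raw)
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def undefined_groups(sections):
    """Group names referenced as @name (in path rules or inside other groups)
    that are not defined in [groups]. A non-empty result is the condition
    under which httpd logs "An authz rule refers to group ..." and fails."""
    defined = {name for name, _ in sections.get("groups", [])}
    referenced = set()
    for section, rules in sections.items():
        if section == "groups":
            for _, members in rules:
                for member in members.split(","):
                    member = member.strip()
                    if member.startswith("@"):
                        referenced.add(member[1:])
        else:
            for key, _ in rules:
                if key.startswith("@"):
                    referenced.add(key[1:])
    return sorted(referenced - defined)


def sync_groups(sections, ldap_groups):
    """Return a copy with [groups] rebuilt from LDAP membership and placed
    first; every path section is carried over untouched."""
    synced = OrderedDict()
    synced["groups"] = [(name, ", ".join(sorted(members)))
                        for name, members in sorted(ldap_groups.items())]
    for section, rules in sections.items():
        if section != "groups":
            synced[section] = rules
    return synced


def render_authz(sections):
    """Serialize back to authz syntax; an empty value renders as 'key =' (no access)."""
    lines = []
    for section, rules in sections.items():
        lines.append("[%s]" % section)
        for key, value in rules:
            lines.append("%s = %s" % (key, value) if value else "%s =" % key)
        lines.append("")
    return "\n".join(lines)


def sync_authz_text(text, ldap_groups):
    """Parse, rebuild [groups], render, and refuse to emit a file httpd would
    reject at load time. Returns the new file text."""
    synced = sync_groups(parse_authz(text), ldap_groups)
    missing = undefined_groups(synced)
    if missing:
        raise ValueError("rules reference undefined groups: %s" % ", ".join(missing))
    return render_authz(synced)


if __name__ == "__main__":
    print("undefined before sync:", undefined_groups(parse_authz(SAMPLE_AUTHZ)))
    print(sync_authz_text(SAMPLE_AUTHZ, SAMPLE_LDAP_GROUPS))
```

Run from cron, the script would write the rendered text to the AuthzSVNAccessFile path only when it differs from the current file, so that a transient LDAP failure (an empty member list) never silently strips a group. Refusing to write when a rule references a group LDAP no longer has is deliberate: a group deleted in the directory should surface as a sync error, not as an httpd that stops serving the whole repository.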
Tricky way
- You can add an additional <Location /gorp/secret> with a changed Require ldap-group directive and maintain the group entirely in LDAP
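The nested Location block the tricky way describes, as an added example (not the answerer's or the Subversion project's own configuration). The outer block is the question's; the DN of the cabal group is assumed to follow the same OU layout as the Development group DN in the question.

```apache
# Repository-wide block, as in the question: everyone in Development
# authenticates against LDAP and is then subject to the authz file.
<Location /gorp>
    DAV svn
    SVNPath /mnt/svn/repositories/gorp
    AuthType basic
    AuthName "Vegicorp Repository"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldap://ldap.vegicorp.net:389/DC=vegicorp,DC=NET?sAMAccountName" NONE
    AuthLDAPBindDN "CN=ldap-read,OU=Users,OU=vegicorp,DC=vegicorp,DC=net"
    AuthLDAPBindPassword swordfish
    Require ldap-group CN=Development,OU=Groups,OU=vegicorp,DC=vegicorp,DC=net
    AuthzSVNAccessFile /opt/CollabNet_Subversion/repos_path_access/gorp
</Location>

# Added: a narrower Location merged on top of /gorp. Only the Require line
# changes; DAV, SVNPath and the LDAP settings are inherited from /gorp.
# The group DN is assumed, modelled on the Development DN above.
<Location /gorp/secret>
    Require ldap-group CN=cabal,OU=Groups,OU=vegicorp,DC=vegicorp,DC=net
</Location>
```

Two caveats before relying on this. First, the inner Require replaces the outer one rather than adding to it, so cabal membership alone is what grants access under /gorp/secret. Second, and more importantly, a Subversion client addresses most resources through the repository's `!svn/` URI space (for example `/gorp/!svn/rvr/<rev>/secret/...`), which `<Location /gorp/secret>` never matches; the block therefore restricts direct requests such as a browser GET or `svn ls http://.../gorp/secret`, but not a checkout of `/gorp` that walks into the secret tree. Only mod_authz_svn, which evaluates the access file on every request, decides whether `/secret` shows up in listings, so the nested block is an extra check on top of the path-based rules, not a substitute for defining the group there.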
David W.
Updated on October 09, 2022

Comments
- David W. about 1 year
If I was doing this from scratch, I would have made this two separate repositories. Unfortunately, I have to make do with what is there.
Our repository looks like this:

    /trunk
    /tags
    /branches
    /secret/trunk
    /secret/tags
    /secret/branches
I have my SVN configuration set up like this:

    <Location /gorp>
        DAV svn
        SVNPath /mnt/svn/repositories/gorp
        AuthType basic
        AuthName "Vegicorp Repository"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPUrl "ldap://ldap.vegicorp.net:389/DC=vegicorp,DC=NET?sAMAccountName" NONE
        AuthLDAPBindDN "CN=ldap-read,OU=Users,OU=vegicorp,DC=vegicorp,DC=net"
        AuthLDAPBindPassword swordfish
        Require ldap-group CN=Development,OU=Groups,OU=vegicorp,DC=vegicorp,DC=net
        AuthzSVNAccessFile /opt/CollabNet_Subversion/repos_path_access/gorp
    </Location>
This works great. All users in the LDAP group Development have access to our repository. However, not all developers should be able to even see the secret directory. Instead, I only want users in the cabal LDAP group to be able to access it. And I have my file gorp under the above repos_path_access directory look like this:

    [/]
    * = r
    [/trunk]
    * = rw
    [/branches]
    * = rw
    [/tags]
    * = rw
    [/secret]
    dvadar = rw
    cpalpatine = rw
    glucas = rw
    * =
So far, so good. My cabal group users, dvadar, cpalpatine, and glucas, have access to the /secret directory in my repository, and no one else even sees it. However, as people come and go, I have to manually change this path-based access file. What I would like to do is have my path-based access give everyone in cabal access and hide it for everyone else:

    [/]
    * = r
    [/trunk]
    * = rw
    [/branches]
    * = rw
    [/tags]
    * = rw
    [/secret]
    @cabal = rw
    * =
This does not work. Instead, I see this in my logs:

    [Tue Sep 03 11:30:50 2013] [error] [client 10.55.9.217] Failed to load the AuthzSVNAccessFile: An authz rule refers to group '@cabal'
What is the best way to give my cabal group access to secret without the rest of my developers seeing this directory?
-
David W. about 10 years: I knew I could write an LDAP-to-Authz sync script, but I was hoping there was some httpd configuration that could handle this. The tricky way is intriguing though.
-
guerda over 9 years: Some information on a script which does the sync: thoughtspark.org/2009/01/20/…
-
wogsland over 6 years: Generally you should include the relevant code here rather than linking to a repo.