Setting up Subversion repo using LDAP groups in svn_access_file


Obvious way:

Define cabal group members in AuthzSVNAccessFile.

  • You can do it by hand (edit the members every time the membership changes)
  • You can find and use an LDAP-to-Authz sync script (mentioned here on SO somewhere) for updating @cabal when CN=cabal changes in LDAP

Tricky way:

  • You can add an additional <Location /gorp/secret> with a changed Require ldap-group directive and maintain the group entirely in LDAP
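The sync script that the second "obvious way" bullet points at, as an added example that is neither the answer's script nor any project's code: it takes the members of CN=cabal as the LDIF printed by a query such as `ldapsearch -x -H ldap://ldap.vegicorp.net -b "DC=vegicorp,DC=net" "(memberOf=CN=cabal,OU=Groups,OU=vegicorp,DC=vegicorp,DC=net)" sAMAccountName` (the query, the sample LDIF and the member DNs are assumptions), writes them into the [groups] section that the asker's access file lacks (the "An authz rule refers to group '@cabal'" error in the question is mod_authz_svn refusing a rule that uses @cabal before any [groups] section defines it), and copies every path rule through untouched. It also rejects member names that could alter the file's structure, refuses to empty the group when the directory returns nobody, and replaces the file atomically. This route is preferable to a nested <Location /gorp/secret> because mod_dav_svn serves much of the protocol through !svn/ URIs under the repository root, so an Apache <Location> on a repository sub-path does not see every request that reaches content below /secret; the access file does.

```python
"""Sync an LDAP group into the [groups] section of a Subversion AuthzSVNAccessFile.

Added example, not the script the answer refers to.  Input is the LDIF that an
ldapsearch for sAMAccountName of every (memberOf=CN=cabal,...) entry prints;
host, bind DN and base DN of that query are assumptions.
"""
from __future__ import annotations

import os
import re
import tempfile

# sAMAccountName values never contain the characters that would change how
# mod_authz_svn parses a rule ('[', '=', ',', '@', whitespace); anything else is
# treated as bad input and rejected rather than written into the access file.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")

def parse_members(ldif: str, attr: str = "sAMAccountName") -> list[str]:
    """Sorted, de-duplicated values of `attr` in ldapsearch output; base64 values
    ("attr:: ...") also fail SAFE_NAME, so a surprising entry stops the sync."""
    members: set[str] = set()
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key != attr:
            continue  # dn:, comments, blank lines and other attributes
        value = value.strip()
        if not SAFE_NAME.fullmatch(value):
            raise ValueError(f"refusing to write unsafe member name {value!r}")
        members.add(value)
    return sorted(members)

def parse_groups(authz_text: str) -> dict[str, list[str]]:
    """Existing [groups] entries, so hand-maintained groups survive the sync."""
    groups: dict[str, list[str]] = {}
    in_groups = False
    for raw in authz_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_groups = line == "[groups]"
        elif in_groups and "=" in line and not line.startswith("#"):
            name, _, members = line.partition("=")
            groups[name.strip()] = [m.strip() for m in members.split(",") if m.strip()]
    return groups

def render_groups(groups: dict[str, list[str]]) -> str:
    rows = [f"{name} = {', '.join(groups[name])}" for name in sorted(groups)]
    return "\n".join(["[groups]"] + rows) + "\n"

def replace_groups_section(authz_text: str, groups: dict[str, list[str]]) -> str:
    """Replace [groups] (or prepend it when absent); every other section such as
    [/] and [/secret] is copied byte for byte, so path rules are never touched."""
    out: list[str] = []
    skipping = found = False
    for raw in authz_text.splitlines(keepends=True):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            skipping = line == "[groups]"
            if skipping:
                found = True
                out.append(render_groups(groups) + "\n")
                continue
        if not skipping:
            out.append(raw)
    body = "".join(out)
    return body if found else render_groups(groups) + "\n" + body

def sync_text(authz_text: str, ldif: str, group: str = "cabal") -> str:
    """Merge the LDAP membership of `group` into the access file text."""
    members = parse_members(ldif)
    if not members:
        # An empty result usually means a failed bind or query, not an empty
        # group; emptying @cabal would lock its members out of /secret.
        raise RuntimeError(f"LDAP returned no members for {group}; not emptying it")
    groups = parse_groups(authz_text)
    groups[group] = members
    return replace_groups_section(authz_text, groups)

def write_authz(path: str, text: str) -> None:
    """Rename a complete temp file over the original so httpd never loads a
    half-written copy, which would fail to parse and deny every request."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".authz-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(tmp, 0o640)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

# Constructed sample input: the asker's rules for / and /secret, and an LDIF
# result shaped like the query above would return (member DNs invented).
SAMPLE_AUTHZ = "[/]\n* = r\n\n[/secret]\n@cabal = rw\n* =\n"
SAMPLE_LDIF = """dn: CN=dvadar,OU=Users,OU=vegicorp,DC=vegicorp,DC=net
sAMAccountName: dvadar

dn: CN=cpalpatine,OU=Users,OU=vegicorp,DC=vegicorp,DC=net
sAMAccountName: cpalpatine

dn: CN=glucas,OU=Users,OU=vegicorp,DC=vegicorp,DC=net
sAMAccountName: glucas

# search result
result: 0 Success
"""

if __name__ == "__main__":
    print(sync_text(SAMPLE_AUTHZ, SAMPLE_LDIF), end="")
```

For real use, read the access file, pass its text together with the ldapsearch output to sync_text, and hand the result to write_authz from cron or a directory-side hook. Because sync_text raises instead of writing when the lookup returns nothing or returns an unexpected value, a broken bind leaves the previous membership in place rather than silently changing who can reach /secret.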
Author: David W.

Updated on October 09, 2022

Comments

  • David W. about 1 year

    If I were doing this from scratch, I would have made this two separate repositories. Unfortunately, I have to make do with what is there.

    Our repository looks like this:

    /trunk
    /tags
    /branches
    /secret/trunk
    /secret/tags
    /secret/branches
    

    I have my SVN configuration set up like this:

    <Location /gorp>
        DAV svn
        SVNPath /mnt/svn/repositories/gorp
        AuthType basic
        AuthName "Vegicorp Repository"
        # Authenticate against LDAP; the path-level rules come from the AuthzSVNAccessFile below
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPUrl "ldap://ldap.vegicorp.net:389/DC=vegicorp,DC=NET?sAMAccountName" NONE
        AuthLDAPBindDN "CN=ldap-read,OU=Users,OU=vegicorp,DC=vegicorp,DC=net"
        AuthLDAPBindPassword swordfish
        # Only members of the Development group may reach the repository at all
        Require ldap-group CN=Development,OU=Groups,OU=vegicorp,DC=vegicorp,DC=net
        AuthzSVNAccessFile /opt/CollabNet_Subversion/repos_path_access/gorp
    </Location>
    

    This works great. All users in the LDAP group Development have access to our repository. However, not all developers should be able to even see the secret directory. Instead, I only want users in the cabal LDAP group to be able to access it.

    And I have my file gorp under the above repos_path_access directory looking like this:

    [/]
    * = r
    
    [/trunk]
    * = rw
    
    [/branches]
    * = rw
    
    [/tags]
    * = rw
    
    [/secret]
    dvadar = rw
    cpalpatine = rw
    glucas = rw
    * = 
    

    So far, so good. My cabal group users, dvadar, cpalpatine, and glucas, have access to the /secret directory in my repository, and no one else even sees it. However, as people come and go, I have to manually change this path-based access file. What I would like to do is have my path-based access give everyone in cabal access and hide it for everyone else:

    [/]
    * = r
    
    [/trunk]
    * = rw
    
    [/branches]
    * = rw
    
    [/tags]
    * = rw
    
    [/secret]
    @cabal = rw
    * = 
    

    This does not work. Instead, I see this in my logs:

    Tue Sep 03 11:30:50 2013] [error] [client 10.55.9.217] \
    Failed to load the AuthzSVNAccessFile: An authz rule refers to group '@cabal'
    

    What is the best way to give my cabal group access to secret without the rest of my developers seeing this directory?

  • David W. about 10 years
    I knew I could write an LDAP to Authz sync script, but I was hoping there was some httpd configuration that could handle this. The tricky way is intriguing though.
  • guerda over 9 years
    Some information on a script which does the sync: thoughtspark.org/2009/01/20/…
  • wogsland over 6 years
    Generally you should include the relevant code here rather than linking to a repo.