The problem is about the security settings of a Subversion repository served through the Apache web server.
I use the Path Based Authentication to protect some company information from external collaborators. I need something that tests that the authorization is given to the people I want, i.e. I need to check that I haven't made mistakes in the configuration.
There is a simple way to test this: simulate the access to the resource using the username and password of each user. But this method requires knowing the users' passwords.
For example, the following BASH script tests the authorization of each user on a specified path ($url). Note: the users-files.txt contains the username and password of the users in the form "username:password".
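    url="http://my.company.com/svn/repo1/private-data/"
    # Each input line has the form "username:password".
    while IFS= read -r line; do
        username="${line%%:*}"   # everything before the first colon
        password="${line#*:}"    # everything after the first colon (may contain colons)
        # Request the path as this user; discard the body, only the exit status matters.
        if wget --quiet --output-document=/dev/null --user="$username" --password="$password" -- "$url"; then
            printf '%s:\tgranted\n' "$username"
        else
            printf '%s:\tdenied\n' "$username"
        fi
    done < users-list.txt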
Is there a way to make this check without knowing the passwords of the users, but only the usernames? I'm root on the machine where HTTPD and Subversion run. Does HTTPD provide some audit tool?
The authentication is configured in the following way:
    <Location /svn/>
        DAV svn
        SVNParentPath /var/svn/
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "Subversion repository"
        AuthLDAPURL ldap://127.0.0.1:389/ou=People,o=mycompany.com?uid?sub?(objectClass=*)
        Require valid-user
        AuthzSVNAccessFile /var/svn/svn-access-file.conf
        Options Indexes
        SVNListParentPath on
    </Location>