tags:

views:

3986

answers:

2
+1  Q: 

How do I restrict Apache/SVN access to specific users (ldap/file-based authentication)?

I have Apache/SVN running on Windows 2003 with authentication via LDAP/Active Directory and a flat-file.

It's working great except that any LDAP user can access everything. I'd like to be able to limit SVN repos by user or group.

Ideally, I'd get to something like this:

<Location /svn/repo1>
  # restricted to ldap-user1, file-user1, or members of ldap-group1
  # all others denied
</Location>

<Location /svn/repo2>
  # restricted to ldap-user2, file-user2, or members of ldap-group2
  # all others denied
</Location>

The real trick might be that I have mixed authentication: ldap and file:

<Location /svn>
  DAV svn
  SVNParentPath C:/svn_repository
  AuthName "Subversion Repository"
  AuthType Basic
  AuthBasicProvider ldap file
  AuthUserFile "svn-users.txt" #file-based, custom users
  AuthzLDAPAuthoritative On
  AuthLDAPBindDN [email protected]
  AuthLDAPBindPassword ldappassword
  AuthLDAPURL ldap://directory.com:389/cn=Users,dc=directory,dc=com?sAMAccountName?sub?(objectCategory=person)
  Require valid-user
</Location>

Edit: in my googling, I've seen some people accomplish this by pulling in the authz file like this:

<Location /svn>
  ...
  AuthzSVNAccessFile "conf/svn-authz.txt"
</Location

Then, I'd need to map the AD users. Any examples of that approach?

+1  A: 

This was actually a lot easier than I thought it would be. I added this to my location:

<Location /svn>
  ...
  AuthzSVNAccessFile "conf/svn-authz.txt"
</Location

In that file, I just specified normal SVN permissions (the system doesn't seem to distinguish between file users and ldap users at this point):

[groups]
@admin = haren

###
### deny all but admins to the tree
###

[/]
* = 
@admin = rw


###
### allow more specific people on a per-repo basis below
###

[repo1:/]
ldap-user1 = rw
file-user1 = rw

[repo2:/]
ldap-user2 = rw
file-user2 = rw

I'm still playing around with the LDAP group syntax to get that part working. Any suggestions there are appreciated.

Michael Haren  2009-01-27 18:57:23
A: 

You should not use 

Require valid-user

but use 

Require group
Peter Parker  2009-01-28 09:58:39
What then is the syntax for a group?Is it possible to put his info in the authz file so I don't have to restart apache after every change?
Michael Haren  2009-01-28 13:33:17

related questions

Best strategy to write hooks for subversion in Windows
Database Version Control
Version control PHP Web Project
Experience with SVN vs. Team Foundation Server?
Best SVN Client Ignore Pattern for VB.NET Solutions?
SVN merge merged extra stuff
What is your favorite web app deployment workflow with SVN?
Integrating Fogbugz with TortoiseSVN with no URL/Subversion backend
Version Control. Getting started...
ASP.NET Display SVN Revision Number
How do I create a branch in SVN?
What do the result codes in svn mean?
Could you recommend a good free project hosting website?
Federated (Synced) Subversion servers?
Mechanisms for tracking DB schema changes
What are the advantages of using SVN over CVS?
Use SVN Revision to label build in CCNET
Best subversion client for Mac OS
Why is Git better than Subversion?
ASP.NET, Visual Studio and Subversion - how to integrate?
Best Practice: Collaborative Environment, Bin Directory, SVN
How do I sync the SVN revision number with my ASP.NET web site?
Best Subversion clients for Windows Vista (64bit)
Good branch/merge tutorials for Tortoise SVN?
How can you get Subclipse in Aptana to work with the newest release of Subversion?