How do I restrict Apache/SVN access to specific users (LDAP/file-based authentication)?
I have Apache/SVN running on Windows Server 2003 with authentication via LDAP/Active Directory and a flat-file.

It's working great except that any LDAP user can access everything. I'd like to be able to limit SVN repositories by user or group.

Ideally, I'd get to something like this:

<Location /svn/repo1>
  # Restricted to ldap-user1, file-user1, or members of ldap-group1,
  # all others denied
</Location>

<Location /svn/repo2>
  # Restricted to ldap-user2, file-user2, or members of ldap-group2,
  # all others denied
</Location>

The real trick might be that I have mixed authentication: LDAP and file:

<Location /svn>
  DAV svn
  SVNParentPath C:/svn_repository
  AuthName "Subversion Repository"
  AuthType Basic
  AuthBasicProvider ldap file
  # file-based, custom users (Apache does not allow a trailing comment on a directive line)
  AuthUserFile "svn-users.txt"
  AuthzLDAPAuthoritative On
  AuthLDAPBindDN [email protected]
  AuthLDAPBindPassword ldappassword
  AuthLDAPURL ldap://directory.com:389/cn=Users,dc=directory,dc=com?sAMAccountName?sub?(objectCategory=person)
  Require valid-user
</Location>

In my googling, I've seen some people accomplish this by pulling in the authz file like this:

<Location /svn>
  ...
  AuthzSVNAccessFile "conf/svn-authz.txt"
</Location>

Then, I'd need to map the AD users. Any examples of that approach?

Kaine answered 27/1, 2009 at 18:1 Comment(2)
Conversable: Thanks a lot for your configuration.
Petigny: Can you allow all read/write access but one?
This was actually a lot easier than I thought it would be. I added this to my location:

<Location /svn>
  ...
  AuthzSVNAccessFile "conf/svn-authz.txt"
</Location>

In that file, I just specified normal SVN permissions (the system doesn't seem to distinguish between file users and LDAP users at this point):

[groups]
### Groups are defined without the "@"; the "@" prefix is only used when referencing a group
admin = haren

###
### Deny all but administrators to the tree
###

[/]
* =
@admin = rw


###
### Allow more specific people on a per-repository basis below
###

[repo1:/]
ldap-user1 = rw
file-user1 = rw

[repo2:/]
ldap-user2 = rw
file-user2 = rw

I'm still playing around with the LDAP group syntax to get that part working. Any suggestions there are appreciated.

Kaine answered 27/1, 2009 at 18:57 Comment(0)
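To check what a file like this actually grants before deploying it, here is an added Python evaluator (not from the original post and not Subversion's own code) that applies the authz lookup rules: walk from the requested path up to the repository root, consult the repository-specific section before the global one at each level, and let the first section with a matching rule decide. It embeds a constructed authz file in the layout above, and the within-section precedence it uses (a rule naming the user beats a @group rule, which beats *) is an assumption about the server's behaviour.

```python
import configparser

# Constructed authz file: the layout above (with the correct "admin = haren"
# [groups] form) plus a [repo2:/tags] section to show a path-level override.
AUTHZ_TEXT = """
[groups]
admin = haren
[/]
* =
@admin = rw
[repo1:/]
ldap-user1 = rw
file-user1 = rw
[repo2:/]
ldap-user2 = rw
[repo2:/tags]
* = r
@admin = rw
"""

def parse_authz(text):
    cp = configparser.RawConfigParser(delimiters=("=",), allow_no_value=True)
    cp.optionxform = str  # keep names case-sensitive, as Subversion does
    cp.read_string(text)
    groups = {g: [m.strip() for m in v.split(",")] for g, v in cp.items("groups")}
    return groups, {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}

def match_rule(user, section, groups):
    """Best rule in one section. Assumed precedence (most specific wins):
    named user > @group > *. Returns None if nothing in the section matches."""
    best = None
    for who, perm in section.items():
        if who == user: rank = 2
        elif who.startswith("@") and user in groups.get(who[1:], ()): rank = 1
        elif who == "*": rank = 0
        else: continue
        if best is None or rank > best[0]: best = (rank, perm or "")
    return None if best is None else best[1]

def access(user, repo, path, groups, rules):
    """Walk from path up to '/', checking the repo-specific section before the
    global one at each level; the first section with a matching rule decides."""
    parts = [p for p in path.split("/") if p]
    while True:
        here = "/" + "/".join(parts)
        for name in (f"{repo}:{here}", here):
            perm = match_rule(user, rules[name], groups) if name in rules else None
            if perm is not None:
                return "rw" if "w" in perm else "r" if "r" in perm else ""
        if not parts: return ""
        parts.pop()
```

With this file, haren gets rw everywhere, ldap-user1 gets rw in repo1 and nothing in repo2, and ldap-user2 drops to read-only under repo2:/tags because the more specific section overrides the repository root.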
Another alternate method for anyone else who is interested:

Require ldap-group cn=SVN Users,cn=Users,dc=company,dc=com

This is assuming you created a group called SVN Users in Active Directory. Notice that there are no double quotes around the group.

Use that instead of Require valid-user.

Then you probably don't have to restart Apache any time you make changes; just add the user to the group in AD.

Predominance answered 30/11, 2012 at 1:47 Comment(1)
Sulphur: Hi, if this is for a particular repo, say e.g. test-repo, then what would be the permission in the svn.acl file for test-repo? Should it be "* = rw" or something else? I tried adding what you have mentioned to the httpd.conf file for location /repos/test-repo, but test-repo is not seen by anyone, including the group SVN Users.
You should not use

Require valid-user

but use

Require group

Priestess answered 28/1, 2009 at 9:58 Comment(1)
Kaine: What then is the syntax for a group? Is it possible to put this info in the authz file so I don't have to restart Apache after every change?
The login prompt keeps asking for credentials if "Require group" is given instead of "Require valid-user". I am not using any AUTHZ file, since it needs manual entries. Below are the 2 conf file entries:

Does not authenticate at all

Require ldap-group cn=subversion,cn=Users,dc=company,dc=com

Require group

Logs in for all the users in the LDAP, ignores the subversion group

Require ldap-group cn=subversion,cn=Users,dc=company,dc=com

Require valid-user

Alidaalidade answered 28/6, 2024 at 12:29 Comment(0)