Reputation:
I am trying to migrate a Windows SVN server to Linux.
I have configured Apache to validate against AD for user access, so only AD users can log on.
Now I have to set permissions for repositories with authz files.
When I set permissions with an AD username it works, but with AD groups it doesn't.
The authz file looks like the following:
[test:/]
user1=rw #That works
[test2:/]
@usergroup=rw #No access for the groupmembers
When I create groups inside the authz file and assign AD users, that internal group works fine, but I can't administer groups in 2 locations; there are just too many changes made every day.
Does anyone have an idea how to use AD groups inside authz files?
Upvotes: 1
Views: 2570
Reputation: 76
You could use sync_ldap_groups_to_svn_authz.py to get AD groups into an authz file. You can get it at Bitbucket.
Example of usage:
python ./sync_ldap_groups_to_svn_authz.py \
-d "CN=access-TO-AD-user,OU=Users,OU=SiteName,OU=Europe,OU=St,DC=domainname,DC=com" \
-l "ldap://adserver.domainname.com:389" \
-b "OU=Groups,OU=SiteName,OU=Europe,OU=St,DC=domainname,DC=com" \
-u "objectClass=person" -g "(&(objectClass=group)(cn=UniqueStringBeforSVN*))" \
-i "sAMAccountName" > ldaptest.txt
"\" marks my line break because it's easier to read the example like that; please make sure you write it all on one line!
Upvotes: 4
Reputation: 12993
You can't automatically use AD groups inside the authz files.
A possible solution could be writing a script that queries the AD for the groups and their member users and writes the correct authz file, defining also the groups themselves.
The final output should be something like:
[groups]
usergroup = user1, user2, user3
[test:/]
user1 = rw
[test2:/]
@usergroup = rw
Upvotes: 2
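One way to write the generator script described in the last answer, added here as an example (it is not code from either answerer, nor from sync_ldap_groups_to_svn_authz.py). The directory entries are constructed samples shaped like python-ldap search results, and the names `safe`, `build_groups` and `render_authz` are hypothetical; group and login names are assumed to use only letters, digits, `.`, `_` and `-`.

```python
import re

# Constructed sample data, shaped like python-ldap search results: (dn, attrs).
USERS = [
    ("CN=User One,OU=Users,DC=example,DC=com", {"sAMAccountName": [b"user1"]}),
    ("CN=User Two,OU=Users,DC=example,DC=com", {"sAMAccountName": [b"user2"]}),
]
GROUPS = [
    ("CN=usergroup,OU=Groups,DC=example,DC=com", {
        "cn": [b"usergroup"],
        "member": [b"CN=User Two,OU=Users,DC=example,DC=com",
                   b"CN=User One,OU=Users,DC=example,DC=com",
                   b"CN=Unknown,OU=Other,DC=example,DC=com"],  # not in USERS
    }),
]
# Hand-maintained path rules; only the [groups] section is generated.
RULES = "[test:/]\nuser1 = rw\n\n[test2:/]\n@usergroup = rw\n"

def safe(name):
    """Reject names that could inject extra lines or sections into the file."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError(f"unsafe name from directory: {name!r}")
    return name

def build_groups(groups, users):
    """Map group cn -> sorted login names. Nested groups are not expanded."""
    login = {dn.lower(): safe(a["sAMAccountName"][0].decode()) for dn, a in users}
    out = {}
    for _dn, attrs in groups:
        dns = (m.decode().lower() for m in attrs.get("member", []))
        out[safe(attrs["cn"][0].decode())] = sorted({login[d] for d in dns if d in login})
    return out

def render_authz(groups, users, rules):
    """Return the complete authz text, refusing rules that name unknown groups."""
    mapping = build_groups(groups, users)
    missing = set(re.findall(r"^@([^\s=]+)\s*=", rules, re.M)) - set(mapping)
    if missing:
        raise ValueError(f"rules reference undefined groups: {sorted(missing)}")
    section = ["[groups]"] + [f"{g} = {', '.join(m)}" for g, m in sorted(mapping.items())]
    return "\n".join(section) + "\n\n" + rules

if __name__ == "__main__":
    print(render_authz(GROUPS, USERS, RULES), end="")
```

Members whose DN is not among the fetched user entries (nested groups, accounts outside the search base) are left out of the group line rather than written as raw DNs.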