Reputation: 108376
How do I restrict Apache/SVN access to specific users (LDAP/file-based authentication)?
I have Apache/SVN running on Windows Server 2003 with authentication via LDAP/Active Directory and a flat-file.
It's working great except that any LDAP user can access everything. I'd like to be able to limit SVN repositories by user or group.
Ideally, I'd get to something like this:
<Location /svn/repo1>
# Restricted to ldap-user1, file-user1, or members of ldap-group1,
# all others denied
</Location>
<Location /svn/repo2>
# Restricted to ldap-user2, file-user2, or members of ldap-group2,
# all others denied
</Location>
The real trick might be that I have mixed authentication: LDAP and file:
<Location /svn>
DAV svn
SVNParentPath C:/svn_repository
AuthName "Subversion Repository"
AuthType Basic
AuthBasicProvider ldap file
AuthUserFile "svn-users.txt" #file-based, custom users
AuthzLDAPAuthoritative On
AuthLDAPBindDN [email protected]
AuthLDAPBindPassword ldappassword
AuthLDAPURL ldap://directory.com:389/cn=Users,dc=directory,dc=com?sAMAccountName?sub?(objectCategory=person)
Require valid-user
</Location>
In my googling, I've seen some people accomplish this by pulling in the authz file like this:
<Location /svn>
...
AuthzSVNAccessFile "conf/svn-authz.txt"
</Location
Then, I'd need to map the AD users. Any examples of that approach?
Upvotes: 6
Views: 26034
Answers (4)
Reputation: 11
The login prompt keeps asking for credentials if "Require group" is given instead of "Require valid-user". I am not using any AUTHZ file, since it needs manual entries. Below are the 2 conf file entries :
Does not authenticate at all
Require ldap-group cn=subversion,cn=Users,dc=company,dc=com
Require group
Logs in for all the users in the LDAP, ignores the subversion group
Require ldap-group cn=subversion,cn=Users,dc=company,dc=com
Require valid-user
Upvotes: 0
Reputation: 108376
This was actually a lot easier than I thought it would be. I added this to my location:
<Location /svn>
...
AuthzSVNAccessFile "conf/svn-authz.txt"
</Location
In that file, I just specified normal SVN permissions (the system doesn't seem to distinguish between file users and LDAP users at this point):
[groups]
@admin = haren
###
### Deny all but administrators to the tree
###
[/]
* =
@admin = rw
###
### Allow more specific people on a per-repository basis below
###
[repo1:/]
ldap-user1 = rw
file-user1 = rw
[repo2:/]
ldap-user2 = rw
file-user2 = rw
I'm still playing around with the LDAP group syntax to get that part working. Any suggestions there are appreciated.
Upvotes: 8
Reputation: 862
Another alternate method for anyone else who is interested:
Require ldap-group cn=SVN Users,cn=Users,dc=company,dc=com
This is assuming you created a group called SVN Users in Active directory. Notice that there are no double quotes around the group.
Use that instead of Require valid-user
Then you probably don't have to restart apache anytime you have any changes, just add the user to the group in AD
Upvotes: 5
Related Questions
- SVN restrict access to everything but subdirectory
- Apache SVN Authorize to Active Directory Group
- SVN - how to restrict user access to certain folders?
- Limit access to dav SVN to valid-users
- Apache subversion LDAP group access per folder inside 1 repo
- How to protect each sub directory of the SVN repository by using the Apache HTTP?
- How do I restrict Apache/GIT access to specific users (ldap/file-based authentication)?
- SVN with Apache authenticate against OS user accounts
- Setting up Apache and Subversion to use LDAP (Windows Active Directory) group authentication
- Use LDAP for SVN user authentication