Monday, July 19, 2021

httpd / svn / ldap authentication Simple and mixed authorizations

i'll not make things hard and long.
Here is an configuration that i use to authenticate users thats use our svn server.


LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

# Add the following to allow a basic authentication and point Apache to where the actual
# repository resides.

        DAV svn
        SVNPath /var/www/html/svn/chartes
        AuthType Basic
        AuthName "My company repo"
	#AuthBasicAuthorative Off
	AuthBasicProvider ldap
	AuthLDAPURL "ldap://AD_IP/DC=DC_1,DC=local?sAMAccountName?sub?(objectClass=*)"
	AuthLDAPBindDN	"LOGIN_OF_AUTHORIZED_USER_TO_SEARCH"
	AuthLDAPBindPassword "PASSWORD_FOR_AUTHORIZED_USER"
	Require valid-user	


Don't specify the port in the server ip
DC items may be more then 2, depending on your AD configuration.
Remark here we use sAMAccountName as research criteria Now imagine we want this scenario:
1-LDAP auth
2-Access rights granted from local file (rw rights)
We can do that by adding a simple directive in our .conf file
AuthzSVNAccessFile
so our new .conf file become:
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

# Add the following to allow a basic authentication and point Apache to where the actual
# repository resides.

        DAV svn
        SVNPath /var/www/html/svn/chartes
        AuthType Basic
        AuthName "My company repo"
	#AuthBasicAuthorative Off
	AuthBasicProvider ldap
	AuthLDAPURL "ldap://AD_IP/DC=DC_1,DC=local?sAMAccountName?sub?(objectClass=*)"
	AuthLDAPBindDN	"LOGIN_OF_AUTHORIZED_USER_TO_SEARCH"
	AuthLDAPBindPassword "PASSWORD_FOR_AUTHORIZED_USER"
    AuthzSVNAccessFile /etc/svn-repo-chartes.authz
	Require valid-user	

Where /etc/svn-repo-chartes.authzcontent is
[/] * = r

Now no-one has write right on repo here but only read
Let's see that
Sceanrio:
1- Login
2-Checkout
3-Create file
4-Add file to repo
5-commit

Craps!
We have that message :
Accès à '/svn/chartes/!svn/me' interdit' <=> 'Access to .... denied' 

Now you can set authorizations line by line and user by user

Let's continue...
I'll grant to Mr 66456 a write right
Our new authorizations file content become:
[/]
* = r
66456 = rw

Let's commit again...
All right !