Here is a configuration that I use to authenticate the users of our SVN server.

LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

# Add the following to allow a basic authentication and point Apache to where the actual
# repository resides.
<Location /svn/chartes>
    DAV svn
    SVNPath /var/www/html/svn/chartes
    AuthType Basic
    AuthName "My company repo"
    #AuthBasicAuthoritative Off
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://AD_IP/DC=DC_1,DC=local?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "LOGIN_OF_AUTHORIZED_USER_TO_SEARCH"
    AuthLDAPBindPassword "PASSWORD_FOR_AUTHORIZED_USER"
    Require valid-user
</Location>

Don't specify the port in the server IP.
There may be more than two DC items, depending on your AD configuration.
Note that here we use sAMAccountName as the search criterion.

Now imagine we want this scenario:
1- LDAP auth
2- Access rights granted from a local file (rw rights)
We can do that by adding a simple directive to our .conf file:
AuthzSVNAccessFile
So our new .conf file becomes:

LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

# Add the following to allow a basic authentication and point Apache to where the actual
# repository resides.
<Location /svn/chartes>
    DAV svn
    SVNPath /var/www/html/svn/chartes
    AuthType Basic
    AuthName "My company repo"
    #AuthBasicAuthoritative Off
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://AD_IP/DC=DC_1,DC=local?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "LOGIN_OF_AUTHORIZED_USER_TO_SEARCH"
    AuthLDAPBindPassword "PASSWORD_FOR_AUTHORIZED_USER"
    AuthzSVNAccessFile /etc/svn-repo-chartes.authz
    Require valid-user
</Location>

Where the content of /etc/svn-repo-chartes.authz is:

[/]
* = r
Now no one has write access to the repo, only read access.
Let's check that.
Scenario:
1- Login
2- Checkout
3- Create file
4- Add file to repo
5- Commit
Crap!
We get this message:
'Accès à '/svn/chartes/!svn/me' interdit' <=> 'Access to .... denied'
Now you can set authorizations line by line and user by user.
I'll grant write access to Mr 66456.
The content of our new authorization file becomes:
[/]
* = r
66456 = rw
Let's commit again...
All right!
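
To check who can commit before rolling out a change to the authz file, here is an added example (not part of the original post) that computes effective access the way the two files above behave: the nearest section that names the user or * decides, and grants within one section are combined. It assumes only plain [/path] sections with user and * entries (no groups, aliases or repository-prefixed sections); the [/tags] section and the user id 12345 are constructed for illustration.

```python
# Added example: effective access for the simple authz format shown in the post.
# Assumption: only "[/path]" sections with "user = perms" and "* = perms" lines.
SAMPLE = """\
[/]
* = r
66456 = rw

[/tags]
66456 = r
"""  # [/] is the post's file; [/tags] is constructed for illustration

def parse_authz(text):
    """Return {path: {principal: perms}}."""
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().rstrip("/") or "/"
            rules.setdefault(section, {})
        elif "=" in line and section is not None:
            name, perms = (part.strip() for part in line.split("=", 1))
            rules[section][name] = perms
    return rules

def effective_access(rules, user, path):
    """Use the nearest section (path, then its parents) that names the user or '*'."""
    path = "/" + path.strip("/")
    while True:
        entries = rules.get(path, {})
        matching = [p for name, p in entries.items() if name in (user, "*")]
        if matching:
            # Grants from every matching line of one section are combined.
            granted = set("".join(matching))
            return "".join(p for p in "rw" if p in granted)
        if path == "/":
            return ""  # nothing matched: no access
        path = path.rsplit("/", 1)[0] or "/"

def writers(rules, users, path):
    """List the users from `users` who can commit to `path`."""
    return sorted(u for u in users if "w" in effective_access(rules, u, path))

if __name__ == "__main__":
    rules = parse_authz(SAMPLE)
    for user in ("66456", "12345"):  # 12345 is a constructed user id
        for path in ("/", "/tags/v1"):
            print(user, path, effective_access(rules, user, path) or "none")
```
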