Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive

Kedar Sirshikar (ksirshik)

Hi team,

I need some help on the integration of SVN, Apache and LDAP.

Currently we are using ‘/var/www/svn/users-access-file’ to store SVN admin users.

The problem with this approach is that if new admin users are added in LDAP then we have to change the above file as well (for adding new users).

Also, storing user names in ‘/var/www/svn/users-access-file’ is always discouraged as it may violate security.

So, is there any way I can avoid using ‘/var/www/svn/users-access-file’ and achieve read/write access to SVN based on groups of LDAP users?

I am also investigating, but as I am new to this area your help may improve my investigation.

System details are as below:

CentOS release 6.8 (Final)

httpd-2.2.15-54.el6.centos.x86_64

Regards,

Kedar.


Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive

Branko Čibej
On 04.08.2017 18:39, Kedar Sirshikar (ksirshik) wrote:

> So, is there any way I can avoid using ‘/var/www/svn/users-access-file’ and achieve read/write access to SVN based on groups of LDAP users?

Yes, this is easily done; here's an example of the access part of the httpd config file (for httpd 2.4.x):

        <RequireAll>
            # Everybody has to authenticate first ...
            Require valid-user
            # ... then the read-only methods are open to either group ...
            <Limit HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    # Read access
                    Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com
                    Require ldap-group cn=svn.readonly,ou=group,dc=example,dc=com
                </RequireAny>
            </Limit>
            # ... and every other method (the ones that modify the repository)
            # is reserved for the admin group.
            <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    # Write access
                    Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com
                </RequireAny>
            </LimitExcept>
        </RequireAll>


-- Brane
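For readers who want the whole `<Location>` rather than only the access part, here is an added example (mine, not Brane's and not the Subversion project's own configuration) of a complete httpd 2.4 setup that wires mod_dav_svn to mod_authnz_ldap and uses the read/write split above. The host names, base DN, service account, CA path and group names are assumptions; replace them with your own. It assumes groups are groupOfNames entries whose `member` values are user DNs, which is what mod_authnz_ldap expects by default; the posixGroup variant is noted in a comment.

```apache
# Added example, not from the original thread: full httpd 2.4 configuration
# for Subversion authorised purely by LDAP group membership (no
# AuthzSVNAccessFile). Host names, DNs, file paths and group names are
# assumptions for illustration.
#
# Needs mod_ssl, mod_dav, mod_dav_svn, mod_ldap and mod_authnz_ldap loaded
# (on RHEL/CentOS they are enabled from conf.modules.d/).

# mod_ldap (server context): trust only our CA for the ldaps:// connection
# and refuse a directory server whose certificate does not verify.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/corp-ca.pem
LDAPVerifyServerCert On

<VirtualHost *:443>
    ServerName svn.example.com

    # Basic auth sends the directory password with every request, so the
    # repositories are published over TLS only (an http:// vhost, if any,
    # should just redirect here).
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/svn.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/svn.example.com.key

    <Location /svn>
        DAV svn
        SVNParentPath /var/www/svn
        # Do not advertise the list of repositories.
        SVNListParentPath off

        AuthType Basic
        AuthName "Subversion repositories"
        AuthBasicProvider ldap

        # Who may authenticate: entries under ou=people whose uid equals the
        # login name. The filter keeps service and non-person entries out.
        AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"

        # Read-only service account for the user and group lookups. The
        # exec: form (httpd 2.4.5 and later) reads the secret from a
        # program's stdout, so it never sits in the config file itself.
        AuthLDAPBindDN "cn=svn-httpd,ou=services,dc=example,dc=com"
        AuthLDAPBindPassword "exec:/usr/local/sbin/svn-ldap-bind-password"

        # Groups here are groupOfNames objects whose 'member' values are
        # full user DNs, so membership is tested against the user's DN.
        # For posixGroup directories (members listed by login name in
        # memberUid) use instead:
        #   AuthLDAPGroupAttribute memberUid
        #   AuthLDAPGroupAttributeIsDN off
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on

        # Brane's access part: authenticate everyone, then split by method.
        <RequireAll>
            Require valid-user
            # The methods a checkout/update/log/diff client issues.
            <Limit HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com
                    Require ldap-group cn=svn.readonly,ou=group,dc=example,dc=com
                </RequireAny>
            </Limit>
            # Everything else (MKACTIVITY, CHECKOUT, PUT, MERGE, LOCK, ...)
            # modifies the repository and is reserved for the admin group.
            <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
                Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com
            </LimitExcept>
        </RequireAll>
    </Location>
</VirtualHost>
```

The group DNs in the `Require ldap-group` lines must be written out in full, exactly as the directory stores them; mod_authnz_ldap compares the user against the named entry's member attribute and does not go looking for a group by its short name.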

Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive

Kedar Sirshikar (ksirshik)

Hi Brane,

Thank you for the reply.

I am providing some inputs about my experiment as of now.

I am using ‘httpd-2.2.15-54.el6.centos.x86_64’ httpd.

I have attached the ldif file and ‘/etc/httpd/conf.d/subversion.conf’ files for your reference.

I have also attached ‘sssd.conf’ (to interact with LDAP).

Still I have not been able to grant read access to gidNumber: 500 and read/write access to gidNumber: 491 from ldap.

Do you see any obvious issue in the attached files? Your advice will be a great help!

Regards,

Kedar.

From: Branko Čibej <[hidden email]>
Organization: The Apache Software Foundation
Date: Monday, August 7, 2017 at 12:36 AM
To: "[hidden email]" <[hidden email]>
Cc: "Kedar Sirshikar (ksirshik)" <[hidden email]>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive

> Yes, this is easily done; here's an example of the access part of the httpd config file (for httpd 2.4.x):

Attachments: ldif.txt (1K), sssd.conf (1K), subversion.conf (4K)

Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive

Branko Čibej
On 07.08.2017 10:10, Kedar Sirshikar (ksirshik) wrote:

> Still I have not been able to grant read access to gidNumber: 500 and
> read/write access to gidNumber: 491 from ldap.
>
> Do you see any obvious issue in the attached files? Your advice will be a
> great help!

Looks like you're missing two bits:

  * the AuthLDAPGroupAttribute is probably needed
  * you don't use the whole group distinguished name in the Require
    lines (the common name is missing).

As far as I know, mod_ldap won't search the whole subtree for valid
group names, you have to list them explicitly.

-- Brane
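Brane's two points applied to what the original poster describes (httpd 2.2.15 on CentOS 6, and groups identified by gidNumber, which suggests posixGroup entries of the kind sssd consumes), as an added example that is mine and not the poster's attached subversion.conf, which is not on this page. The base DN, the group names svn-readers (gidNumber 500) and svn-admins (gidNumber 491) and the bind account are assumptions. Two things worth knowing before editing: mod_authnz_ldap queries the directory itself through mod_ldap, so sssd.conf has no bearing on what httpd decides; and `Require ldap-group` wants the group entry's full DN, never a gidNumber.

```apache
# Added example, not the original poster's configuration:
# /etc/httpd/conf.d/subversion.conf for httpd 2.2.x with posixGroup-style
# LDAP groups. DNs, host names, group names and the bind account are
# assumptions for illustration.

# Server context: CA used to verify the ldaps:// server certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/corp-ca.pem

<Location /svn>
    DAV svn
    SVNParentPath /var/www/svn

    AuthType Basic
    AuthName "Subversion repositories"
    AuthBasicProvider ldap
    # 2.2 only (removed in 2.4): a failed ldap-group check is final instead
    # of falling through to other authorization modules.
    AuthzLDAPAuthoritative on

    # Users: uid under ou=People, over ldaps so the password is not sent in
    # clear between httpd and the directory.
    AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=posixAccount)"
    AuthLDAPBindDN "cn=svn-httpd,ou=Services,dc=example,dc=com"
    # 2.2 has no exec: form, so the secret lives here: keep this file
    # readable by root only (httpd reads its config before dropping
    # privileges).
    AuthLDAPBindPassword "change-me"

    # Missing bit 1: posixGroup entries list members as login names in
    # memberUid, not as DNs in member/uniqueMember (the default), so tell
    # mod_authnz_ldap which attribute to read and that it is not a DN.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # Missing bit 2: Require ldap-group takes the group entry's full DN,
    # beginning with its cn. A gidNumber is not a DN. The only gid-based
    # test available matches the user's own primary group,
    #   Require ldap-attribute gidNumber=491
    # and ignores memberUid lists entirely.

    # Read-only methods: readers (gidNumber 500) or admins (gidNumber 491).
    # In 2.2, several Require lines in one scope are OR'ed.
    <Limit GET PROPFIND OPTIONS REPORT>
        Require ldap-group cn=svn-readers,ou=Group,dc=example,dc=com
        Require ldap-group cn=svn-admins,ou=Group,dc=example,dc=com
    </Limit>
    # Every other method changes the repository: admins only.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group cn=svn-admins,ou=Group,dc=example,dc=com
    </LimitExcept>
</Location>
```

Before reloading httpd, confirm with ldapsearch, bound as the same service account, that the group entry really has the DN written in the `Require` line and that its memberUid values are the login names users type; a DN that differs by one RDN or attribute case-folding fails silently as "not a member". With `LogLevel debug`, mod_authnz_ldap in 2.2 writes each `auth_ldap authorise` decision to error_log, which shows which group DN it looked up and why the check failed.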