On Sun, Aug 21, 2016 at 5:10 PM, Craig Russell <[email protected]> wrote:
>
>> On Aug 21, 2016, at 11:50 AM, Sam Ruby <[email protected]> wrote:
>>
>> TL;DR: add one line to httpd.conf (LDAPVerifyServerCert Off); add back
>> in the LDAP authentication; restart the server, and you should be up
>> and running. Details:
>>
>> https://github.com/apache/whimsy/commit/89556b48642a7696e11501c1a180f9339e63b4f5
>>
>> On Sun, Aug 21, 2016 at 1:20 PM, Craig Russell <[email protected]>
>> wrote:
>>> I reverted the change to whimsy.conf and can now get back to where I was
>>> yesterday.
>>
>> Which isn't where you want to be.
>>
>>> So, if the server is running as clr, with my local credentials, why does
>>> svn complain?
>>>
>>> Where is it that we tell server to run as clr?
>>
>> Let me split that into three questions, and answer each in turn.
>>
>> 1) Q: I have a local checkout of an ASF SVN repository, what allows
>> whimsy applications to read and write these files?
>>
>> A: Running httpd as your local user (per whoami) does this. This
>> change was made to httpd.conf.
>
> Just to be clear, this is the change I made to httpd.conf:
> <IfModule unixd_module>
> #
> # If you wish httpd to run as a different user or group, you must run
> # httpd as root initially and it will switch.
> #
> # User/Group: The name (or #number) of the user/group to run httpd as.
> # It is usually good practice to create a dedicated user and group for
> # running httpd, as with most system services.
> #
> User clr
> Group staff
>
> </IfModule>

That's the one.

>> 2) Q: What enables me to run *local* svn commands against these files?
>>
>> A: This is done via shelling out to the SVN command line. For this
>> reason, it is important that SVN is in the PATH environment as defined
>> in your whimsy.conf.
>
> Right. And per above, svn commands should be run under userid clr.

Correct.

>> 3) Q: What enables me to run commands (like commit) that interact with
>> the Apache svn server?
>
> "Commands (like commit)" is not clear to me. Are you talking about the
> secretary/workbench commit button?
>>
>> A: This requires prompting you for your Apache user id and password.
>
> Here you must be talking about the recent change to protect www/secretary.
>
> + <Directory /Users/rubys/git/whimsy/www/secretary> > + AuthType Basic > + AuthName "ASF Secretarial Team" > + AuthBasicProvider ldap > + AuthLDAPUrl "ldaps://ldap-lb-us.apache.org:636 > ldap1-us-west.apache.org:636/ou=people,dc=apache,dc=org?uid" > + AuthLDAPGroupAttribute member > + AuthLDAPGroupAttributeIsDN on > + Require ldap-group > cn=asf-secretary,ou=groups,ou=services,dc=apache,dc=org > + </Directory>
>
> So you want to restrict use of the services at www/secretary to the apache
> server ldap secretary team.
> I don’t see how this affects running svn locally. :(

That does restrict the services. This is done by prompting you for your
username and password. Those values (username and password) are passed
as parameters on certain svn commands (like svn commit) and on various
LDAP API calls. This is why commits on whimsy-vm3 made by you are done
with your user id.

At the moment, whimsy.local is attempting to be as close as possible to
whimsy-vm3.apache.org.

Various IDEs and even the command line can be configured to save your
password(*), but no whimsy code caches credentials.

- Sam Ruby

[1] http://svnbook.red-bean.com/en/1.6/svn.serverconfig.netmodel.html#svn.serverconfig.netmodel.creds
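
Review bot: the `AuthLDAPUrl` line binds over `ldaps://`, but the workaround given at the top of this thread (`LDAPVerifyServerCert Off`) turns off server certificate checking, so the Basic-auth password entered for the secretary area is forwarded to an LDAP endpoint whose identity is never verified. Consider keeping verification on and giving mod_ldap the issuing CA with `LDAPTrustedGlobalCert` instead, even on a local whimsy.local setup. Separately, the `<Directory>` path is hard-coded to `/Users/rubys/git/whimsy/www/secretary`; on any other developer's machine the block never matches, and www/secretary is then served with no `Require ldap-group` check at all, so the path should come from the local checkout location or be documented as something each developer must edit.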
