Re: svnsync checksum error

2010-11-10 Thread opensrcguru
On Wed, Nov 10, 2010 at 10:49 AM, Daniel Shahaf  wrote:
> OSG wrote on Tue, Nov 09, 2010 at 20:58:53 -0600:
>> On 11/09/2010 06:41 PM, Daniel Shahaf wrote:
>> > Edward Ned Harvey wrote on Sat, Nov 06, 2010 at 20:29:18 -0400:
>> >>> From: opensrcguru [mailto:opensrcg...@gmail.com]
>> >>>
>> >>> Today, the sync process started failing on 1 repo (all others were
>> >>> unaffected) on both r/o copies at the exact same time/same revision
>> >>> with errors similar to the following...
>> >>>
>> >>> Transmitting file data .svnsync: Base checksum mismatch on
>> >>> '/path/to/file/foo/bar':
>> >>>    expected:  2f2e025c4c4855e7466799a877b3e23d
>> >>>      actual:  272214b9518d352e16e7eeceeb22f573
>> >>
>> >
>> > Can you compare the contents of /path/to/file/foo/bar between the master
>> > and mirror, as of the last revision successfully synced to the mirror?
>> Yes, I had done that and yes, the last sync'd revs were intact and accurate.
>>
>
> So they are textually identical?
Yes.

> Can you compare their checksums to the two checksums in the error message?
I hadn't yet, but I can. What is being used to perform the sum (md5/sha1/???)?

>> > If you create a fresh mirror and svnsync it, from r0 to that revision,
>> > does the file /path/to/file/foo/bar in the fresh mirror differ from the
>> > one in the master?
>> No, a resync from r0 to current does not result in any differences.
>>
>
> Meaning, a fresh resync is successful and doesn't cause any error messages?
>
> Or meaning, it results in the same error messages as before?
>

Correct. A new/fresh resync from r0 (including the previously troubled
revision) to latest completes successfully with no errors. That
process was the last in my troubleshooting process and is how I worked
around the problem.

--

In my case, I do not believe it to be hardware related because I had
two r/o copies that exhibited the same behavior at the same rev at the
same time. That is, unless there was a hardware issue on the source
copy. Although possible, pretty unlikely.
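
The comparison Daniel asks for above can be scripted. This is an added example, not part of the original thread; it assumes the 32-hex-digit values in the error are MD5 digests, and the function names are hypothetical.

```python
import hashlib
import re

# Error text exactly as quoted in the thread.
THREAD_ERROR = """Transmitting file data .svnsync: Base checksum mismatch on
'/path/to/file/foo/bar':
   expected:  2f2e025c4c4855e7466799a877b3e23d
     actual:  272214b9518d352e16e7eeceeb22f573
"""

ERROR_RE = re.compile(
    r"Base checksum mismatch on\s+'(?P<path>[^']+)':\s*"
    r"expected:\s*(?P<expected>[0-9a-fA-F]{32})\s*"
    r"actual:\s*(?P<actual>[0-9a-fA-F]{32})"
)

def parse_mismatch(text):
    """Extract the path and both digests from an svnsync mismatch message."""
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("no 'Base checksum mismatch' message found")
    return {"path": m.group("path"),
            "expected": m.group("expected").lower(),
            "actual": m.group("actual").lower()}

def md5_hex(data):
    # Assumption: the 32-hex-digit values in the message are MD5 digests.
    return hashlib.md5(data).hexdigest()

def compare_sides(error_text, master_bytes, mirror_bytes):
    """Report which digest from the error (if any) each copy's content matches."""
    mm = parse_mismatch(error_text)
    report = {"path": mm["path"], "identical": master_bytes == mirror_bytes}
    for side, data in (("master", master_bytes), ("mirror", mirror_bytes)):
        digest = md5_hex(data)
        match = next((k for k in ("expected", "actual") if mm[k] == digest),
                     "neither")
        report[side] = (digest, match)
    return report
```

Feed it the raw file contents from `svnlook cat -r REV REPOS_PATH /path/to/file/foo/bar` run against the master and the mirror repository. Two identical copies that both report "neither" mean the mismatch was not computed over the text being compared.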


Re: locking down access to a repository

2010-11-09 Thread opensrcguru
On Tue, Nov 9, 2010 at 1:40 PM, Patricia A Moss  wrote:
>
> I've tried twice to reply to your first response.  I am not sure why it is 
> not posting.
> I am going to try again.
>
> >First, LDAP (authentication) is only 1/2 of the big picture. You will
> >still need to configure authorization on the repos themselves.
> I have done this already.  I have a separate configuration file for each 
> repository.  That looks like this:
> 
> dav svn
> SVNPath /disk01/home/RepositoryName
> AuthType Basic
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> Require valid-user
> Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
> Require ldap-user pmoss
> 
>
> I have defined the LDAP Aliases in the very first repository configuration 
> file; as such:
> 
>         AuthLDAPBindDN FCGNET\svnuser
>         AuthLDAPBindPassword x
>         AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> 
> 
>         AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
>         AuthLDAPBindPassword xxx
>         AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> 
>
> >Second, it's hard to help troubleshoot when you don't provide useful
> >information or a direct question. Was there something you needed help
> >with? I didn't see any questions other than "Can someone lend a hand in
> >figuring out what I have done wrong, or need to do?"
>
> I think that I have 2 separate issues:
> 1. I need to lock down access so that only the users in the associated AD 
> group have access to the repository.
> 2. I need to be able to allow just my user account access to the 
> repositories, without having to be added to all of the AD groups.
>
> Right now;
> All, valid, users can access all repositories, whether they are a member of 
> the Active Directory group or not.
> When I remove the "Require valid-user" line then no one, including the 
> members of the Active Directory group, can access the repository.
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
>
> From: opensrcguru 
> To: users@subversion.apache.org
> Date: 11/09/2010 02:12 PM
> Subject: Re: locking down access to a repository
> 
>
>
> On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss  wrote:
>
> I appreciate all of the help that I am receiving. I have still not been 
> successful in resolving this.
>
> I removed the line:
> Require valid-user
>
> I have tried using:
> ?samAccountName?sub?(objectClass=*)
> Instead of:
> ?samAccountName?sub?(objectCategory=person)
>
> That is the only difference I see in my config files and the examples in the 
> google hits. Yet I am still not successful in accessing the repository.
> I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because I 
> am really confused as to how to proceed.
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
> From: kmra...@rockwellcollins.com
> To: Patricia A Moss/USA/c...@csc
> Cc: users@subversion.apache.org
> Date: 11/09/2010 11:13 AM
> Subject: Re: locking down access to a repository
>
> 
>
>
> Patricia A Moss  wrote on 11/09/2010 09:41:42 AM:
>
> > From: Patricia A Moss 
> > To: kmra...@rockwellcollins.com
> > Cc: users@subversion.apache.org
> > Date: 11/09/2010 09:41 AM
> > Subject: Re: locking down access to a repository
> >
> >
> > >I don't think you want the "Require valid-user" line, since by
> > default it uses
> > >ANY of the Require lines as matches.  (And in your case valid-user
> > matches all
> > >users so it doesn't care you are also specifying a group and an user.)
> >
> > But if I remove that line then no one can access the repository.
>
> I think you also may need to be less specific with your ldapurl (remove the
> objectclass or use * ??):
> (Assuming active directory, this is like what I have used in the past)
>
>  AuthLDAPURL "ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName"
>  AuthLDAPGroupAttribute member
>  Require ldap-group ...
>
> It has been quite awhile since I used ldap groups instead of authz files...
>
> This first google hit has some examples:
>
> http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
>
> As does this one:
>
> http://ramblings.gibberishcod

Re: locking down access to a repository

2010-11-09 Thread opensrcguru
On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss  wrote:

>
> I appreciate all of the help that I am receiving. I have still not been
> successful in resolving this.
>
> I removed the line:
> Require valid-user
>
> I have tried using:
> ?samAccountName?sub?(objectClass=*)
> Instead of:
> ?samAccountName?sub?(objectCategory=person)
>
> That is the only difference I see in my config files and the examples in
> the google hits. Yet I am still not successful in accessing the repository.
> I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because
> I am really confused as to how to proceed.
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
>
> From: kmra...@rockwellcollins.com
> To: Patricia A Moss/USA/c...@csc
> Cc: users@subversion.apache.org
> Date: 11/09/2010 11:13 AM
> Subject: Re: locking down access to a repository
> --
>
>
>
> Patricia A Moss  wrote on 11/09/2010 09:41:42 AM:
>
> > From: Patricia A Moss 
> > To: kmra...@rockwellcollins.com
> > Cc: users@subversion.apache.org
> > Date: 11/09/2010 09:41 AM
> > Subject: Re: locking down access to a repository
> >
> >
> > >I don't think you want the "Require valid-user" line, since by
> > default it uses
> > >ANY of the Require lines as matches.  (And in your case valid-user
> > matches all
> > >users so it doesn't care you are also specifying a group and an user.)
> >
> > But if I remove that line then no one can access the repository.
>
> I think you also may need to be less specific with your ldapurl (remove the
> objectclass or use * ??):
> (Assuming active directory, this is like what I have used in the past)
>
>  AuthLDAPURL "ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName"
>  AuthLDAPGroupAttribute member
>  Require ldap-group ...
>
> It has been quite awhile since I used ldap groups instead of authz files...
>
> This first google hit has some examples:
>
> http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
>
> As does this one:
>
> http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36
>
> Kevin R.
>
>
Although this is probably better suited for the apache/mod_ldap list, I'll
attempt to help.

Do your domain controllers support unencrypted binds (very dangerous)?
Can you supply any apache/AD debug logs?
Can you supply versions of apache/mod_ldap?
Can you describe anything that is known to be working?


...this should be pretty straightforward to troubleshoot if you give us
some useful information to work with.

I speak without a full understanding of the list's user base, but I bet none
of them can or ever will be able to read the minds of the end user with a
problem (let alone know how their systems are configured). If there is such
a wonderful beasty, I'd be mighty interested in meeting them.



/OSG


Re: locking down access to a repository

2010-11-09 Thread opensrcguru
On Tue, Nov 9, 2010 at 7:12 AM, Patricia A Moss  wrote:
>
> I think this is the correct mailing list for this question.
>
> I am LDAP authenticating against 2 domain controllers; in 2 different
> locations.
> I thought that I was locking down each repository to allow only users,
> included in a specific AD group, to have read/write access to a repository.
> I say supposedly because apparently the second part is not working.  Right
> now, anyone can access any repository. Can someone lend a hand in figuring
> out what I have done wrong, or need to do?
> Here is what I have:
> I've configured my ldap aliases as follows:
> 
>         AuthLDAPBindDN FCGNET\svnuser
>         AuthLDAPBindPassword x
>         AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> 
> 
>         AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
>         AuthLDAPBindPassword xxx
>         AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> 
>
> Then in each, specific repository configuration file, I have the following:
> 
> dav svn
> SVNPath /disk01/home/FDCertifications
> AuthType Basic
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> Require valid-user
> Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
> Require ldap-user pmoss
> 
>
> I thought the "Require ldap-group" line locked access down to allow only the
> users in the group access to the repo.  That is not the case though.
> Everyone can access any repository; as long as they have an FCGNET account.
>
> I tried adding the AuthnProviderAlias lines to each config file, but I get
> an error because it only needs to be defined once.
> I tried removing the "Require valid-user" line; but that then doesn't allow
> any access.
> Have any clues what I am doing wrong?  Thanks.
>
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC


First, LDAP (authentication) is only 1/2 of the big picture. You will
still need to configure authorization on the repos themselves.

These may be of assistance in configuring authorization (depending on
your needs):
http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.httpd.authz
http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.pathbasedauthz

Second, it's hard to help troubleshoot when you don't provide useful
information or a direct question. Was there something you needed help
with? I didn't see any questions other than "Can someone lend a hand in
figuring out what I have done wrong, or need to do?"


kind regards,


OSG
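
The behaviour discussed in this thread (any one matching Require line grants access, so `Require valid-user` admits every authenticated user regardless of the group line) can be checked for mechanically. This is an added example, not part of the original messages; the `<Location>` wrapper and its path in the sample are assumptions, since the archive shows no section tags, and the function name is hypothetical.

```python
import re

# Constructed sample modelled on the per-repository block quoted in the thread;
# the <Location> wrapper and its path are assumptions.
SAMPLE_CONF = """\
<Location /svn/RepositoryName>
    DAV svn
    SVNPath /disk01/home/RepositoryName
    AuthType Basic
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthzLDAPAuthoritative off
    AuthName "CSC Subversion Repository"
    Require valid-user
    Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss
</Location>
"""

OPEN_RE = re.compile(r'^<(Location|Directory)(Match)?\s+"?([^">]+)"?>', re.I)
CLOSE_RE = re.compile(r"^</(Location|Directory)(Match)?>", re.I)
REQUIRE_RE = re.compile(r"^Require\s+\S+", re.I)

def shadowed_requires(conf_text):
    """Return [(section, [narrower Require lines])] for every section where
    'Require valid-user' sits beside narrower Require lines and so makes
    them ineffective as a restriction. Nested sections are not handled."""
    findings, section, requires = [], None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            section, requires = opened.group(3), []
        elif CLOSE_RE.match(line) and section is not None:
            kinds = [r.split()[1].lower() for r in requires]
            narrow = [r for r, k in zip(requires, kinds) if k != "valid-user"]
            if "valid-user" in kinds and narrow:
                findings.append((section, narrow))
            section = None
        elif section is not None and REQUIRE_RE.match(line):
            requires.append(line)
    return findings
```

A non-empty result only shows that the group restriction is being bypassed; it does not explain why access fails once `Require valid-user` is removed, which still needs the logs asked for in the thread.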


svnsync checksum error

2010-11-05 Thread opensrcguru
List,

I've got about 20 repos that have been successfully syncing (with
svnsync) to two read only copies for a few months. The r/w copy and
both r/o copies are located on a local LAN (different subnets
separated by firewalls).

Today, the sync process started failing on 1 repo (all others were
unaffected) on both r/o copies at the exact same time/same revision
with errors similar to the following...

Transmitting file data .svnsync: Base checksum mismatch on
'/path/to/file/foo/bar':
   expected:  2f2e025c4c4855e7466799a877b3e23d
     actual:  272214b9518d352e16e7eeceeb22f573

I successfully removed the uncommitted transactions (svnadmin rmtxns
reponame `svnadmin lstxns reponame`) and attempted the re-sync, to
no avail.

svnadmin verify returned no errors

I ended up re-creating the r/o repo and then re-syncing all 65k
commits to the repos (which takes a while...)

Software binaries from Collabnet:
r/w version = svn/svnsync, version 1.6.13 (r1002816)
r/o 1 version = svn/svnsync, version 1.6.13 (r1002816)
r/o 2 version = svn/svnsync, version 1.6.13 (r1002816)

Is there a better approach to resolving the issue?
Am I running into a known issue?


Any help/insight would be greatly appreciated.


OSG