Re: svnsync checksum error

2010-11-10 Thread opensrcguru
On Wed, Nov 10, 2010 at 10:49 AM, Daniel Shahaf d...@daniel.shahaf.name wrote:
 OSG wrote on Tue, Nov 09, 2010 at 20:58:53 -0600:
 On 11/09/2010 06:41 PM, Daniel Shahaf wrote:
  Edward Ned Harvey wrote on Sat, Nov 06, 2010 at 20:29:18 -0400:
  From: opensrcguru [mailto:opensrcg...@gmail.com]
 
  Today, the sync process started failing on 1 repo (all others were
  unaffected) on both r/o copies at the exact same time/same revision
  with errors similar to the following...
 
  Transmitting file data .svnsync: Base checksum mismatch on
  '/path/to/file/foo/bar':
     expected:  2f2e025c4c4855e7466799a877b3e23d
       actual:  272214b9518d352e16e7eeceeb22f573
 
 
  Can you compare the contents of /path/to/file/foo/bar between the master
  and mirror, as of the last revision successfully synced to the mirror?
 Yes, I had done that and yes, the last sync'd revs were intact and accurate.


 So they are textually identical?
Yes.

 Can you compare their checksums to the two checksums in the error message?
I hadn't yet, but I can. What is being used to perform the sum (md5/sha1/???)?

  If you create a fresh mirror and svnsync it, from r0 to that revision,
  does the file /path/to/file/foo/bar in the fresh mirror differ from the
  one in the master?
 No, a resync from r0 to current does not result in any differences.


 Meaning, a fresh resync is successful and doesn't cause any error messages?

 Or meaning, it results in the same error messages as before?


Correct. A new/fresh resync from r0 (including the previously troubled
revision) to latest completes successfully with no errors. That
process was the last in my troubleshooting process and is how I worked
around the problem.

--

In my case, I do not believe it to be hardware related because I had
two r/o copies that exhibited the same behavior at the same rev at the
same time. That is, unless there was a hardware issue on the source
copy. Although possible, pretty unlikely.
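
The comparison Daniel asks for above, as an added example that is not part of the original thread: the reported checksums are 32 hex digits, the length of an MD5 digest, so each copy of the file can be hashed and matched against the two values in the error message. The function names and the sample bytes are constructed for illustration; `svn_cat` assumes the `svn` client is installed and the repository URL is reachable.

```python
import hashlib
import subprocess

# Hex length of a digest tells you which algorithm produced it.
DIGEST_BY_HEX_LEN = {32: "md5", 40: "sha1"}

def digest_kind(hex_digest):
    """Guess the hash algorithm from the length of a reported checksum."""
    return DIGEST_BY_HEX_LEN.get(len(hex_digest.strip()), "unknown")

def svn_cat(url, rev):
    """Fetch a file's full text at one revision (needs svn and network access)."""
    return subprocess.run(["svn", "cat", "-r", str(rev), url],
                          check=True, capture_output=True).stdout

def classify(content, expected, actual):
    """Say which reported checksum, if any, this copy of the file hashes to."""
    algo = digest_kind(expected)
    if algo == "unknown" or digest_kind(actual) != algo:
        raise ValueError("unrecognised or inconsistent checksum lengths")
    got = hashlib.new(algo, content).hexdigest()
    if got == expected.strip().lower():
        return "expected"
    if got == actual.strip().lower():
        return "actual"
    return "neither"

def compare_copies(master, mirror, expected, actual):
    """Classify the master and mirror copies against the error message."""
    return {"master": classify(master, expected, actual),
            "mirror": classify(mirror, expected, actual)}

# Constructed sample: two copies that differ only in line endings.
MASTER = b"line one\nline two\n"
MIRROR = b"line one\r\nline two\r\n"
DEMO_EXPECTED = hashlib.md5(MASTER).hexdigest()
DEMO_ACTUAL = hashlib.md5(MIRROR).hexdigest()

if __name__ == "__main__":
    print(digest_kind("2f2e025c4c4855e7466799a877b3e23d"))
    print(compare_copies(MASTER, MIRROR, DEMO_EXPECTED, DEMO_ACTUAL))
```

In real use, pass `svn_cat(master_url, rev)` and `svn_cat(mirror_url, rev)` for the last revision that synced successfully, together with the two values from the error message.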


Re: locking down access to a repository

2010-11-09 Thread opensrcguru
On Tue, Nov 9, 2010 at 7:12 AM, Patricia A Moss pmo...@csc.com wrote:

 I think this is the correct mailing list for this question.

 I am LDAP authenticating against 2 domain controllers; in 2 different
 locations.
 I thought that I was locking down each repository to allow only users,
 included in a specific AD group, to have read/write access to a repository.
 I say supposedly because apparently the second part is not working.  Right
 now, anyone can access any repository. Can someone lend a hand in figuring
 out what I have done wrong, or need to do?
 Here is what I have:
 I've configured my ldap aliases as follows:
 <AuthnProviderAlias ldap ldap-FCGNET>
         AuthLDAPBindDN FCGNET\svnuser
         AuthLDAPBindPassword x
         AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
 </AuthnProviderAlias>
 <AuthnProviderAlias ldap ldap-VIET>
         AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
         AuthLDAPBindPassword xxx
         AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
 </AuthnProviderAlias>

 Then in each specific repository configuration file, I have the following:
 <Location /FDCertifications>
 dav svn
 SVNPath /disk01/home/FDCertifications
 AuthType Basic
 AuthBasicProvider ldap-FCGNET ldap-VIET
 AuthzLDAPAuthoritative off
 AuthName "CSC Subversion Repository"
 Require valid-user
 Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
 Require ldap-user pmoss
 </Location>

 I thought the Require ldap-group line locked access down to allow only the
 users in the group access to the repo.  That is not the case though.
 Everyone can access any repository; as long as they have an FCGNET account.

 I tried adding the AuthnProviderAlias lines to each config file, but I get
 an error because it only needs to be defined once.
 I tried removing the Require valid-user line; but that then doesn't allow
 any access.
 Have any clues what I am doing wrong?  Thanks.



 PATI MOSS
 System Engineer Sr. Professional
 CSC


First, LDAP (authentication) is only 1/2 of the big picture. You will
still need to configure authorization on the repos themselves.

These may be of assistance in configuring authorization (depending on
your needs):
http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.httpd.authz
http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.pathbasedauthz

Second, it's hard to help troubleshoot when you don't provide useful
information or a direct question. Was there something you needed help
with? I didn't see any questions other than "Can someone lend a hand in
figuring out what I have done wrong, or need to do?"


kind regards,


OSG


Re: locking down access to a repository

2010-11-09 Thread opensrcguru
On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss pmo...@csc.com wrote:


 I appreciate all of the help that I am receiving. I have still not been
 successful in resolving this.

 I removed the line:
 Require valid-user

 I have tried using:
 ?samAccountName?sub?(objectClass=*)
 Instead of:
 ?samAccountName?sub?(objectCategory=person)

 That is the only difference I see in my config files and the examples in
 the google hits. Yet I am still not successful in accessing the repository.
 I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because
 I am really confused as to how to proceed.


 PATI MOSS
 System Engineer Sr. Professional
 CSC


 From: kmra...@rockwellcollins.com
 To: Patricia A Moss/USA/c...@csc
 Cc: users@subversion.apache.org
 Date: 11/09/2010 11:13 AM
 Subject: Re: locking down access to a repository
 --



 Patricia A Moss pmo...@csc.com wrote on 11/09/2010 09:41:42 AM:

  From: Patricia A Moss pmo...@csc.com
  To: kmra...@rockwellcollins.com
  Cc: users@subversion.apache.org
  Date: 11/09/2010 09:41 AM
  Subject: Re: locking down access to a repository
 
 
  I don't think you want the Require valid-user line, since by default it
  uses ANY of the Require lines as matches.  (And in your case valid-user
  matches all users so it doesn't care you are also specifying a group and
  an user.)
 
  But if I remove that line then no one can access the repository.

 I think you also may need to be less specific with your ldapurl (remove the
 objectclass or use * ??):
 (Assuming active directory, this is like what I have used in the past)

  AuthLDAPURL ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName
  AuthLDAPGroupAttribute member
  Require ldap-group ...

 It has been quite awhile since I used ldap groups instead of authz files...

 This first google hit has some examples:
 http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication

 As does this one:
 http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36

 Kevin R.


Although this is probably better suited for the apache/mod_ldap list, I'll
attempt to help.

Do your domain controllers support unencrypted binds (very dangerous)?
Can you supply any apache/AD debug logs?
Can you supply versions of apache/mod_ldap?
Can you describe anything that is known to be working?


...this should be pretty straightforward to troubleshoot if you give us
some useful information to work with.

I speak without a full understanding of the list's user base, but I bet none
of them can or ever will be able to read the minds of the end user with a
problem (let alone know how their systems are configured). If there is such
a wonderful beasty, I'd be mighty interested in meeting them.



/OSG
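
The behaviour Kevin R. describes above (any one matching Require line is enough, so Require valid-user makes the group and user lines irrelevant) can be checked for mechanically. The following is an added example, not code from the thread or from Apache: a small Python check that flags `<Location>` blocks where `Require valid-user` sits beside narrower Require lines. The function name and the sample text are constructed for illustration, and it assumes Require lines are not wrapped in containers such as `<RequireAll>`.

```python
import re

# Constructed sample modelled on the per-repository file quoted in the thread.
SAMPLE_CONF = """\
<Location /FDCertifications>
  DAV svn
  SVNPath /disk01/home/FDCertifications
  AuthType Basic
  AuthBasicProvider ldap-FCGNET ldap-VIET
  Require valid-user
  Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
  Require ldap-user pmoss
</Location>
<Location /Other>
  DAV svn
  Require ldap-group CN=Other,OU=Groups,DC=example,DC=com
</Location>
"""

OPEN = re.compile(r"^\s*<Location\s+([^>]+)>", re.I)
CLOSE = re.compile(r"^\s*</Location>", re.I)
REQUIRE = re.compile(r"^\s*Require\s+(\S+)\s*(.*)$", re.I)

def shadowed_requires(conf_text):
    """Map each Location to the Require lines that valid-user makes moot."""
    findings, current, requires = {}, None, []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):        # skip comment lines
            continue
        opened = OPEN.match(line)
        if opened:
            current, requires = opened.group(1).strip().strip('"'), []
            continue
        if CLOSE.match(line) and current is not None:
            narrow = [f"Require {kind} {arg}".strip()
                      for kind, arg in requires if kind.lower() != "valid-user"]
            # valid-user admits every authenticated user, so the rest never decide.
            if narrow and len(narrow) < len(requires):
                findings[current] = narrow
            current = None
            continue
        req = REQUIRE.match(line)
        if req and current is not None:
            requires.append((req.group(1), req.group(2).strip()))
    return findings

if __name__ == "__main__":
    for location, lines in shadowed_requires(SAMPLE_CONF).items():
        print(location, "->", lines)
```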


Re: locking down access to a repository

2010-11-09 Thread opensrcguru
On Tue, Nov 9, 2010 at 1:40 PM, Patricia A Moss pmo...@csc.com wrote:

 I've tried twice to reply to your first response.  I am not sure why it is 
 not posting.
 I am going to try again.

 First, LDAP (authentication) is only 1/2 of the big picture. You will
 still need to configure authorization on the repos themselves.
 I have done this already.  I have a separate configuration file for each 
 repository.  That looks like this:
 <Location /RepositoryName>
 dav svn
 SVNPath /disk01/home/RepositoryName
 AuthType Basic
 AuthBasicProvider ldap-FCGNET ldap-VIET
 AuthzLDAPAuthoritative off
 AuthName "CSC Subversion Repository"
 Require valid-user
 Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
 Require ldap-user pmoss
 </Location>

 I have defined the LDAP Aliases in the very first repository configuration 
 file; as such:
 <AuthnProviderAlias ldap ldap-FCGNET>
         AuthLDAPBindDN FCGNET\svnuser
         AuthLDAPBindPassword x
         AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
 </AuthnProviderAlias>
 <AuthnProviderAlias ldap ldap-VIET>
         AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
         AuthLDAPBindPassword xxx
         AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
 </AuthnProviderAlias>

 Second, it's hard to help troubleshoot when you don't provide useful
 information or a direct question. Was there something you needed help
 with? I didn't see any questions other than "Can someone lend a hand in
 figuring out what I have done wrong, or need to do?"

 I think that I have 2 separate issues:
 1. I need to lock down access so that only the users in the associated AD 
 group have access to the repository.
 2. I need to be able to allow just my user account access to the 
 repositories, without having to be added to all of the AD groups.

 Right now;
 All, valid, users can access all repositories, whether they are a member of 
 the Active Directory group or not.
 When I remove the Require valid-user line then no one, including the 
 members of the Active Directory group, can access the repository.


 PATI MOSS
 System Engineer Sr. Professional
 CSC


 From: opensrcguru opensrcg...@gmail.com
 To: users@subversion.apache.org
 Date: 11/09/2010 02:12 PM
 Subject: Re: locking down access to a repository
 


 On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss pmo...@csc.com wrote:

 I appreciate all of the help that I am receiving. I have still not been 
 successful in resolving this.

 I removed the line:
 Require valid-user

 I have tried using:
 ?samAccountName?sub?(objectClass=*)
 Instead of:
 ?samAccountName?sub?(objectCategory=person)

 That is the only difference I see in my config files and the examples in the 
 google hits. Yet I am still not successful in accessing the repository.
 I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because I 
 am really confused as to how to proceed.


 PATI MOSS
 System Engineer Sr. Professional
 CSC

 From: kmra...@rockwellcollins.com
 To: Patricia A Moss/USA/c...@csc
 Cc: users@subversion.apache.org
 Date: 11/09/2010 11:13 AM
 Subject: Re: locking down access to a repository

 


 Patricia A Moss pmo...@csc.com wrote on 11/09/2010 09:41:42 AM:

  From: Patricia A Moss pmo...@csc.com
  To: kmra...@rockwellcollins.com
  Cc: users@subversion.apache.org
  Date: 11/09/2010 09:41 AM
  Subject: Re: locking down access to a repository
 
 
  I don't think you want the Require valid-user line, since by default it
  uses ANY of the Require lines as matches.  (And in your case valid-user
  matches all users so it doesn't care you are also specifying a group and
  an user.)
 
  But if I remove that line then no one can access the repository.

 I think you also may need to be less specific with your ldapurl (remove the
 objectclass or use * ??):
 (Assuming active directory, this is like what I have used in the past)

  AuthLDAPURL ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName
  AuthLDAPGroupAttribute member
  Require ldap-group ...

 It has been quite awhile since I used ldap groups instead of authz files...

 This first google hit has some examples:

 http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication

 As does this one:

 http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36

 Kevin R.


 Although this is probably better suited for the apache/mod_ldap list, I'll 
 attempt to help.

 Do your domain controllers support unencrypted binds (very dangerous)?
 Can you supply any apache/AD debug logs?
 Can you supply versions of apache/mod_ldap?
 Can you describe anything that is known to be working?


 ...this should be pretty straightforward to troubleshoot if you give us some
 useful information to work with.

 I

svnsync checksum error

2010-11-05 Thread opensrcguru
List,

I've got about 20 repos that have been successfully syncing (with
svnsync) to two read only copies for a few months. The r/w copy and
both r/o copies are located on a local LAN (different subnets
separated by firewalls).

Today, the sync process started failing on 1 repo (all others were
unaffected) on both r/o copies at the exact same time/same revision
with errors similar to the following...

Transmitting file data .svnsync: Base checksum mismatch on
'/path/to/file/foo/bar':
   expected:  2f2e025c4c4855e7466799a877b3e23d
 actual:  272214b9518d352e16e7eeceeb22f573

I successfully removed the uncommitted transactions (svnadmin rmtxns
reponame `svnadmin lstxns reponame`) and attempted the re-sync, to
no avail.

svnadmin verify returned no errors.

I ended up re-creating the r/o repo and then re-syncing all 65k
commits to the repos (which takes a while...)

Software binaries from Collabnet:
r/w version = svn/svnsync, version 1.6.13 (r1002816)
r/o 1 version = svn/svnsync, version 1.6.13 (r1002816)
r/o 2 version = svn/svnsync, version 1.6.13 (r1002816)

Is there a better approach to resolving the issue?
Am I running into a known issue?


Any help/insight would be greatly appreciated.


OSG