On 8/16/2012 11:28 AM, Ben Johnson wrote: > > >> On 8/15/2012 7:45 AM, Rainer Jung wrote: >> You might be looking for the RequireAny and RequireAll container >> directives: >> >> http://httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall >> >> See also >> >> httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall >> >> and finally the How To >> >> http://httpd.apache.org/docs/2.4/en/howto/auth.html >> >> Regards, >> >> Rainer > > Thanks, Rainer! This is exactly what I was looking for: the ability to > implement complex authorization containers. > > That said, as I explained in my reply to Hugh (on this same subject), it > seems that the AuthzSVN module (and the directives defined in > AuthzSVNAccessFile) is taking precedence over Basic authorization > module. I found the following excerpt at > http://www.csparks.com/Subversion.xhtml : > > "The Satisfy Any directive tells Apache to allow access if either the > Allow directive is satisfied or one of the Auth modules is satified. The > "Allow from all" is always satisfied. But we have two Auth modules: > AuthzSVN and AuthDigest. In this case AuthzSVN will look into the > svnusers.conf file. If no user name is required for the requested > resource, no prompt for authentication will occur. But if a username is > required, the AuthDigest module will come into play and prompt for > credentials. The authorized name is allowed to do whatever the > AuthzSVNAccessFile permits." > > This statement seems consistent with the observed behavior. And it bears > mention that in my example directives (and those at the above-cited > resource), "require" directives come before the "AuthzSVNAccessFile" > directive, which seems to indicate that the order is irrelevant. > > Do you have any experience or advice in this regard? > > Basically, I am trying to determine how much of the access control > should be done in the <Location></Location> block and how much of it > should be done in the AuthzSVNAccessFile. My primary concern is that we > have dozens of SVN repositories and I don't want to have to define the > "[groups]" for every single repository when the groups are the same for > all of them.
I should add that I don't want to have to define every single repository, and permissions for their attendant paths, in the AuthzSVNAccessFile, either. > In fact, I would prefer to use a single AuthzSVNAccessFile that has some > very basic rules and handle all other aspects of access control in the > Location blocks in which each repository is defined. > > Does this make any sense at all? After more digging, I realize that I'm not the only one who has raised this issue: http://www.svnforum.org/threads/37237-AuthzSVNAccessFile-Require-ldap-group To quote "Tubaman": "However, it still seems a shame that the Require ldap-group directive cannot be usefully used to restrict valid users in conjunction with a more permissive AuthzSVNAccessFile (which knows nothing about the LDAP groups). Does anyone know if some sort of priority setting is planned for future releases that would enable this behaviour? Or is it actually a bug or feature that could be mentioned in the documentation?" This statement, and the lack of a response, confirms that it is not possible to implement meaningful authentication requirements, via the "Require" family of configuration directives, when at the same time using the AuthzSVNAccessFile directive. This fact is disappointing, but perfectly understandable, given the complexity of these systems. I just wanted to be sure that my request wasn't possible before accepting that there will be redundancy across numerous AuthzSVNAccessFile files. > Thanks again, > > -Ben --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
