On Thu, Jul 29, 2010 at 8:51 AM, Nils Wilhelm <mur...@planet-of-art.de> wrote:
> Hi there,
>
> I need your help getting an overview and configuring a subversion server.
> What I have to do is setting up a subversion server using ldap and ssh.
> After reading some theory about it I'm totally confused :-) So I hope you
> can help me with that.
>
> What I have: A suse server with a working ssh connection, nothing else, i.e.
> all other ports are closed.
>
> What my boss wants: The server should be accessed using ssh because of
> security issues and the authentication (for subversion) should be managed by
> ldap (other apps will use ldap as well). Svnserve should be used instead of an
> apache webserver extension. Round about 20 persons should have access to
> subversion but should not be able to open a ssh shell connection to the
> server. Is that possible? I hope anybody can give me an overview.
>
> Best regards
>
> Nils

Don't use LDAP. One problem is that it will allow multiple users filesystem access to the Subversion repository, and *SOMEONE* is likely to screw it up for everyone else by trying to manually edit something in the repository in a large environment with multiple developers.

Also, remember that the UNIX and Linux clients will save passwords in clear text by default in the user's home directory. That makes your LDAP passwords vulnerable to anyone who can access home directories or backup tapes. This is a longstanding vulnerability, and there is no fix. (Subversion 1.6 does warn you before saving them, which is polite, but will still save them, which is bad.)

There are reasons the 'svn+ssh' approach channels all connections through a single authorized repository owner, and uses the SSH authorized_keys set to configure the svnserve command and to set the user for committing changes; it's described in detail in the Subversion Red Book. The missing component for this approach is a tool to manage the SSH keys. If anyone has such a tool, or better a management GUI to manage such keys, please publish it.
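
The authorized_keys arrangement described in the reply above, as an added example that is not part of the original thread: a small Python generator that turns a user-to-public-key mapping into entries that force `svnserve -t --tunnel-user=NAME` and deny a terminal and forwarding. The repository root, user names and sample keys are constructed assumptions.

```python
import base64
import re

REPO_ROOT = "/srv/svn/repos"  # assumption: repository root, not from the thread
USER_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}
# sshd options that deny a terminal and all forwarding for this key
RESTRICT = "no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"


def parse_pubkey(line):
    """Return (type, base64 blob) of a one-line OpenSSH public key."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unsupported or malformed key")
    blob = base64.b64decode(parts[1], validate=True)  # raises ValueError on junk
    # The blob begins with a length-prefixed copy of the key type.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type does not match key blob")
    return parts[0], parts[1]


def authorized_keys_entry(user, pubkey_line):
    """One authorized_keys line: forced svnserve tunnel, commits recorded as `user`."""
    # fullmatch rejects quotes, spaces and newlines that could alter the options
    if not USER_RE.fullmatch(user):
        raise ValueError(f"bad user name: {user!r}")
    ktype, blob = parse_pubkey(pubkey_line)
    command = f'command="svnserve -t --tunnel-user={user} -r {REPO_ROOT}"'
    # The key's own comment is dropped and replaced by the validated user name.
    return f"{command},{RESTRICT} {ktype} {blob} {user}"


def build_authorized_keys(users):
    """users maps name -> public key line; returns the whole file as text."""
    return "".join(authorized_keys_entry(u, k) + "\n" for u, k in sorted(users.items()))


def constructed_key(seed):
    """Constructed sample key (structurally valid ssh-ed25519 blob, not a real key)."""
    name = b"ssh-ed25519"
    raw = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(raw).decode() + " laptop"


if __name__ == "__main__":
    print(build_authorized_keys({"alice": constructed_key(1), "bob": constructed_key(2)}), end="")
```

The output is meant for the `~/.ssh/authorized_keys` file of the single repository owner account; regenerating the file from the mapping is how a key is added or revoked.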