On 10/10/2010 22:17, Nico Kadel-Garcia wrote:
On Sat, Oct 9, 2010 at 3:05 PM, jehan procaccia<jehanpr...@gmail.com> wrote:
On 09/10/2010 20:40, Nico Kadel-Garcia wrote:
svn+ssh is the most secure, but it conflicts with your desire for LDAP
access. The SSH keys normally live under a single user's account, the
user who owns the repository, who should have a locked password. You
see why this conflicts with LDAP based user information and logins?
No, I don't see why it conflicts?
Here's my scenario again:
1) I set up and manage all repositories with a unique local unix account (for
example, username svn!); that account issues all "svn create" commands and owns the
repository filesystem directories.
2) Enable the server to resolve LDAP users (pam & nss ldap), so that the
--tunnel-user=ldapusername option (see 3 below) works.
Right, all LDAP based. So far, so good; this can be woven into the
HTTPS access or, conceivably, into the svnserve based access, although
I've never seen it done.
No, I don't want to use only HTTPS. If it's served only by HTTPS then I
must use svn+https URLs, and I run into the problem of re-entering the
LDAP password at each svn command (back to the "rant" of this weekend
;-) ...).
I want to stick with svn+ssh just because that will allow my clients to
use svn without re-authenticating at each command.
As long as their key is in the unique svn manager's authorized_keys file,
users won't have to enter a password.
I need LDAP (nss+pam) on the svn server though, to enable the system to
resolve ldapusername for the
--tunnel-user=ldapusername
option of the "svnserve" command, so that authz does resolve the username and
hence restricts access to users allowed to a specific repository.
3) Then add the LDAP users' public ssh keys to the ~/.ssh/authorized_keys of that
unique svn manager account, as in:
command="svnserve -t --tunnel-user=ldapusername" ssh-rsa KEYXXXXX...
COMMENT
The sysadmin (me) will have to find a way to push the LDAP users' public keys to
that unique svn manager (script/CGI ...).
This is an entirely distinct access technology. It contains not a
single fleck of LDAP in it, except perhaps to publish the user
account information for the "svn manager account".
This is svn+ssh; in the svn manager's authorized_keys file I will have, for
each of my ldapusernames, a line:
command="svnserve -t --tunnel-user=ldapusername" ssh-rsa KEYXXXXX...
which will start an svnserve process on the server for that specific LDAP user
(owner of the private key matching that public key), and hence allow authz
access to his repo.
Anything wrong in that scenario?
Wrong, no, just confused. Steps 1 and 2 have nothing to do with step 3
and can be entirely discarded.
I think you misunderstood my scenario; here step 3 follows
steps 1 & 2 because I chose svn+ssh!
Regards.
PS: I'll have to test all this though ... I just wanted to be reassured
that the scenario is not foolish?
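The thread discusses pushing one forced-command line per LDAP user into the svn manager's authorized_keys. The script below is an added example, not code from either poster: it builds such a line (with the usual no-pty/no-forwarding restrictions on top of the thread's command="svnserve -t --tunnel-user=..." pattern) and audits an existing authorized_keys file for keys that are not pinned to svnserve. The sample keys and usernames are constructed placeholders.

```python
import re

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Restrictions worth adding to a forced-command key so it only runs svnserve.
RESTRICTIONS = ("no-port-forwarding", "no-X11-forwarding",
                "no-agent-forwarding", "no-pty")
# Tunnel user goes straight into the command string, so keep it a plain username.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_line(ldapuser, pubkey):
    """Return the authorized_keys line that maps this public key to one LDAP user."""
    if not USERNAME_RE.match(ldapuser):
        raise ValueError("refusing to embed username %r in a forced command" % ldapuser)
    parts = pubkey.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not a public key line")
    opts = 'command="svnserve -t --tunnel-user=%s",%s' % (ldapuser, ",".join(RESTRICTIONS))
    return "%s %s %s %s" % (opts, parts[0], parts[1], ldapuser)


def split_options(line):
    """Split a line into (options, rest); the options field may hold quoted spaces/commas."""
    if line.split()[0] in KEY_TYPES:
        return "", line
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch in " \t" and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def audit(text):
    """Return (line_no, problem) for every key not locked to svnserve with restrictions."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _ = split_options(line)
        m = re.search(r'command="svnserve -t --tunnel-user=([^" ]+)"', opts)
        if not m:
            problems.append((n, "no forced svnserve command"))
            continue
        if not USERNAME_RE.match(m.group(1)):
            problems.append((n, "suspicious tunnel user"))
        problems.extend((n, "missing " + r) for r in RESTRICTIONS if r not in opts)
    return problems


# Constructed sample file: one well-formed line, one without restrictions, one unpinned key.
SAMPLE = "\n".join([
    build_line("alice", "ssh-ed25519 AAAAC3example alice@laptop"),
    'command="svnserve -t --tunnel-user=bob" ssh-rsa AAAAB3example bob',
    "ssh-rsa AAAAB3example carol",
])
```

Running audit() over the real ~/.ssh/authorized_keys of the svn manager account is a quick check that no key in that file grants a plain shell instead of svnserve.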