I don't know if I replied correctly the first time:

>First. LDAP (authentication) is only 1/2 of the big picture. You will
>still need to configure authorization on the repos themselves.

I have done that. Each repo has its own configuration file. That is this portion:

<Location /repository_name>
  dav svn
  SVNPath /disk01/home/repository_name
  AuthType Basic
  AuthBasicProvider ldap-FCGNET ldap-VIET
  AuthzLDAPAuthoritative off
  AuthName "CSC Subversion Repository"
  Require valid-user
  Require ldap-group CN=AD Goup Name,OU=Europe,OU=Groups,DC=fcg,DC=com
  Require ldap-user pmoss
</Location>

>Second, It's hard to help troubleshoot when you don't provide useful
>information or a direct question. Was there something you needed help
>with? I didn't see any questions other than "Can someone lend a hand in
>figuring out what I have done wrong, or need to do?"

1. I need to be able to lock down each repository to allow only the users, within the associated AD group, to have access to the repository.
2. At the same time I need to be able to allow my, single, user account access to the repositories, without having to be added to every AD group.

I have not done that successfully. Right now all users can access all repositories.

What I have tried so far:

I thought the "Require ldap-group" line locked access down to allow only the users in the group access to the repo. That is not the case.

I tried adding the AuthnProviderAlias lines to each config file, but I get an error because it only needs to be defined once. So, I added the lines to the very first repository configuration file.

I tried removing the "Require valid-user" line; but that then doesn't allow any access at all.

PATI MOSS
System Engineer Sr. Professional
CSC
575 E. Swedesford Road, Suite 300, Wayne, PA 19464
GIS | p: 610.989.7105 | f: 610.989.7100 | pmo...@csc.com | www.csc.com

This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery.
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.

From: opensrcguru <opensrcg...@gmail.com>
To: Patricia A Moss/USA/c...@csc
Date: 11/09/2010 09:22 AM
Subject: Re: locking down access to a repository

On Tue, Nov 9, 2010 at 7:12 AM, Patricia A Moss <pmo...@csc.com> wrote:
>
> I think this is the correct mailing list for this question.
>
> I am LDAP authenticating against 2 domain controllers; in 2 different
> locations.
> I thought that I was locking down each repository to allow only users,
> included in a specific AD group, to have read/write access to a repository.
> I say supposedly because apparently the second part is not working. Right
> now, anyone can access any repository. Can someone lend a hand in figuring
> out what I have done wrong, or need to do?
> Here is what I have:
> I've configured my ldap aliases as follows:
> <AuthnProviderAlias ldap ldap-FCGNET>
>   AuthLDAPBindDN FCGNET\svnuser
>   AuthLDAPBindPassword xxxxxxxxx
>   AuthLDAPURL ldap://xxxxxx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
> <AuthnProviderAlias ldap ldap-VIET>
>   AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
>   AuthLDAPBindPassword xxxxxxxxxxx
>   AuthLDAPURL ldap://xxxxx.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
>
> Then in each, specific repository configuration file, I have the following:
> <Location /FDCertifications>
>   dav svn
>   SVNPath /disk01/home/FDCertifications
>   AuthType Basic
>   AuthBasicProvider ldap-FCGNET ldap-VIET
>   AuthzLDAPAuthoritative off
>   AuthName "CSC Subversion Repository"
>   Require valid-user
>   Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
>   Require ldap-user pmoss
> </Location>
>
> I thought the "Require ldap-group" line locked access down to allow only the
> users in the group access to the repo. That is not the case though.
> Everyone can access any repository; as long as they have an FCGNET account.
>
> I tried adding the AuthnProviderAlias lines to each config file, but I get
> an error because it only needs to be defined once.
> I tried removing the "Require valid-user" line; but that then doesn't allow
> any access.
> Have any clues what I am doing wrong? Thanks.
>
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC

First. LDAP (authentication) is only 1/2 of the big picture. You will still need to configure authorization on the repos themselves.

These may be of assistance in configuring authorization (depending on your needs):

http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.httpd.authz
http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.pathbasedauthz

Second, It's hard to help troubleshoot when you don't provide useful information or a direct question. Was there something you needed help with? I didn't see any questions other than "Can someone lend a hand in figuring out what I have done wrong, or need to do?"

kind regards,
OSG
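
Apache treats several Require lines in one section as alternatives, so the "Require valid-user" line in the <Location> block quoted above is enough on its own to admit any authenticated account. The following is an added example, not code from the thread or from either poster: it scans configuration text for that pattern. The sample input is constructed from the quoted block; /ExampleRepo and its group name are hypothetical.

```python
import re

# Constructed sample: the <Location> block quoted in the thread, plus a
# second block (hypothetical repository and group) without the catch-all line.
SAMPLE_CONF = """\
<Location /FDCertifications>
  dav svn
  SVNPath /disk01/home/FDCertifications
  AuthType Basic
  AuthBasicProvider ldap-FCGNET ldap-VIET
  AuthzLDAPAuthoritative off
  AuthName "CSC Subversion Repository"
  Require valid-user
  Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
  Require ldap-user pmoss
</Location>
<Location /ExampleRepo>
  dav svn
  SVNPath /disk01/home/ExampleRepo
  Require ldap-group CN=PRJ Example,OU=Europe,OU=Groups,DC=fcg,DC=com
  Require ldap-user pmoss
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S | re.I)
# Commented-out lines ("# Require ...") do not match because of the ^\s* anchor.
REQUIRE_RE = re.compile(r"^\s*Require\s+(\S+)(.*)$", re.M | re.I)


def audit_requires(conf_text):
    """Return {location: [Require lines made moot by 'Require valid-user']}."""
    findings = {}
    for path, body in LOCATION_RE.findall(conf_text):
        requires = [(k.lower(), rest.strip()) for k, rest in REQUIRE_RE.findall(body)]
        if any(kind == "valid-user" for kind, _ in requires):
            shadowed = [f"{k} {r}" for k, r in requires if k != "valid-user"]
            if shadowed:  # a narrower rule exists but cannot restrict anything
                findings[path] = shadowed
    return findings


if __name__ == "__main__":
    for path, shadowed in audit_requires(SAMPLE_CONF).items():
        print(f"{path}: 'Require valid-user' admits every authenticated user")
        for line in shadowed:
            print(f"    no restricting effect: Require {line}")
```
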