> But if I remove that line then no one can access the repository
 
Most likely because something else in the configuration isn't quite right...  I 
would suggest setting things up and testing with one LDAP server at a time to 
verify the configuration of each before trying to combine them.
 
<Location /svn>
  AuthName "Subversion Server"
  AuthType Basic
  AuthBasicAuthoritative On
  AuthBasicProvider ldap

  # If ldap checks are used with non-ldap ("valid-user"), set this to off
  AuthzLDAPAuthoritative off
  AuthLDAPURL ldaps://gc.company.com:3269/DC=domain,DC=comp,DC=company,DC=com?sAMAccountName?sub?(objectCategory=user)
  AuthLDAPBindDN CN=ADMIN,OU=Users,DC=domain,DC=comp,DC=company,DC=com
  AuthLDAPBindPassword pa$$w0rd
</Location>

<Location /svn/bu/repo1>
  DAV svn
  SVNPath /Repositories/bu/repo1
  SVNPathAuthz off
  #1 The following users/groups will have read-write permission
  Require ldap-group CN=REPO1_USERS,OU=Groups,DC=domain,DC=comp,DC=company,DC=com
  Require ldap-group CN=Admins,OU=Groups,DC=domain,DC=comp,DC=company,DC=com
  Require ldap-user someid

  # Methods not listed in the Limit below are governed only by the Require lines above
  <Limit GET PROPFIND OPTIONS REPORT>
    #2 For any read-only operation, allow these additional users/groups
    Require valid-user
  </Limit>
</Location>
 

I know this works. After the "#1" line, add "Require" directives for all the 
groups/users that should have read-write access.  After the "#2" line, add any 
"Require" directives for any groups/users that should also have read-only 
access.  In this example, "Require valid-user" is used to mean that any 
authenticated user has read-only access to the repository.
The first Location block must come first; repeat the second Location block as 
many times as necessary for each repository.
 

________________________________

From: Patricia A Moss [mailto:pmo...@csc.com] 
Sent: Tuesday, November 09, 2010 9:42 AM
To: kmra...@rockwellcollins.com
Cc: users@subversion.apache.org
Subject: Re: locking down access to a repository



>I don't think you want the "Require valid-user" line, since by default it uses 
>ANY of the Require lines as matches.  (And in your case valid-user matches all 
>users so it doesn't care you are also specifying a group and a user.) 

But if I remove that line then no one can access the repository. 


PATI MOSS
System Engineer Sr. Professional
CSC





From:   kmra...@rockwellcollins.com 
To:     Patricia A Moss/USA/c...@csc 
Cc:     users@subversion.apache.org 
Date:   11/09/2010 10:38 AM 
Subject:        Re: locking down access to a repository

________________________________




Stefan Sperling <s...@elego.de> wrote on 11/09/2010 08:34:37 AM:
> > I've configured my ldap aliases as follows:
> > <AuthnProviderAlias ldap ldap-FCGNET>
> >         AuthLDAPBindDN FCGNET\svnuser
> >         AuthLDAPBindPassword xxxxxxxxx
> >         AuthLDAPURL ldap://xxxxxx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> > </AuthnProviderAlias>
> > <AuthnProviderAlias ldap ldap-VIET>
> >         AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
> >         AuthLDAPBindPassword xxxxxxxxxxx
> >         AuthLDAPURL ldap://xxxxx.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> > </AuthnProviderAlias>
> > 
> > Then in each specific repository configuration file, I have the 
> > following:
> > <Location /FDCertifications>
> > dav svn
> > SVNPath /disk01/home/FDCertifications
> > AuthType Basic
> > AuthBasicProvider ldap-FCGNET ldap-VIET
> > AuthzLDAPAuthoritative off
> > AuthName "CSC Subversion Repository"
> > Require valid-user
> > Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
> > Require ldap-user pmoss
> > </Location>

I don't think you want the "Require valid-user" line, since by default it uses 
ANY of the Require lines as matches.  (And in your case valid-user matches all 
users so it doesn't care you are also specifying a group and a user.) 

Kevin R. 
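Kevin's point just above (Apache treats every "Require" line in a scope as an alternative, so "Require valid-user" next to a group line lets every authenticated user through) and his two-block layout earlier in the thread (read-write rules in the Location, read-only rules inside a <Limit>) can be checked with a small model of those rules. This is an added example, not code from the thread or from Apache or Subversion: it simulates the 2.2-era "any Require matches" rule and <Limit> method scoping over a constructed group-membership table with made-up users (alice, bob, carol, someid, dave); the group DNs are the ones from Kevin's example config.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# The read-only methods Kevin lists in his <Limit> block.
READ_METHODS = frozenset({"GET", "PROPFIND", "OPTIONS", "REPORT"})

# Group DNs from Kevin's example config.
REPO1_USERS = "CN=REPO1_USERS,OU=Groups,DC=domain,DC=comp,DC=company,DC=com"
ADMINS = "CN=Admins,OU=Groups,DC=domain,DC=comp,DC=company,DC=com"

# Constructed group-membership table standing in for the LDAP directory.
GROUPS: Dict[str, Set[str]] = {
    REPO1_USERS: {"alice", "bob"},
    ADMINS: {"carol"},
}


@dataclass
class Scope:
    """Require lines of one <Location>, plus nested <Limit> blocks as (method set, scope)."""
    requires: List[str] = field(default_factory=list)
    limits: List[Tuple[FrozenSet[str], "Scope"]] = field(default_factory=list)


def require_matches(require: str, user: Optional[str]) -> bool:
    """Evaluate one Require line for an authenticated user (None = no credentials)."""
    if user is None:
        return False  # nothing matches an unauthenticated request; Apache answers 401
    kind, _, arg = require.partition(" ")
    if kind == "valid-user":
        return True  # any authenticated user, which is why it overrides the group lines
    if kind == "ldap-user":
        return user in arg.split()
    if kind == "ldap-group":
        return user in GROUPS.get(arg, set())
    raise ValueError("unsupported Require type: " + kind)


def authorized(scope: Scope, user: Optional[str], method: str) -> bool:
    """Any-match rule: one matching Require in the Location, or in a <Limit> that
    names this method, authorizes the request. Methods outside every <Limit> are
    governed by the Location's own Require lines alone."""
    if any(require_matches(r, user) for r in scope.requires):
        return True
    return any(method in methods and authorized(inner, user, method)
               for methods, inner in scope.limits)


def flat_config() -> Scope:
    """Patricia's layout: valid-user next to the group and user lines in one scope."""
    return Scope(requires=["valid-user",
                           "ldap-group " + REPO1_USERS,
                           "ldap-user someid"])


def split_config() -> Scope:
    """Kevin's layout: read-write lines in the Location, read-only lines in <Limit>."""
    location = Scope(requires=["ldap-group " + REPO1_USERS,
                               "ldap-group " + ADMINS,
                               "ldap-user someid"])
    location.limits.append((READ_METHODS, Scope(requires=["valid-user"])))
    return location


def access_table(scope: Scope, users, methods) -> Dict[Tuple[Optional[str], str], bool]:
    """Who may do what under a scope; useful for eyeballing a config before deploying it."""
    return {(u, m): authorized(scope, u, m) for u in users for m in methods}


if __name__ == "__main__":
    users = [None, "alice", "carol", "someid", "dave"]  # dave: authenticated, in no group
    methods = ["GET", "PROPFIND", "PUT", "MERGE"]       # MERGE is a write method not in <Limit>
    for name, cfg in (("flat", flat_config()), ("split", split_config())):
        print(name)
        for (u, m), ok in access_table(cfg, users, methods).items():
            print("  %-8s %-8s %s" % (u or "<anon>", m, "allow" if ok else "deny"))
```

In the flat layout the made-up user dave, who is in no group, can PUT, because "valid-user" matches him and the group lines never get a say. In the split layout he can GET and PROPFIND but not PUT, and MERGE (a write method that is not in the <Limit> list) also falls back to the outer group lines, which is the property you want: forgetting a method in the <Limit> list only ever makes access more restrictive, never less.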



