> But if I remove that line then no one can access the repository

Most likely because something else in the configuration isn't quite right... I would suggest setting things up and testing with one LDAP server at a time to verify the configuration of each before trying to combine them.

    <Location /svn>
      AuthName "Subversion Server"
      AuthType Basic
      AuthBasicAuthoritative On
      AuthBasicProvider ldap
      # If ldap checks are used with non-ldap ("valid-user"), set this to off
      AuthzLDAPAuthoritative off
      AuthLDAPURL ldaps://gc.company.com:3269/DC=domain,DC=comp,DC=company,DC=com?sAMAccountName?sub?(objectCategory=user)
      AuthLDAPBindDN CN=ADMIN,OU=Users,DC=domain,DC=comp,DC=company,DC=com
      AuthLDAPBindPassword pa$$w0rd
    </Location>
    <Location /svn/bu/repo1>
      DAV svn
      SVNPath /Repositories/bu/repo1
      SVNPathAuthz off
      #1 The following users/groups will have read-write permission
      Require ldap-group CN=REPO1_USERS,OU=Groups,DC=domain,DC=comp,DC=company,DC=com
      Require ldap-group CN=Admins,OU=Groups,DC=domain,DC=comp,DC=company,DC=com
      Require ldap-user someid
      <Limit GET PROPFIND OPTIONS REPORT>
        #2 For any read-only operation, allow these additional users/groups
        Require valid-user
      </Limit>
    </Location>

I know this works. After the "#1" line, add "Require" directives for all the groups/users that should have read-write access. After the "#2" line, add any "Require" directives for any groups/users that should also have read-only access. In this example, "Require valid-user" is used to mean that any authenticated user has read-only access to the repository.

The first Location block must come first; repeat the second Location block as many times as necessary for each repository.

________________________________
From: Patricia A Moss [mailto:pmo...@csc.com]
Sent: Tuesday, November 09, 2010 9:42 AM
To: kmra...@rockwellcollins.com
Cc: users@subversion.apache.org
Subject: Re: locking down access to a repository

>I don't think you want the "Require valid-user" line, since by default it uses
>ANY of the Require lines as matches. (And in your case valid-user matches all
>users so it doesn't care you are also specifying a group and a user.)

But if I remove that line then no one can access the repository.

PATI MOSS
System Engineer Sr.
Professional CSC

From: kmra...@rockwellcollins.com
To: Patricia A Moss/USA/c...@csc
Cc: users@subversion.apache.org
Date: 11/09/2010 10:38 AM
Subject: Re: locking down access to a repository
________________________________

Stefan Sperling <s...@elego.de> wrote on 11/09/2010 08:34:37 AM:

> > I've configured my ldap aliases as follows:
> > <AuthnProviderAlias ldap ldap-FCGNET>
> > AuthLDAPBindDN FCGNET\svnuser
> > AuthLDAPBindPassword xxxxxxxxx
> > AuthLDAPURL ldap://xxxxxx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> > </AuthnProviderAlias>
> > <AuthnProviderAlias ldap ldap-VIET>
> > AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
> > AuthLDAPBindPassword xxxxxxxxxxx
> > AuthLDAPURL ldap://xxxxx.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> > </AuthnProviderAlias>
> >
> > Then in each specific repository configuration file, I have the
> > following:
> > <Location /FDCertifications>
> > dav svn
> > SVNPath /disk01/home/FDCertifications
> > AuthType Basic
> > AuthBasicProvider ldap-FCGNET ldap-VIET
> > AuthzLDAPAuthoritative off
> > AuthName "CSC Subversion Repository"
> > Require valid-user
> > Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
> > Require ldap-user pmoss
> > </Location>

I don't think you want the "Require valid-user" line, since by default it uses ANY of the Require lines as matches. (And in your case valid-user matches all users so it doesn't care you are also specifying a group and a user.)

Kevin R.
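An added example, not part of the original thread: a small Python check for the pitfall discussed above, where "Require valid-user" next to "Require ldap-group" / "Require ldap-user" lines in the same scope makes the narrower lines irrelevant, because any one matching Require line grants access. The function name and the sample configuration are constructed for illustration; the parser assumes one directive per line and only tracks <Location> and <Limit> nesting, treating the inside of a <Limit> as its own scope.

```python
import re

# Constructed sample: block 1 mirrors the problem config, block 2 the suggested layout.
SAMPLE = """
<Location /FDCertifications>
  Require valid-user
  Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
  Require ldap-user pmoss
</Location>
<Location /svn/bu/repo1>
  Require ldap-group CN=REPO1_USERS,OU=Groups,DC=domain,DC=comp,DC=company,DC=com
  Require ldap-user someid
  <Limit GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </Limit>
</Location>
"""

OPEN = re.compile(r"<(Location|Limit)\s+([^>]*)>", re.I)
CLOSE = re.compile(r"</(Location|Limit)>", re.I)
REQUIRE = re.compile(r"Require\s+(.+)", re.I)

def find_shadowed_requires(conf):
    """Return [(location, scope, shadowed_lines)] for every scope in which
    'Require valid-user' sits beside narrower Require lines."""
    scopes = {}   # (location path, "all methods" or Limit method list) -> requirements
    stack = []    # currently open sections as (kind, argument)
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN.fullmatch(line):
            stack.append((m.group(1).lower(), m.group(2).strip()))
        elif CLOSE.fullmatch(line) and stack:
            stack.pop()
        elif (m := REQUIRE.fullmatch(line)) and stack:
            loc = next((a for k, a in stack if k == "location"), None)
            lim = next((a for k, a in stack if k == "limit"), "all methods")
            scopes.setdefault((loc, lim), []).append(m.group(1).strip())
    findings = []
    for (loc, lim), reqs in scopes.items():
        narrow = [r for r in reqs if r.lower() != "valid-user"]
        if narrow and len(narrow) != len(reqs):
            findings.append((loc, lim, narrow))
    return findings

if __name__ == "__main__":
    for loc, lim, narrow in find_shadowed_requires(SAMPLE):
        print(f"{loc} [{lim}]: valid-user makes these lines irrelevant: {narrow}")
```

Only the first sample block is reported; in the second, "Require valid-user" is confined to the read-only methods inside <Limit>, so the group and user lines still govern write access.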