Below is my apache config for SVN:

httpd.conf:

<Location /repos>
  # mod_dav_svn configuration
  DAV svn
  SVNParentPath /opt/web/subversion/repos

  # mod_authn_core configuration
  AuthType Basic
  AuthName "Authorized Developers Only"

  # mod_auth_basic
  AuthBasicProvider ldap

  # mod_authnz_ldap configuration
  # LDAP Authentication & Authorization is final; do not check other databases
  AuthLDAPBindAuthoritative on
  AuthLDAPBindDN CN=LDAPBINDSVN,OU=LDAP,DC=mycorp,DC=com
  AuthLDAPBindPassword [redacted]
  # The LDAP query URL
  AuthLDAPURL "ldap://ldap.mycorp.com:3268/DC=mycorp,DC=com?sAMAccountName?sub?(objectClass=*)"

  # mod_authnz_svn configuration
  AuthzSVNAccessFile /opt/web/httpd/conf/extra/svn-access.conf
  Require valid-user
</Location>

# Access control to individual SVN repositories based on URL path.
<Location /repos/webadmin>
  Require ldap-group CN=SVN_POC_DEVS,OU=LDAP,DC=mycorp,DC=com
  Require ldap-group CN=SVN_POC_MGRS,OU=LDAP,DC=mycorp,DC=com
</Location>

# Access control to individual SVN repositories based on URL path.
<Location /repos/jenkinsAdmin>
  Require ldap-group CN=SVN_POC_DEVS,OU=LDAP,DC=mycorp,DC=com
  Require ldap-group CN=SVN_POC_MGRS,OU=LDAP,DC=mycorp,DC=com
</Location>

# Access control to individual SVN repositories based on URL path.
<Location /repos/middlewareAutomation>
  Require ldap-group CN=SVN_POC_DEVS,OU=LDAP,DC=mycorp,DC=com
  Require ldap-group CN=SVN_POC_MGRS,OU=LDAP,DC=mycorp,DC=com
</Location>

-----

svn-access.conf

[aliases]
poc_devs = CN=SVN_POC_DEVS,OU=LDAP,DC=mycorp,DC=com
poc_mgrs = CN=SVN_POC_MGRS,OU=LDAP,DC=mycorp,DC=com

[groups]
poc_dev = &poc_devs
poc_mgr = &poc_mgrs

[webadmin:/]
poc_dev = rw
poc_mgr = r

[jenkinsAdmin:/]
poc_mgr = rw
poc_dev = r

[middlewareAutomation:/]
poc_dev = rw
poc_mgr = r

-----------

My ID "mhamilton" is part of the group SVN_POC_DEVS and as part of the test I am requiring that the repository access requires the user to at least be part of one of the two groups.

In the above configuration I get the following error message in the apache error log file:

[Fri Mar 14 10:43:10.754361 2014] [authz_svn:error] [pid 4993:tid 139652358960896] [client 172.21.48.120:59293] Access denied: 'mhamilton' GET webadmin:/
[Fri Mar 14 10:43:12.549245 2014] [authz_svn:error] [pid 4993:tid 139652379940608] [client 172.21.48.120:59293] Access denied: 'mhamilton' GET webadmin:/
[Fri Mar 14 10:43:19.994583 2014] [authz_svn:error] [pid 4993:tid 139652369450752] [client 172.21.48.120:59293] Access denied: 'mhamilton' GET jenkinsAdmin:/
[Fri Mar 14 10:43:27.922455 2014] [authz_svn:error] [pid 4993:tid 139652270913280] [client 172.21.48.120:59293] Access denied: 'mhamilton' GET middlewareAutomation:/

If I change the groups section to the following:

[groups]
poc_dev = mhamilton,aobst
poc_mgr = jvogel,rsebaugh

and the repo sections to the following:

[webadmin:/]
@poc_dev = rw
@poc_mgr = r

[jenkinsAdmin:/]
@poc_mgr = rw
@poc_dev = r

[middlewareAutomation:/]
@poc_dev = rw
@poc_mgr = r

It works (but only if I prefix the group names with "@" in the repo section). I tried this with the groups defined using the aliases and I get the same access denied messages.

--
Matthew Hamilton
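
The access-file lookup behind those log lines, as an added Python example that is not part of the original post and not Subversion's own code. It is a simplified model of the documented authz syntax (a bare name is one user, `@name` is a group, `&name` is an alias for a single user name) and assumes the name being matched is the login shown in the log, `mhamilton`; `load`, `members` and `access` are hypothetical helpers, and the three files are trimmed copies of the ones in the post.

```python
import configparser

# Constructed from the files in the post, trimmed to one repository.
ALIASES = "[aliases]\npoc_devs = CN=SVN_POC_DEVS,OU=LDAP,DC=mycorp,DC=com\n"
POSTED = ALIASES + "[groups]\npoc_dev = &poc_devs\n[webadmin:/]\npoc_dev = rw\n"
VIA_ALIAS = ALIASES + "[groups]\npoc_dev = &poc_devs\n[webadmin:/]\n@poc_dev = rw\n"
BY_NAME = "[groups]\npoc_dev = mhamilton,aobst\n[webadmin:/]\n@poc_dev = rw\n"

def load(text):
    """Parse an authz file, keeping name case and splitting on the first '='."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def members(cp, group, seen=()):
    """Expand a [groups] entry to the literal user names it contains."""
    out = set()
    if group in seen or not cp.has_option("groups", group):
        return out
    for m in (x.strip() for x in cp["groups"][group].split(",")):
        if m.startswith("@"):            # nested group
            out |= members(cp, m[1:], seen + (group,))
        elif m.startswith("&"):          # alias: stands for ONE user name
            out.add(cp.get("aliases", m[1:], fallback=None))
        elif m:
            out.add(m)
    return out

def access(cp, section, user):
    """Rights granted to `user` by the rules of one [repo:/path] section."""
    rights = ""
    for who, perm in cp[section].items():
        if who == "*":
            hit = True
        elif who.startswith("@"):
            hit = user in members(cp, who[1:])
        elif who.startswith("&"):
            hit = user == cp.get("aliases", who[1:], fallback=None)
        else:                            # bare name: a user, never a group
            hit = user == who
        if hit:
            rights += perm
    return "".join(sorted(set(rights)))  # "" means access denied

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("alias + @", VIA_ALIAS), ("names + @", BY_NAME)):
        print(label, repr(access(load(text), "webadmin:/", "mhamilton")))
```

In this model the alias expands to a user whose name is the whole DN string, so the login `mhamilton` never matches it; no LDAP group lookup takes place in the access file, and only the `Require ldap-group` lines in httpd.conf consult the directory.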