On Wed, Dec 12, 2018 at 9:28 AM Stuempfig, Thomas <thomas.stuemp...@siemens.com> wrote:
>
> Hi Brane,
>
> sorry I cannot post the contents of VisualSVN-WinAuthz.ini file since it is
> company security related.
> I will take some time to set up a separate Demo LDAP, but this will take some
> time.
>
> But basically my observation is
>
> 1) You have ldap group "GroupA"
> 2) Within that group you have users user_a and user_b (memberOf Attribute)
>
> now
> 3) you set up your repo authz file
> *****************************
> [/]
> user_a rw
> GroupA rw
> *****************************
>
> (I explicitly do not include something like Group_A=user_a,user_b and set
> @Group_A rw in authz file as this would duplicate ldap definition
> of Group membership)
>
> svnauthz gives "rw" for user_a and "Result no" for user_b
>
>
>
> my guess is that svnauthz does not evaluate the actual ldap info and only
> cares about groups defined in authz file whereas "svn --username .. ." does
> authenticate with the ldap-group. If I am thinking about the svnauthz
> commandline, svnauthz has no information about the ldap connection which sits
> in apache httpd.conf.
>

Okay, it seems there is some misunderstanding here. First of all,
"core" svn does not by itself have support for LDAP groups for
authorization. Indeed, it only looks at groups that are defined in the
authz file itself.

The VisualSVN-WinAuthz.ini file is an extra feature developed by
VisualSVN, on top of "core" svn. So indeed, the svnauthz commandline
tool does not know about those groups.

To get some help on using / validating the VisualSVN-WinAuthz.ini
file, you'll have to reach out to VisualSVN people (some of them are
reading this list too, so they might be able to comment further here).

--
Johan
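
Added example, not part of the original messages and not Subversion's or VisualSVN's code: a simplified Python model of the behaviour described above, where only groups defined in the authz file itself are expanded and a bare name is matched as a user name. It assumes the "name = rw" authz syntax and a single path section with no inheritance; load_authz, members, access_of and both sample files are constructed for illustration.

```python
import configparser

# Constructed sample: the rule names an LDAP group that the file never defines.
LDAP_ONLY = "[/]\nuser_a = rw\nGroupA = rw\n"
# Constructed sample: the same group defined in [groups] and referenced with '@'.
IN_FILE = "[groups]\nGroupA = user_a, user_b\n\n[/]\n@GroupA = rw\n"

def load_authz(text):
    # Authz files are INI-style; keep the case of user and group names.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def members(cp, group, seen=None):
    # Expand a [groups] entry, following nested @group references once each.
    seen = set() if seen is None else seen
    if group in seen or not cp.has_option("groups", group):
        return set()  # unknown group: no directory lookup happens here
    seen.add(group)
    out = set()
    for name in cp.get("groups", group).split(","):
        name = name.strip()
        if name.startswith("@"):
            out |= members(cp, name[1:], seen)
        elif name:
            out.add(name)
    return out

def access_of(cp, user, path="/"):
    # Simplified: one path section, no inheritance, grants are unioned.
    if not cp.has_section(path):
        return "no"
    granted = set()
    for who, perms in cp.items(path):
        is_group = who.startswith("@")
        if who in ("*", user) or (is_group and user in members(cp, who[1:])):
            granted |= set(perms.strip())
    return "".join(p for p in "rw" if p in granted) or "no"

if __name__ == "__main__":
    for label, text in (("LDAP_ONLY", LDAP_ONLY), ("IN_FILE", IN_FILE)):
        cp = load_authz(text)
        for user in ("user_a", "user_b"):
            print(label, user, access_of(cp, user))
```

In this model "GroupA = rw" only matches a user literally named GroupA, which is why user_b comes out as "no" until the membership is written into [groups].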