Tags: svn, authentication, active-directory, ldap, apache2

How do I restrict Apache/SVN access to specific users (LDAP/file-based authentication)?


I have Apache/SVN running on Windows Server 2003 with authentication via LDAP/Active Directory and a flat-file.

It's working great except that any LDAP user can access everything. I'd like to be able to limit SVN repositories by user or group.

Ideally, I'd get to something like this:

<Location /svn/repo1>
  # Restricted to ldap-user1, file-user1, or members of ldap-group1,
  # all others denied
</Location>

<Location /svn/repo2>
  # Restricted to ldap-user2, file-user2, or members of ldap-group2,
  # all others denied
</Location>

The real trick might be that I have mixed authentication: LDAP and file:

<Location /svn>
  DAV svn
  SVNParentPath C:/svn_repository
  AuthName "Subversion Repository"
  AuthType Basic
  AuthBasicProvider ldap file
  # file-based, custom users (Apache does not allow comments after a directive on the same line)
  AuthUserFile "svn-users.txt"
  AuthzLDAPAuthoritative On
  AuthLDAPBindDN [email protected]
  AuthLDAPBindPassword ldappassword
  AuthLDAPURL ldap://directory.com:389/cn=Users,dc=directory,dc=com?sAMAccountName?sub?(objectCategory=person)
  Require valid-user
</Location>

In my googling, I've seen some people accomplish this by pulling in the authz file like this:

<Location /svn>
  ...
  AuthzSVNAccessFile "conf/svn-authz.txt"
</Location>

Then, I'd need to map the AD users. Any examples of that approach?


Solution

  • This was actually a lot easier than I thought it would be. I added this to my location:

    <Location /svn>
      ...
      AuthzSVNAccessFile "conf/svn-authz.txt"
    </Location>
    

    In that file, I just specified normal SVN permissions (the system doesn't seem to distinguish between file users and LDAP users at this point):

    [groups]
    ### groups are defined without "@"; the "@" prefix is used when a rule refers to the group
    admin = haren
    
    ###
    ### Deny all but administrators to the tree
    ###
    
    [/]
    * =
    @admin = rw
    
    
    ###
    ### Allow more specific people on a per-repository basis below
    ###
    
    [repo1:/]
    ldap-user1 = rw
    file-user1 = rw
    
    [repo2:/]
    ldap-user2 = rw
    file-user2 = rw
    

    I'm still playing around with the LDAP group syntax to get that part working. Any suggestions there are appreciated.
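Added example, not code from the question or the answer: a small offline evaluator for the authz file shown above, so you can check who ends up with which rights on which repository path before reloading Apache. It implements the lookup the file relies on: the most specific path section wins, the repository-specific section beats the global one for the same path, and inside a section a user rule beats a group rule, which beats `*`. That in-section precedence is the one documented for Subversion 1.10 and later; it is an assumption that it matches your server's version. The sample policy is constructed for the demo and goes a little beyond the answer: it adds a `devs` group and a nested `[repo2:/secrets]` section to show that a root-level `@admin = rw` does not reach a more specific path that denies everyone.

```python
"""Evaluate an svn-authz policy offline (added example, not the answer's code)."""
import configparser

# Constructed sample: the answer's layout plus a group and a nested path.
SAMPLE_AUTHZ = """\
[groups]
admin = haren
devs = ldap-user1, file-user1

[/]
* =
@admin = rw

[repo1:/]
@devs = rw

[repo2:/]
ldap-user2 = rw
file-user2 = rw

### More specific path: root-level grants (even @admin) do not reach it
[repo2:/secrets]
* =
"""


def load_authz(text):
    """Parse authz text into (groups, rules); option names keep their case."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # user names and "@group" references are case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
    rules = {s: {k: (v or "").strip() for k, v in cp.items(s)}
             for s in cp.sections() if s != "groups"}
    return groups, rules


def members_of(groups, name, _seen=None):
    """Flatten a group, following nested @group references without looping."""
    _seen = _seen if _seen is not None else set()
    if name in _seen:
        return set()
    _seen.add(name)
    out = set()
    for m in groups.get(name, ()):
        if m.startswith("@"):
            out |= members_of(groups, m[1:], _seen)
        else:
            out.add(m)
    return out


def rule_for(section, user, groups):
    """Access string for user in one section, or None if no rule there applies."""
    if user in section:                      # explicit user rule wins
        return section[user]
    group_hits = [v for k, v in section.items()
                  if k.startswith("@") and user in members_of(groups, k[1:])]
    if group_hits:                           # then group rules
        # Several matching groups: combine their letters (assumption for the demo)
        return "".join(sorted(set("".join(group_hits))))
    if "*" in section:                       # then the wildcard
        return section["*"]
    return None


def access(rules, groups, user, repo, path):
    """Return "rw", "r" or "" for user on repo:path, walking up towards "/"."""
    path = "/" + path.strip("/")
    while True:
        for name in (f"{repo}:{path}", path):   # repo-specific first, then global
            sec = rules.get(name)
            if sec is not None:
                rule = rule_for(sec, user, groups)
                if rule is not None:
                    return rule
        if path == "/":
            return ""                           # no rule anywhere: denied
        path = path.rsplit("/", 1)[0] or "/"


def report(text, checks):
    """Evaluate (user, repo, path) triples against an authz text."""
    groups, rules = load_authz(text)
    return {(u, r, p): access(rules, groups, u, r, p) or "-" for u, r, p in checks}


if __name__ == "__main__":
    checks = [("haren", "repo1", "/"), ("ldap-user1", "repo1", "/trunk"),
              ("ldap-user1", "repo2", "/"), ("file-user2", "repo2", "/secrets/keys"),
              ("haren", "repo2", "/secrets"), ("nobody", "repo1", "/")]
    for (u, r, p), a in report(SAMPLE_AUTHZ, checks).items():
        print(f"{u:12} {r}:{p:15} {a}")
```

Run it with your own file's contents in place of `SAMPLE_AUTHZ` and a list of the identities you expect to be allowed and denied; a `-` in the output means the user reaches that path with no rights at all, which is what the `* =` line under `[/]` is meant to produce for everyone not granted elsewhere. Note that `mod_authz_svn` only knows the groups defined in the authz file itself, so LDAP group membership has to be mirrored into `[groups]` (or handled by Apache's own `Require ldap-group`), which is the part the answer leaves open.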