Ldap – How to configure Subversion Edge to use LDAP Groups for authentication

ldapsubversion-edge

I'd like to make use of LDAP groups in my Subversion Edge "Repository Access Rules".

For example, if LDAP user smokris is a member of LDAP group dev, I'd like to be able to grant the dev group access to test-repository, without having to explicitly add each member of group dev to the Repository Access Rules.

What's the syntax for that?

I tried:

[test-repository:/]
dev=rw

[/]
*=

…but user smokris is denied access.

Best Answer

Download https://bitbucket.org/whitlockjc/jw-tools.

Create an executable script like the following (substitute in your directories and LDAP configuration):

#!/bin/bash

CSVN_DIR=/home/csvn
JW_TOOLS_DIR=/home/csvn/jw-tools

# truncate the access file after the generated-content tag
perl -0777 -pe 's/\n\n\n### Start generated content.*//s' \
    < $CSVN_DIR/data/conf/svn_access_file \
    > $CSVN_DIR/data/conf/svn_access_file.tmp

# append the latest LDAP group configuration
$JW_TOOLS_DIR/sync_ldap_groups_to_svn_authz/sync_ldap_groups_to_svn_authz.py \
    --url="..." \
    --bind-dn="..." --bind-password="..." \
    --base-dn="..." \
    --group-query="objectClass=posixGroup" \
    --group-member-attribute="memberUid" \
    --user-query="objectClass=posixAccount" \
    --userid_attribute="uid" \
    --quiet \
    | grep -v '^\[groups\]' \
    >> $CSVN_DIR/data/conf/svn_access_file.tmp

mv -f $CSVN_DIR/data/conf/svn_access_file.tmp $CSVN_DIR/data/conf/svn_access_file

Run the script periodically from cron:

0 * * * * ~/update-ldap-groups

Related Solutions

Ldap – Authenticating Nested Groups in LDAP

What application are you trying to configure.

There large majority of application that have some level of LDAP support as an LDAP client, simply have no support for nested groups.

Short of modifying the software, you may be out of luck.

If your LDAP server happens to be Microsoft Active Directory, then there is a non-standard search filter, that may help you.

See: - http://support.microsoft.com/kb/914828 - http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx

The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to provide a method to look up the ancestry of an object. Many applications using AD and AD LDS usually work with hierarchical data, which is ordered by parent-child relationships. Previously, applications performed transitive group expansion to figure out group membership, which used too much network bandwidth; applications needed to make multiple roundtrips to figure out if an object fell "in the chain" if a link is traversed through to the end.

Svn – Subversion Repository Access Rules

Subversion access control is inherited from higher levels if there isn't an explicit match at the level you want. In your case the group dtil is implicitly granted rw to the test repository since it already has rw on the parent.

If you have a model whereby most of your repositories are rw with a few restricted ones, then you have to take care to explicitly deny those users and groups that might have permissions higher up:

[PermissionsTest:/]
~@engineers =
* =

Clean enough in your case, but as you can imagine it'll get very messy if you've got a lot of groups and repositories to look after; having to explicitly deny access is never a good approach. I'd recommend removing that lop level * = rw default and adding it back in as a policy default only to the repositories you want to be open (Principle of least privilege). It might make your config a little bigger, but it's the safer route.

Best Answer

Related Solutions

Ldap – Authenticating Nested Groups in LDAP

Svn – Subversion Repository Access Rules

Related Topic