Question
If I was doing this from scratch, I would have made this two separate repositories. Unfortunately, I have to make do with what is there.
Our repository looks like this:
/trunk
/tags
/branches
/secret/trunk
/secret/tags
/secret/branches
I have my SVN configuration setup like this:
<Location /gorp>
DAV svn
SVNPath /mnt/svn/repositories/gorp
AuthType basic
AuthName "Vegicorp Repository"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl "ldap://ldap.vegicorp.net:389/DC=vegicorp,DC=NET?sAMAccountName" NONE
AuthLDAPBindDN "CN=ldap-read,OU=Users,OU=vegicorp,DC=vegicorp,DC=net"
AuthLDAPBindPassword swordfish
Require ldap-group CN=Development,OU=Groups,OU=vegicorp,DC=vegicorp,DC=net
AuthzSVNAccessFile /opt/CollabNet_Subversion/repos_path_access/gorp
</Location>
This works great. All users in the LDAP group Development have access to our repository. However, not all developers should be able to even see the secret directory. Instead, I only want users in the cabal LDAP group to be able to access it.
And my file gorp under the repos_path_access directory above looks like this:
[/]
* = r
[/trunk]
* = rw
[/branches]
* = rw
[/tags]
* = rw
[/secret]
dvadar = rw
cpalpatine = rw
glucas = rw
* =
So far, so good. My cabal group users, dvadar, cpalpatine, and glucas, have access to the /secret directory in my repository, and no one else even sees it. However, as people come and go, I have to manually change this path-based access file. What I would like to do is have my path-based access give everyone in cabal access and hide it from everyone else:
[/]
* = r
[/trunk]
* = rw
[/branches]
* = rw
[/tags]
* = rw
[/secret]
@cabal = rw
* =
This does not work. Instead, I see this in my logs:
[Tue Sep 03 11:30:50 2013] [error] [client 10.55.9.217] \
Failed to load the AuthzSVNAccessFile: An authz rule refers to group '@cabal'
What is the best way to give my cabal group access to secret without the rest of my developers seeing this directory?
Answer 1:
Obvious way:
Define cabal group members in AuthzSVNAccessFile.
- You can do it by hand (edit members every time the membership changes)
- You can find and use an LDAP-to-Authz sync script (mentioned here on SO somewhere) for updating @cabal when CN=cabal changes in LDAP
Tricky way:
- You can add an additional <Location /gorp/secret> with a changed Require ldap-group directive and maintain the group entirely in LDAP
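The error at the end of the question and the sync script in the "obvious way" above come down to the same fact: mod_authz_svn only knows groups declared in its own [groups] section, so an LDAP group has to be materialized into the file. The following is an added Python example, not code from the post, from Subversion or from the authzync project. It resolves the group's member DNs to the sAMAccountName login names that AuthLDAPUrl maps, renders the [groups] section in front of the question's path rules, and lints the result so a reference to an undeclared group is caught before mod_authz_svn rejects the file. The LDIF is a constructed sample; the bind and search against the real directory are out of scope.

```python
"""Generate a Subversion authz file from an LDAP group export and lint it.

Added example, not code from the Stack Overflow post or from Subversion.
Assumption: the LDAP data is the constructed LDIF export embedded below.
"""
import configparser

# Constructed LDIF export of the 'cabal' group and its members. Group membership
# is a list of member DNs, while authz needs login names (sAMAccountName).
GROUP_LDIF = """\
dn: CN=cabal,OU=Groups,OU=vegicorp,DC=vegicorp,DC=net
cn: cabal
member: CN=dvadar,OU=Users,OU=vegicorp,DC=vegicorp,DC=net
member: CN=cpalpatine,OU=Users,OU=vegicorp,DC=vegicorp,DC=net
member: CN=glucas,OU=Users,OU=vegicorp,DC=vegicorp,DC=net
"""

USER_LDIF = """\
dn: CN=dvadar,OU=Users,OU=vegicorp,DC=vegicorp,DC=net
sAMAccountName: dvadar

dn: CN=cpalpatine,OU=Users,OU=vegicorp,DC=vegicorp,DC=net
sAMAccountName: cpalpatine

dn: CN=glucas,OU=Users,OU=vegicorp,DC=vegicorp,DC=net
sAMAccountName: glucas
"""

# The path rules from the question; only the [groups] section is generated.
PATH_RULES = """\
[/]
* = r
[/trunk]
* = rw
[/branches]
* = rw
[/tags]
* = rw
[/secret]
@cabal = rw
* =
"""


def parse_ldif(text):
    """Parse minimal LDIF (no line folding, no base64) into attr->values dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def group_logins(group_cn, group_ldif, user_ldif):
    """Resolve a group's member DNs to sorted login names (sAMAccountName)."""
    login_by_dn = {e["dn"][0].lower(): e["sAMAccountName"][0]
                   for e in parse_ldif(user_ldif)}
    for entry in parse_ldif(group_ldif):
        if entry["cn"][0].lower() == group_cn.lower():
            # A member DN with no known login raises KeyError on purpose: a sync
            # that silently drops members would silently change who has access.
            return sorted(login_by_dn[dn.lower()] for dn in entry.get("member", []))
    raise KeyError(f"group {group_cn!r} not in export")


def render_authz(groups):
    """Render a [groups] section from a name->logins mapping, then PATH_RULES."""
    lines = ["[groups]"]
    for name, logins in sorted(groups.items()):
        lines.append(f"{name} = {', '.join(logins)}")
    return "\n".join(lines) + "\n\n" + PATH_RULES


def lint_authz(text):
    """Return '@group' names that are referenced but not defined in [groups].

    mod_authz_svn refuses to load a file on the first such reference (the
    'An authz rule refers to group' error in the question), so check first.
    """
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # authz names are case-sensitive; keep them as written
    cp.read_string(text)
    defined = set(cp["groups"]) if cp.has_section("groups") else set()
    referenced = set()
    for section in cp.sections():
        for key, value in cp[section].items():
            if section == "groups":
                # a group may include other groups: admins = @cabal, bob
                members = (m.strip() for m in (value or "").split(","))
                referenced.update(m[1:] for m in members if m.startswith("@"))
            elif key.lstrip("~").startswith("@"):  # '~@g' negates group g
                referenced.add(key.lstrip("~")[1:])
    return sorted(referenced - defined)
```

Running `lint_authz(PATH_RULES)` reproduces the question's problem as `['cabal']`; feeding `render_authz({"cabal": group_logins("cabal", GROUP_LDIF, USER_LDIF)})` through the same check returns an empty list, and the generated file can be written to the AuthzSVNAccessFile path. Keeping the generated [groups] section separate from hand-maintained path rules means a membership change in LDAP never requires editing the access rules themselves.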
Answer 2:
I didn't find any of the current projects for syncing SVN authz with LDAP working satisfactorily, so I created a new one.
It's available here: https://github.com/rbw0/authzync
And yes, I'm aware this is an old post. But users searching for a solution to this are likely to end up here.
Answer 3:
I have something very similar to your question which should fully answer it:
@ZTE_OHSAS_administrators = rw
~@ZTE_OHSAS_administrators =
That one should work
¡Cheers!
Source: https://stackoverflow.com/questions/18597733/setting-up-subversion-repo-using-ldap-groups-in-svn-access-file