如何限制对特定用户的Apache / SVN访问（基于LDAP /文件的身份验证）？

I have Apache/SVN running on Windows Server 2003 with authentication via LDAP/Active Directory and a flat-file.

我在Windows Server 2003上运行Apache / SVN,通过LDAP / Active Directory和平面文件进行身份验证。

It's working great except that any LDAP user can access everything. I'd like to be able to limit SVN repositories by user or group.

除了任何LDAP用户都可以访问所有内容之外,它工作得很好。我希望能够按用户或组限制SVN存储库。

Ideally, I'd get to something like this:

理想情况下,我会得到这样的东西:

<Location /svn/repo1>
  # Restricted to ldap-user1, file-user1, or members of ldap-group1,
  # all others denied
</Location>

<Location /svn/repo2>
  # Restricted to ldap-user2, file-user2, or members of ldap-group2,
  # all others denied
</Location>

The real trick might be that I have mixed authentication: LDAP and file:

真正的诀窍可能是我有混合身份验证:LDAP和文件:

<Location /svn>
  DAV svn
  SVNParentPath C:/svn_repository
  AuthName "Subversion Repository"
  AuthType Basic
  AuthBasicProvider ldap file
  AuthUserFile "svn-users.txt" #file-based, custom users
  AuthzLDAPAuthoritative On
  AuthLDAPBindDN ldapuseraccount@directory.com
  AuthLDAPBindPassword ldappassword
  AuthLDAPURL ldap://directory.com:389/cn=Users,dc=directory,dc=com?sAMAccountName?sub?(objectCategory=person)
  Require valid-user
</Location>

In my googling, I've seen some people accomplish this by pulling in the authz file like this:

在我的谷歌搜索中,我看到有些人通过像这样拉入authz文件来实现这一点:

<Location /svn>
  ...
  AuthzSVNAccessFile "conf/svn-authz.txt"
</Location

Then, I'd need to map the AD users. Any examples of that approach?

然后,我需要映射AD用户。这种方法的任何例子?

3 个解决方案

#1

This was actually a lot easier than I thought it would be. I added this to my location:

这实际上比我想象的容易得多。我把它添加到我的位置:

<Location /svn>
  ...
  AuthzSVNAccessFile "conf/svn-authz.txt"
</Location

In that file, I just specified normal SVN permissions (the system doesn't seem to distinguish between file users and LDAP users at this point):

在该文件中,我刚刚指定了正常的SVN权限(此时系统似乎没有区分文件用户和LDAP用户):

[groups]
@admin = haren

###
### Deny all but administrators to the tree
###

[/]
* =
@admin = rw


###
### Allow more specific people on a per-repository basis below
###

[repo1:/]
ldap-user1 = rw
file-user1 = rw

[repo2:/]
ldap-user2 = rw
file-user2 = rw

I'm still playing around with the LDAP group syntax to get that part working. Any suggestions there are appreciated.

我仍然在使用LDAP组语法来使该部分工作。任何建议都表示赞赏。

#2

Another alternate method for anyone else who is interested:

对于任何感兴趣的人,另一种替代方法:

Require ldap-group cn=SVN Users,cn=Users,dc=company,dc=com

This is assuming you created a group called SVN Users in Active directory. Notice that there are no double quotes around the group.

这假设您在Active Directory中创建了一个名为SVN Users的组。请注意,该组周围没有双引号。

Use that instead of Require valid-user

使用它代替Require valid-user

Then you probably don't have to restart apache anytime you have any changes, just add the user to the group in AD

然后,您可能无需在任何更改时重新启动apache,只需将用户添加到AD中的组即可

#3

You should not use

你不应该使用

Require valid-user

but use

Require group

#1