{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 放我归山 的问题《How do I restrict Apache/SVN access to specific us》','https://www.manongdao.com/q-276136.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have Apache/SVN running on Windows Server 2003 with authentication via LDAP/Active Directory and a flat-file.
It's working great except that any LDAP user can access everything. I'd like to be able to limit SVN repositories by user or group.
Ideally, I'd get to something like this:
<Location /svn/repo1>
# Restricted to ldap-user1, file-user1, or members of ldap-group1,
# all others denied
</Location>
<Location /svn/repo2>
# Restricted to ldap-user2, file-user2, or members of ldap-group2,
# all others denied
</Location>
The real trick might be that I have mixed authentication: LDAP and file:
<Location /svn>
DAV svn
SVNParentPath C:/svn_repository
AuthName "Subversion Repository"
AuthType Basic
AuthBasicProvider ldap file
AuthUserFile "svn-users.txt" #file-based, custom users
AuthzLDAPAuthoritative On
AuthLDAPBindDN ldapuseraccount@directory.com
AuthLDAPBindPassword ldappassword
AuthLDAPURL ldap://directory.com:389/cn=Users,dc=directory,dc=com?sAMAccountName?sub?(objectCategory=person)
Require valid-user
</Location>
In my googling, I've seen some people accomplish this by pulling in the authz file like this:
<Location /svn>
...
AuthzSVNAccessFile "conf/svn-authz.txt"
</Location
Then, I'd need to map the AD users. Any examples of that approach?
Another alternate method for anyone else who is interested:
This is assuming you created a group called SVN Users in Active directory. Notice that there are no double quotes around the group.
Use that instead of Require valid-user
Then you probably don't have to restart apache anytime you have any changes, just add the user to the group in AD
You should not use
but use
This was actually a lot easier than I thought it would be. I added this to my location:
In that file, I just specified normal SVN permissions (the system doesn't seem to distinguish between file users and LDAP users at this point):
I'm still playing around with the LDAP group syntax to get that part working. Any suggestions there are appreciated.