I have Apache/SVN running on Windows Server 2003 with authentication via LDAP/Active Directory and a flat-file.
It's working great except that any LDAP user can access everything. I'd like to be able to limit SVN repositories by user or group.
Ideally, I'd get to something like this:
<Location /svn/repo1>
# Restricted to ldap-user1, file-user1, or members of ldap-group1,
# all others denied
</Location>
<Location /svn/repo2>
# Restricted to ldap-user2, file-user2, or members of ldap-group2,
# all others denied
</Location>
The real trick might be that I have mixed authentication: LDAP and file:
<Location /svn>
DAV svn
SVNParentPath C:/svn_repository
AuthName "Subversion Repository"
AuthType Basic
AuthBasicProvider ldap file
# file-based, custom users
AuthUserFile "svn-users.txt"
AuthzLDAPAuthoritative On
AuthLDAPBindDN [email protected]
AuthLDAPBindPassword ldappassword
AuthLDAPURL ldap://directory.com:389/cn=Users,dc=directory,dc=com?sAMAccountName?sub?(objectCategory=person)
Require valid-user
</Location>
In my googling, I've seen some people accomplish this by pulling in the authz file like this:
<Location /svn>
...
AuthzSVNAccessFile "conf/svn-authz.txt"
</Location>
Then, I'd need to map the AD users. Any examples of that approach?
This was actually a lot easier than I thought it would be. I added this to my location:
<Location /svn>
...
AuthzSVNAccessFile "conf/svn-authz.txt"
</Location>
In that file, I just specified normal SVN permissions (the system doesn't seem to distinguish between file users and LDAP users at this point):
[groups]
admin = haren
###
### Deny all but administrators to the tree
###
[/]
* =
@admin = rw
###
### Allow more specific people on a per-repository basis below
###
[repo1:/]
ldap-user1 = rw
file-user1 = rw
[repo2:/]
ldap-user2 = rw
file-user2 = rw
I'm still playing around with the LDAP group syntax to get that part working. Any suggestions there are appreciated.
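A small evaluator for the AuthzSVNAccessFile format, added here as an example and not taken from the post above, is a convenient way to check a file like this before putting it in front of Apache. It applies the documented rules: groups are defined in [groups] without a leading @ and referenced elsewhere as @name, a [repo:/path] section takes precedence over [/path] for the same path, the most specific matching path wins, and `*` is the fallback for everyone. Within a single section the lookup order user, then groups, then `*` is a simplification of Subversion's own rule combining, so use it to sanity-check a config rather than as an authoritative oracle. The sample file is the poster's, constructed inline with the group definition in its documented form.

```python
"""Evaluator for Subversion authz files (the AuthzSVNAccessFile format).

Added example, not code from the original post.  Group definitions live in
[groups] and are referenced as @name; [repo:/path] beats [/path] for the
same path; the most specific path wins; '*' is the fallback for everyone.
The per-section lookup order user -> groups -> '*' is a simplification
(an assumption) of Subversion's own rule combining.
"""
import configparser

# Constructed sample: the poster's file, with the [groups] entry in the
# documented form (defined as 'admin', referenced as '@admin').
SAMPLE_AUTHZ = """\
[groups]
admin = haren

[/]
* =
@admin = rw

[repo1:/]
ldap-user1 = rw
file-user1 = rw

[repo2:/]
ldap-user2 = rw
file-user2 = rw
"""


def parse_authz(text):
    """Return (groups, rules); rules maps (repo-or-None, path) -> {principal: rights}."""
    cp = configparser.RawConfigParser(delimiters=("=",), allow_no_value=True)
    cp.optionxform = str  # user and group names are case-sensitive
    cp.read_string(text)
    groups, rules = {}, {}
    for section in cp.sections():
        items = {k.strip(): (v or "").strip() for k, v in cp.items(section)}
        if section == "groups":
            for name, members in items.items():
                # A leading '@' belongs on references, not definitions;
                # a file written this way defines no group called 'admin'.
                if name.startswith("@"):
                    raise ValueError("group defined with '@': %s" % name)
                groups[name] = [m.strip() for m in members.split(",") if m.strip()]
            continue
        repo, _, path = section.rpartition(":") if ":" in section else ("", "", section)
        rules[(repo or None, path.rstrip("/") or "/")] = items
    return groups, rules


def expand_group(groups, name, seen=None):
    """Flatten nested @group members into a set of user names."""
    seen = seen or {name}
    members = set()
    for m in groups.get(name, []):
        if m.startswith("@"):
            sub = m[1:]
            if sub in seen:
                raise ValueError("circular group reference: %s" % sub)
            members |= expand_group(groups, sub, seen | {sub})
        else:
            members.add(m)
    return members


def access_of(authz, repo, path, user):
    """Effective rights ('', 'r' or 'rw') of user on repo:path.

    Walks from the requested path up to '/', trying the repo-specific
    section before the generic one at each level, and stops at the first
    section holding a rule for the user, one of the user's groups, or '*'.
    """
    groups, rules = authz
    user_groups = {"@" + g for g in groups if user in expand_group(groups, g)}
    node = path.rstrip("/") or "/"
    while True:
        for key in ((repo, node), (None, node)):
            section = rules.get(key)
            if section is None:
                continue
            if user in section:
                return section[user]
            matched = [section[g] for g in user_groups if g in section]
            if matched:  # union of rights granted through several groups
                granted = set().union(*matched)
                return "".join(c for c in "rw" if c in granted)
            if "*" in section:
                return section["*"]
        if node == "/":
            return ""  # no rule anywhere on the path: default deny
        node = node.rsplit("/", 1)[0] or "/"


if __name__ == "__main__":
    authz = parse_authz(SAMPLE_AUTHZ)
    for repo, path, user in [("repo1", "/trunk", "ldap-user1"),
                             ("repo2", "/", "ldap-user1"),
                             ("repo2", "/branches/x", "haren")]:
        print(repo, path, user, repr(access_of(authz, repo, path, user)))
```

Running it shows the intended split: ldap-user1 gets rw on repo1 but nothing on repo2, and haren gets rw everywhere through @admin. Because the parser refuses a group defined as `@admin`, it also catches the one mistake most likely to make the `[/]` lock-out rule silently apply to the administrator as well.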
Another alternate method for anyone else who is interested:
Require ldap-group cn=SVN Users,cn=Users,dc=company,dc=com
This is assuming you created a group called SVN Users in Active Directory. Notice that there are no double quotes around the group.
Use that instead of Require valid-user.
Then you probably don't have to restart Apache any time you have changes; just add the user to the group in AD.