Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive

[Kedar Sirshikar (ksirshik)]

Hi team,

I need some help on integration of SVN, Apache and LDAP.

 

Currently we are using ‘/var/www/svn/users-access-file’ to store SVN admin users.

Problem with this approach is if new admin users are added in LDAP then we have to change above file as well (for adding new users).

Also, storing user names in ‘/var/www/svn/users-access-file’ is always discouraged as it may violate security.

 

So, is there any way I can avoid using ‘/var/www/svn/users-access-file’ and achieve read/write access to SVN based on groups of LDAP users?

I am also investing but as I am new to this area so your help may improve my investigation.

 

System Details are as below:

CentOS release 6.8 (Final)

httpd-2.2.15-54.el6.centos.x86_64

 

Regards,

Kedar.

[Branko Čibej]

On 04.08.2017 18:39, Kedar Sirshikar (ksirshik) wrote:

Hi team,

I need some help on integration of SVN, Apache and LDAP.

 

Currently we are using ‘/var/www/svn/users-access-file’ to store SVN admin users.

Problem with this approach is if new admin users are added in LDAP then we have to change above file as well (for adding new users).

Also, storing user names in ‘/var/www/svn/users-access-file’ is always discouraged as it may violate security.

 

So, is there any way I can avoid using ‘/var/www/svn/users-access-file’ and achieve read/write access to SVN based on groups of LDAP users?

I am also investing but as I am new to this area so your help may improve my investigation.

Yes, this is easily done; here's an example of the access part of the httpd config file (for httpd 2.4.x):

        <RequireAll>
            Require valid-user
            <Limit HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    # Read access
                    Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com
                    Require ldap-group cn=svn.readonly,ou=group,dc=example,dc=com
                </RequireAny>
            </Limit>
            <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    # Write access
                    Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com
                </RequireAny>                   
            </LimitExcept>
        </RequireAll>

-- Brane

[Kedar Sirshikar (ksirshik)]

Hi Brane,

Thank you for reply.

 

I am providing some inputs about my experiement as of now.

I am using ‘httpd-2.2.15-54.el6.centos.x86_64’ httpd.

I have attached ldif file and ‘/etc/httpd/conf.d/subversion.conf’ files for your reference.

I have also attached ‘sssd.conf’ (to interact with LDAP).

 

Still I have not been able to grant read access to gidNumber: 500 and read/write access to gidNumber: 491 from ldap.

Do you see any obvious issue in attached files? Your advice will be a great help!

 

Regards,

Kedar.

[Branko Čibej]

On 07.08.2017 10:10, Kedar Sirshikar (ksirshik) wrote:
>
> Hi Brane,
>
> Thank you for reply.
>
>
>
> I am providing some inputs about my experiement as of now.
>
> I am using ‘httpd-2.2.15-54.el6.centos.x86_64’ httpd.
>
> I have attached ldif file and ‘/etc/httpd/conf.d/subversion.conf’
> files for your reference.
>
> I have also attached ‘sssd.conf’ (to interact with LDAP).
>
>
>
> Still I have not been able to grant read access to gidNumber: 500 and
> read/write access to gidNumber: 491 from ldap.
>
> Do you see any obvious issue in attached files? Your advice will be a
> great help!
>

Looks like you're missing two bits:

* the AuthLDAPGroupAttribute is probably needed
* you don't use the whole group distinguished name in the Require
lines (the common name is missing).

As far as I know, mod_ldap won't search the whole subtree for valid
group names, you have to list them explicitly.

-- Brane

[Kedar Sirshikar (ksirshik)]

Hi Brane,

I tried to follow your suggestions. Please refer attached latest version of ‘subversion.conf’

1.       I updated my subversion.conf to include ‘AuthLDAPGroupAttribute’ attribute. Its value is set to cn as cn attribute has the group name (to which user is assigned)

dn: uid=sssd_pb,ou=users,dc=sprint,dc=com

objectClass: organizationalPerson

objectClass: person

objectClass: inetOrgPerson

objectClass: top

objectClass: posixAccount

cn: cn=Admin,ou=groups,dc=sprint,dc=com

gidNumber: 491

homeDirectory: /home/qns-svn

sn: sn_sssd_pb

uid: sssd_pb

uidNumber: 491

userPassword:: e1NTSEF9Qi94UDJVK3dtbWFDQW5hRVR5ZW1uL2RnenFudnBMdlNoaUxkOFE9P

Q==

2.       I included cn in ‘Require ldap-group’ at line 43 in subversion.conf

Require ldap-group cn=Admin,ou=groups,dc=sprint,dc=com

3.       I also tried turning ‘AuthLDAPGroupAttributeIsDN’ attribute on and off.

But none of the above attempt helped me to get sssd_pb user authorized in Admin/RW role. Currently sssd_pb user gets READONLY access by default.

Is there any way I can check for logs? If I get some relevant logs, I myself can dig down more.

 

I came across below 2 urls which claim that it is not possible to get rid of AuthzSVNAccessFile directive and you must use a file to configure groups and users.

http://grokbase.com/t/subversion/users/1477dcf8yc/how-to-control-access-of-a-subversion-repo-subfolder-via-ad-groups/oldest#responses_tab_top

https://github.com/whitlockjc/sync-ldap-groups-to-svn-authz

 

Now, I am little confused about whether it is really possible (or not) to fully avoid configuring groups and user names in a separate file.

 

Brane,

Appreciate your help in advance!

Depending upon your feedback I may have to decide if to build a python script or to explore more in current experiment.

 

 

Regards,

Kedar.

[Branko Čibej]

On 02.09.2017 03:50, Kedar Sirshikar (ksirshik) wrote:

Hi Brane,

I tried to follow your suggestions. Please refer attached latest version of ‘subversion.conf’

1.       I updated my subversion.conf to include ‘AuthLDAPGroupAttribute’ attribute. Its value is set to cn as cn attribute has the group name (to which user is assigned)

AuthLDAPGroupAttribute is the name of the group's member list attribute, not the user's primary group attribute.

Is there any way I can check for logs? If I get some relevant logs, I myself can dig down more.

You should have Apache server logs available. If they're not detailed enough, you can increase the log verbosity.

I came across below 2 urls which claim that it is not possible to get rid of AuthzSVNAccessFile directive and you must use a file to configure groups and users.

http://grokbase.com/t/subversion/users/1477dcf8yc/how-to-control-access-of-a-subversion-repo-subfolder-via-ad-groups/oldest#responses_tab_top

https://github.com/whitlockjc/sync-ldap-groups-to-svn-authz

 

Now, I am little confused about whether it is really possible (or not) to fully avoid configuring groups and user names in a separate file.

That depends on what you want to do. If you only want to control read-only vs. read-write access to the whole repository, you can do that in the Apache config, as I showed you. If you want more fine-grained access control, that's what the Subversion authz file is for. If you want to do that per-user, then you will have to define users (and/or groups) in that file. And yes, there are tools out there for automatically generating user and group lists for the Subversion authz file from LDAP.

-- Brane

[Kedar Sirshikar (ksirshik)]

Thank you, Brane, for your reply.

 

I updated subversion.conf to include group’s attribute memberUid

    AuthLDAPURL ldaps://ldap_l.cisco.com:10648/dc=sprint,dc=com?hasSubordinates,objectClass?sub?uid

 

    AuthLDAPBindDN uid=admin,ou=system

    AuthLDAPBindPassword secret

 

    AuthzLDAPAuthoritative on

    AuthLDAPGroupAttributeIsDN off

    #AuthLDAPGroupAttribute cn

    AuthLDAPGroupAttribute memberUid

        #<RequireAll> 

            Require valid-user

            <Limit HEAD GET OPTIONS PROPFIND REPORT>

                #<RequireAny> 

                    # Read access 

                    Require ldap-group cn=User,ou=groups,dc=sprint,dc=com

                #</RequireAny> 

            </Limit>

            <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>

                #<RequireAny> 

                    # Write access

                    Require ldap-group cn=Roles,ou=groups,dc=sprint,dc=com

                    Require ldap-attribute gidNumber=491

                    #Require ldap-group cn=Admin,ou=groups,dc=sprint,dc=com

                #</RequireAny> 

            </LimitExcept>

        #</RequireAll>

 

I have also updated screen shots for sssd_pb and Roles group. I feel there is something wrong in this ldif because of which it is still not working.

 

Output of ldapsearch is

KSIRSHIK-M-33TW:~ ksirshik$ ldapsearch -H ldaps://ldap_l.cisco.com:10648 -x -D "uid=admin,ou=system" -W -b "dc=sprint,dc=com" -s sub -a always -z 1000 "uid=sssd_pb" 

Enter LDAP Password: 

# extended LDIF

#

# LDAPv3

# base <dc=sprint,dc=com> with scope subtree

# filter: uid=sssd_pb

# requesting: ALL

#

 

# sssd_pb, Admin, groups, sprint.com

dn: uid=sssd_pb,cn=Admin,ou=groups,dc=sprint,dc=com

sn: sn_sssd_pb

cn: cn_sssd_pb

objectClass: posixAccount

objectClass: top

objectClass: inetOrgPerson

objectClass: person

objectClass: organizationalPerson

homeDirectory: /home/qns-svn

gidNumber: 491

uidNumber: 491

userPassword:: e1NTSEF9dGFPUmpYdTZ4TUxUemdmTjJVVlE3TkJiRVQwYkVqZWxTQ2V2T3c9PQ=

 =

uid: sssd_pb

 

# sssd_pb, users, sprint.com

dn: uid=sssd_pb,ou=users,dc=sprint,dc=com

sn: sn_sssd_pb

cn: cn=Admin,ou=groups,dc=sprint,dc=com

objectClass: posixAccount

objectClass: top

objectClass: inetOrgPerson

objectClass: person

objectClass: organizationalPerson

homeDirectory: /home/qns-svn

gidNumber: 491

uidNumber: 491

userPassword:: e1NTSEF9Qi94UDJVK3dtbWFDQW5hRVR5ZW1uL2RnenFudnBMdlNoaUxkOFE9PQ=

 =

uid: sssd_pb

 

# search result

search: 2

result: 0 Success

 

# numResponses: 3

# numEntries: 2

KSIRSHIK-M-33TW:~ ksirshik$

 

 

 

Regards,

Kedar.

 

From: Branko Čibej <br...@apache.org>
Organization: The Apache Software Foundation
Date: Saturday, September 2, 2017 at 5:07 AM
To: "Kedar Sirshikar (ksirshik)" <ksir...@cisco.com>, "us...@subversion.apache.org" <us...@subversion.apache.org>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive

 

On 02.09.2017 03:50, Kedar Sirshikar (ksirshik) wrote:

[Kedar Sirshikar (ksirshik)]

Hi Brane,

I just found out that it is still referring to ‘/var/www/svn/users-access-file’ even after removing it from subversion.conf. I also deleted ‘users-access-file’ file from ‘/var/www/svn’

I even tried commenting below line from subversion.conf but still same error.

#LoadModule authz_svn_module       modules/mod_authz_svn.so

 

In every case, I am still getting 403 error in logs:

 

[Tue Sep 05 08:11:33 2017] [error] [client 172.16.2.14] (2)No such file or directory: Failed to load the AuthzSVNAccessFile: Can't open file '/   var/www/svn/users-access-file': No such file or directory

 

I am not able to understand why it is still referring to earlier configured ‘AuthzSVNAccessFile /var/www/svn/users-access-file’ directive.

 

Regards,

Kedar.

[Branko Čibej]

On 05.09.2017 21:25, Kedar Sirshikar (ksirshik) wrote:
>
> Hi Brane,
>

> I just found out that it is still referring to
> ‘/var/www/svn/users-access-file’ even after removing it from
> subversion.conf. I also deleted ‘users-access-file’ file from
> ‘/var/www/svn’
>
> I even tried commenting below line from subversion.conf but still same
> error.
>
> #LoadModule authz_svn_module       modules/mod_authz_svn.so
>
>  
>
> In every case, I am still getting 403 error in logs:
>
>  
>
> [Tue Sep 05 08:11:33 2017] [error] [client 172.16.2.14] (2)No such
> file or directory: Failed to load the AuthzSVNAccessFile: Can't open
> file '/   var/www/svn/users-access-file': No such file or directory
>
>  
>
> I am not able to understand why it is still referring to earlier
> configured ‘AuthzSVNAccessFile /var/www/svn/users-access-file’ directive.
>

Did you change the right Apache config file? Did you restart the server
after changing it? And so on. There are so many things that could be
going wrong that it's quite hard to guess, from the data in you mails,
how to fix them.

-- Brane

[Kedar Sirshikar (ksirshik)]

Yes Brane, I changed the correct subversion configuration file (/etc/httpd/conf.d/subversion.conf) and I also restarted the server using ‘/etc/init.d/httpd restart’ command.

[Johan Corveleyn]

On Tue, Sep 5, 2017 at 11:31 PM, Kedar Sirshikar (ksirshik)
<ksir...@cisco.com> wrote:
> Yes Brane, I changed the correct subversion configuration file
> (/etc/httpd/conf.d/subversion.conf) and I also restarted the server using
> ‘/etc/init.d/httpd restart’ command.

Okay, please take a step back and look around for any missing clues on
your system (we cannot do that from here).

If I summarize correctly, you still get errors, in the httpd error
log, with "Failed to load the AuthzSVNAccessFile: Can't open file '/
var/www/svn/users-access-file': No such file or directory", even
though you removed any reference of /var/www/svn/users-access-file
from your httpd configuration (and restarted httpd).

Clearly there must be some mixup. Apache httpd or Subversion will not
guess that filename out of thin air, and try to access it out of their
own initiative. There must be some remaining reference. It's up to you
to find it. Check for other conf files that may be involved in your
httpd configuration (one conf file can import another etc.). Perhaps
you can grep around a bit.

--
Johan

[Kedar Sirshikar (ksirshik)]

Yes Johan, I will try and update you once I get some breakthrough
Thank you for your precious help.