Details
Bug
Resolution: Handled by Support
Medium
mod_authnz_crowd-2.0.1-1.x86_64
httpd-2.2.3-45.el5_6.1.x86_64
RHEL5 64-bit
Description
This works as expected:
<Location /repos>
DAV svn
SVNPath /srv/svn/repos
AuthName "Crowd"
AuthType Basic
AuthBasicProvider crowd
CrowdAppName subversion
CrowdAppPassword ...
CrowdURL http://crowd1.prod.example.com:8080/crowd/
# default timeout=0 (infinite)
CrowdTimeout 30
# default maxage=120secs
#CrowdCacheMaxAge 5
# Improves performance when using Subversion clients that don't store cookies
CrowdCreateSSO off
# Crowd is authoritative, not authz
AuthzSVNCrowdAuthoritative on
AuthzUserAuthoritative Off
Require group Enterprise
# AuthzSVNCrowdAccessFile /etc/subversion/crowdauthz.repos
</Location>
However, if I uncomment the AuthzSVNCrowdAccessFile line, all valid-users can log in. I've tried setting AuthzSVNCrowdAuthoritative to off, but that makes no difference.
I know that, as of Apache 2.2, using a require group for LDAP is sadly limited like this as well, as per:
http://www.svnforum.org/threads/37237-AuthzSVNAccessFile-Require-ldap-group
It's not clear from the Crowd docs if you can only use valid-user (the require group is used in the Apache config, so you'd assume that it would work).
TBH this might be a case of "sorry, Apache issue, not Crowd, but we'll document it". It's a nuisance, as otherwise the two options are:
a) rely on AuthzSVNCrowdAccessFile to reject everyone you don't want
b) define a new Crowd app for every Subversion repo (assuming they have different group requirements)
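
Added example, not part of the original ticket or of mod_authnz_crowd: if option (a) is used, the access file becomes the only gate, so it is worth checking that no rule grants access outside the intended group. The sketch below assumes the Crowd access file uses the same syntax as Subversion's path-based authz file; the function name `audit_authz` and the sample rules are constructed for illustration.

```python
import configparser

# Constructed sample in Subversion path-based authz syntax (not from the ticket).
SAMPLE_AUTHZ = """\
[/]
* =
@Enterprise = rw

[/public]
* = r

[/private]
$authenticated = rw
alice = r
@Enterprise =
"""


def audit_authz(text, allowed_group):
    """Return (section, principal, access) for every rule that grants
    access to anyone other than @allowed_group."""
    parser = configparser.ConfigParser(
        interpolation=None,          # leave '$' and '%' untouched
        delimiters=("=",),           # authz rules are 'principal = access'
        comment_prefixes=("#",),
        strict=False,                # tolerate repeated sections
    )
    parser.optionxform = str         # principals are case-sensitive
    parser.read_string(text)

    findings = []
    for section in parser.sections():
        if section in ("groups", "aliases"):
            continue                 # definitions, not access rules
        for principal, access in parser.items(section):
            access = access.strip()
            if not access:           # empty value is an explicit deny
                continue
            if principal == "@" + allowed_group:
                continue             # the one grant we expect
            findings.append((section, principal, access))
    return findings


if __name__ == "__main__":
    for section, principal, access in audit_authz(SAMPLE_AUTHZ, "Enterprise"):
        print(f"[{section}] {principal} = {access}  <- access outside @Enterprise")
```

Negated principals such as `~@Enterprise = rw` are reported too, since they grant access to everyone outside the group.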