
How to access repositories via http with ldap users belonging to 2 different AD LDAP


  • How to access repositories via http with ldap users belonging to 2 different AD LDAP

    Hello, I have a running Apache service (httpd ver. 2.2) to access company repositories (svn ver. 1.6.15) which uses both authentication and authorization methods over an MS AD LDAP (Windows Server 2012 R2). Specifically I use "AuthBasicProvider ldap" and the directives ldap-attribute and ldap-user to give groups and single users, respectively, the rights on repositories.

    Now I need to authenticate additional users of a second MS AD LDAP and I was looking for a possible solution. I was considering one of these solutions, which, indeed, I have already checked pass the authn and authz tests:

    1) using the same httpd service with ip-based virtualhost, then giving separate urls to access
    2) using 2 httpd services running with the same user
    3) AuthnProviderAlias + AuthzProviderAlias (apache 2.4)

    I was wondering if all these solutions are good and what I should be aware of.

    Thank you in advance for any answer!

  • #2
    1. SVN 1.6 is ancient and no longer supported by the community. They are now up to 1.10 and climbing. Is there any reason that you're on that old a version?

    2. As you move forward to newer releases, using ldap attributes to enable read vs. write capabilities is going to fracture and become very, very difficult. You are much better off using the AuthZ built into mod_dav_svn. You do not need to do sub-repository paths - you can stay with all/nothing for the entire repository (but the sub-repository path capability is already there).

    3. Using Apache 2.4 is really best at this point - with at least SVN 1.9.latest or 1.10.latest. And the AuthZ built into mod_dav_svn.

    4. Using 2 different Apache services running with the same user account is Ok from the locking perspective but less so based on caching. I wouldn't do that.

    5. Using #3 seems best (minus the AuthzProviderAlias). The only gotcha will be if there is a collision with sAMAccountName values between the 2 domains. That will, unfortunately, give both of them whatever rights you choose in the SVN AuthZ file. I suppose you could enable email address as account name to prevent this.
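    An added example (not from this thread) of option 3 the way the answer recommends it: two AuthnProviderAlias blocks on Apache 2.4 chained in AuthBasicProvider, with authorization left to mod_dav_svn's AuthzSVNAccessFile instead of AuthzProviderAlias. The domain controller names, base DNs, bind accounts, and file paths are placeholders; the AuthLDAPRemoteUserAttribute lines implement the answer's suggestion of using an address-style name so that the same sAMAccountName in both domains does not map to one authz entry.

```apache
# Example httpd 2.4 configuration (constructed; not the poster's config).
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

# First AD forest (placeholder names).
<AuthnProviderAlias ldap ldap-corp-a>
    AuthLDAPURL "ldaps://dc.corp-a.example:636/DC=corp-a,DC=example?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-svn,OU=Service Accounts,DC=corp-a,DC=example"
    # Keep the bind secret out of the config file (exec: is supported since 2.4.5).
    AuthLDAPBindPassword "exec:/etc/httpd/secrets/ldap-bind-pw-a.sh"
    # REMOTE_USER becomes user@corp-a.example instead of the bare login name,
    # so a duplicate sAMAccountName in the other forest is a different authz subject.
    AuthLDAPRemoteUserAttribute userPrincipalName
</AuthnProviderAlias>

# Second AD forest (placeholder names).
<AuthnProviderAlias ldap ldap-corp-b>
    AuthLDAPURL "ldaps://dc.corp-b.example:636/DC=corp-b,DC=example?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-svn,OU=Service Accounts,DC=corp-b,DC=example"
    AuthLDAPBindPassword "exec:/etc/httpd/secrets/ldap-bind-pw-b.sh"
    AuthLDAPRemoteUserAttribute userPrincipalName
</AuthnProviderAlias>

<Location /svn>
    DAV svn
    SVNParentPath /var/svn/repos

    AuthType Basic
    AuthName "Subversion repositories"
    # Providers are tried in order. mod_auth_basic moves on to the next
    # provider only when the current one does not know the user at all;
    # a user present in corp-a with a wrong password is denied, not retried in corp-b.
    AuthBasicProvider ldap-corp-a ldap-corp-b

    # Authorization is done by mod_authz_svn, not by ldap-attribute/ldap-user
    # directives, so repository rights stay in one place as the answer advises.
    AuthzSVNAccessFile /etc/httpd/svn-authz
    Require valid-user
</Location>
```

    With AuthLDAPRemoteUserAttribute set, the entries in /etc/httpd/svn-authz must use the UPN form (for example alice@corp-a.example = rw), and a quick check is to compare the user shown in the access log for a login from each forest before relying on the authz file.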