Permissions vs authentication - tying both with LDAP/AD

  • Permissions vs authentication - tying both with LDAP/AD

    I'd like all members of a particular AD group to have full access to a repository. It looks like there are two steps to this - authentication and permissions. Can I just confirm how this all works/ties together?

    I'm thinking I need to set up the authentication for LDAP, and set the require to use either ldap-group or ldap-filter (still reading up on that). Once they're authenticated, they'd still need permissions, though, I believe. How do I set the permissions to be dependent on that same group? Do I select the "use Alternative Authz" file option and do something with that, or...? What's the best practice/usual way this is done?

    Thank you!
    Last edited by teleute; 06-21-2012, 05:13 PM.

  • #2
    Maybe I'll start here - what happens when new users are added to AD? Does it get them automatically? Has anyone successfully managed permissions using AD groups? (And again, do those get updated automatically if changed in AD?)



    • #3
      So the per-repository authentication seems to be okay - I can use "MemberOf" in my LDAP query, and that works just fine. And presumably since it's querying AD directly, it would be in sync with any group membership changes, etc... However, it's the permissions that seem to be the issue. I've just got "everybody" set as permissions, since basically if they can authenticate I want to give them full permissions. But if the person isn't a user in uberSVN, then they still don't have permission. When I'm setting up my users right now, I can use that same "memberOf" LDAP query, and that's all good. But what if a user gets added to AD, and then put into this group? The authentication works fine, but the permissions don't, since the user doesn't exist in uberSVN. Do I have to manually create the user (or at least manually re-run the LDAP user link) every time someone is added to AD? Or am I missing something about how this is intended to work?

      Thank you to anyone who can shed a little light on this!



      • #4
        Hi there,

        If you add a user you would need to use the 'Retrieve User' link in the LDAP tab of uberSVN. From there you can change their permissions or add to teams etc.



        • #5
          Originally posted by Mand:
          Hi there,

          If you add a user you would need to use the 'Retrieve User' link in the LDAP tab of uberSVN. From there you can change their permissions or add to teams etc.

          So there's no way to avoid a manual intervention of some type? What about using the alternative authz file instead of uberSVN users, maybe? The ideal is that, since the user has to be created and managed in Active Directory anyway (for everything else in our office), AD is the only place to do all setup.

          Thanks!
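
Added illustration, not part of the thread and not uberSVN's generated configuration: on a stock Apache httpd with mod_dav_svn and mod_authnz_ldap, both the login and the group check can be delegated to AD, so a user added to the group needs no local account. Host names, DNs, paths and the bind account are constructed placeholders.

```apache
# Constructed example for a plain Apache httpd serving Subversion.
# Assumes mod_dav_svn, mod_ldap and mod_authnz_ldap are loaded; every
# host name, DN and path below is a placeholder, not a value from the thread.
<Location /svn/project>
    DAV svn
    SVNPath /var/svn/project

    # --- Authentication: who is this? ---
    # Look the user up in AD by sAMAccountName and verify the password by
    # binding as that user. ldaps:// keeps credentials off the wire in clear.
    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://dc.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    # Low-privilege service account used only for the search step.
    # Keep this file readable by root/the httpd user only.
    AuthLDAPBindDN "CN=svn-bind,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"

    # --- Authorization: may they use this repository? ---
    # Group membership is evaluated against AD at request time (subject to
    # mod_ldap's cache), so adding or removing a member in AD is sufficient.
    Require ldap-group CN=svn-project,OU=Groups,DC=example,DC=com

    # Alternative for nested AD groups, using the AD "in chain" matching
    # rule; use it instead of the ldap-group line above:
    # Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=CN=svn-project,OU=Groups,DC=example,DC=com

    # Optional: path-based rules can be layered on with mod_authz_svn.
    # With the AD group check above doing the gatekeeping, the authz file
    # can simply grant read/write to any authenticated user:
    #   [/]
    #   $authenticated = rw
    # AuthzSVNAccessFile /etc/svn/authz
</Location>
```

Removing a user from the AD group revokes access here without touching the Subversion server, which is the property to verify after any change to the group or the filter.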



          • #6
            OK, so after a little bit of deeper digging on this it turns out that the LDAP query is actually set to run every 15 mins. So adding a user as normal to the AD should propagate to uberSVN without any further intervention.



            • #7
              Originally posted by Mand:
              OK, so after a little bit of deeper digging on this it turns out that the LDAP query is actually set to run every 15 mins. So adding a user as normal to the AD should propagate to uberSVN without any further intervention.

              Oh, perfect. Thanks! Does this get logged at all? Is the time adjustable?



              • #8
                Originally posted by Mand:
                OK, so after a little bit of deeper digging on this it turns out that the LDAP query is actually set to run every 15 mins. So adding a user as normal to the AD should propagate to uberSVN without any further intervention.

                I gave this a test last night - added a user, then went home. Checked today and he wasn't in the list of users. However, when I went to the LDAP tab and clicked the "get users from selected" button, it added him (so the LDAP links themselves should be fine). Any more info on this update procedure, and how to check/log/adjust it? Thanks!



                • #9
                  Just an update - we've added more users since, and they're definitely not showing up automatically (have to manually tell it to add users from the LDAP server, and then it finds all and adds them). I even tried leaving it for a couple of weeks in case the interval was slower than I thought. Any thoughts on how to get this working as designed? (i.e. running the query every 15 mins, as stated above)



                  • #10
                    If it's not working I'll need to verify and raise a bug internally.

                    What version of uberSVN are you running?



                    • #11
                      Core is 12.06.0403-1 (assuming that's the number you're looking for). Thanks!



                      • #12
                        Ah, it may be worth you updating (we fixed a bunch of LDAP issues with the latest update).



                        • #13
                          I just manually ran a check for updates and it found one for the svn libraries, but nothing for core...what version should be showing?



                          • #14
                            12.07 is the latest version.



                            • #15
                              Very odd - ran another check for updates to be sure, and it's not finding it (but it is connecting). How do I update it if it's telling me that there's no update?

                              ETA: I did the subversion binary update, just in case that was blocking anything else, and I still see "no available updates" now after that. However, when I go in the catalina log I see "found 7 available updates - Found 0 eligible updates"
                              Last edited by teleute; 08-28-2012, 05:43 PM.
