I'm trying to set up path-based authorization in SVN using LDAP and AuthzSVNAccess and my initial test was just to give read/write access to everyone in order to check that the config was working correctly.
I have my Apache conf as:
<Location /svn/>
AuthName "Login with LDAP"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://XXX.com:389/ou=XXX,dc=XXX,dc=XXX,dc=XXX?uid
SVNParentPath /var/www/svn
AuthzSVNAccessFile /var/www/svn/authorization.access
Satisfy Any
require valid-user
</Location>
I have various SVN repositories that live directly under /var/www/svn.
And authorization.access looks like this:
[/]
* = rw
This is definitely taking effect: if I were to change it to * = r then I can no longer commit, so I'm happy that Apache is using the file.
However, whilst I can checkout, commit, repo-browse and update, I can no longer svn lock any files. I get the error:
Error: Server sent unexpected return value (401 Authorization Required) in response to LOCK request for '/svn/MyRepo/MyFile.txt'.
Does anyone know if there needs to be additional configuration for svn lock and AuthzSVN? Is there another permission other than rw that I may need? Or perhaps something wrong in my current config.
Thanks, Mike.
Couple of issues that I see.
1) You're missing the DAV directive. However based on what you're saying I'm guessing this is just an oversight in what you've posted here.
2) Satisfy any is probably the source of your problem. Satisfy any makes the authorization rules be or'ed. So either mod_authz_svn allows the access or you get prompted for a password. You really only want to use Satisfy any when you want to allow anonymous and authenticated access. If you're wanting to behave that way, in order to have everything work right you're going to have to remove anonymous write access. I'd suggest the following simplistic authz file for testing:
[/]
$anonymous = r
$authenticated = rw
The reason that you're getting a 401 here is because Subversion does not support anonymous locks. So it's trying to get you to authenticate. But due to the Satisfy any directive the password authentication never comes into play.
3) The fact that you're getting a 401 implies that you're using a version of Subversion that is not up to date. In particular you should be getting a 501 Not Implemented since the 401 was actually involved in a security vulnerability (CVE-2013-1847).
So I'd recommend that you upgrade to Subversion 1.7.13 or 1.8.4. If you don't want to build your own packages I'd recommend one of the many sources of binary packages.
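A check for the combination described in point 2, as an added example that is not part of the original answer or of Subversion itself: it flags an Apache config that uses Satisfy Any together with an authz file that grants write access to unauthenticated users. The function names are hypothetical, and the parser is a simplification that ignores groups, aliases and inverted (~) rules.

```python
import configparser
import re

# Principals that match a request carrying no credentials.
# Simplification: inverted (~) rules and group membership are not evaluated.
ANON_PRINCIPALS = {"*", "$anonymous"}
SPECIAL_SECTIONS = {"groups", "aliases"}

def uses_satisfy_any(apache_conf):
    """True if an uncommented 'Satisfy Any' directive is present."""
    return re.search(r"^\s*Satisfy\s+Any\b", apache_conf, re.I | re.M) is not None

def anonymous_write_rules(authz_text):
    """Return [(section, principal)] for rules that give anonymous users write access."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep principals exactly as written
    cp.read_string(authz_text)
    hits = []
    for section in cp.sections():
        if section in SPECIAL_SECTIONS:
            continue
        for principal, access in cp.items(section):
            if principal in ANON_PRINCIPALS and "w" in access:
                hits.append((section, principal))
    return hits

def lock_blocked(apache_conf, authz_text):
    """With Satisfy Any, anonymous write access means the client is never asked
    to authenticate, so operations that need a user name (svn lock) fail."""
    return uses_satisfy_any(apache_conf) and bool(anonymous_write_rules(authz_text))

# Excerpt of the question's Apache config, and both authz files from this page.
QUESTION_CONF = "<Location /svn/>\nAuthType Basic\nSatisfy Any\nrequire valid-user\n</Location>\n"
QUESTION_AUTHZ = "[/]\n* = rw\n"
ANSWER_AUTHZ = "[/]\n$anonymous = r\n$authenticated = rw\n"

if __name__ == "__main__":
    for name, authz in (("question", QUESTION_AUTHZ), ("answer", ANSWER_AUTHZ)):
        print(name, anonymous_write_rules(authz), lock_blocked(QUESTION_CONF, authz))
```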