I am using Apache 2.4 on Ubuntu 14.04 and SVN 1.8.8.
I have installed an SVN server and created a number of repositories (one per client). For each team working for each client, I added configuration files in /etc/apache2/conf-available and used a2enconf. The files are of the format:
<Location /svn/Client1/>
    DAV svn
    SVNPath /home/svn/Client1
    Options -Indexes
    AuthType Basic
    AuthName "Company SVN"
    AuthBasicProvider ldap
    AuthLDAPBindDN "cn=binduser,dc=company,dc=com"
    AuthLDAPBindPassword "binduserpassword"
    AuthLDAPURL "ldap://ldap.company.com:389/ou=users,dc=company,dc=com?cn?sub?(objectClass=posixAccount)"
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPGroupAttribute member
    Require ldap-group cn=client1,dc=company,dc=com
</Location>
On my LDAP server, I created groupOfNames such as "client1", "client2" and added my team members to them. So far, so good. Everything works. If a team member is assigned to a client, I add him to that group and he gets access.
Now, I need to grant one specific user (who works for the client) access not to the whole repo, but to a particular project within it.
I added his entry to LDAP, then I tried adding a Location directive:
<Location /svn/Client1/Project17/>
    Require ldap-user cn=adam
</Location>
Didn't work. If I open http://svn.company.com/svn/Client1/Project17/ in a browser, I get the Basic authentication popup, which accepts my own user/password but not those of the "adam" user. The Apache log shows:
[Tue Jun 27 07:44:33.213571 2023] [authz_core:error] [pid 29295] [client 121.153.248.253:65432] AH01631: user adam: authorization failure for "/svn/Client1/Project17/"
I set the LogLevel of Apache to debug. This shows that it is checking the group cn=client1,dc=company,dc=com and not finding the user there. This indicates that the second Location directive is not doing anything.
Yes, I restart apache2 after every change.
Comments?