On 12 April 2016 at 18:03, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
On Tue, April 12, 2016 11:57 am, m.roth@5-cent.us wrote:
James Hogarth wrote:
On 12 Apr 2016 16:29, "Scott Robbins" scottro11@gmail.com wrote:
On Tue, Apr 12, 2016 at 09:45:17AM +0200, Marcin Trendota wrote:
W dniu 11.04.2016 o 20:07, Scott Robbins pisze:
<SNIP>
> After various testing I ended up going with the Apache LDAP cache module
> and doing the auth at the Apache level, not system.
>
> Was far better in performance with the SVN server being hit
> fairly hard. I can try and dig out an example configuration if
> you would like.
>
> The bonus here as well is that svn users are separated cleanly
> from system users... No reason for a dev to have a shell account
> on there ;)
I'd be *very* interested in that configuration, if you post it here, or offlist, to me.
Me too. Please post for everyone, or add me to the off-list message.
Valeri
The CA.crt is assumed to be the one used to sign the LDAPS certs ... replace as required ;)

This assumes multiple SVN repos under /srv/svn/repos.

This includes a local userfile for any quick hacks or system things that you don't want to hit LDAP for - it can be removed.

This also allows fallback from one server to another if need be, though note that it will need to time out on the first.

This took a fair chunk of load off of our LDAP server and made checkouts a far more pleasant experience.

Bonus points if you get your CM to change the ordering of LDAP servers between repos (or other web auth) ;)
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/CA.crt

# Enable caching by mod_ldap
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

<Location /ldap-status>
    SSLRequire true
    SetHandler ldap-status
</Location>

<Location /repos>
    DAV svn
    SVNParentPath /srv/svn/repos
</Location>

<Location /repos/repo1>
    SSLRequireSSL
    AuthName "SVN Repo 1"
    AuthType Basic
    AuthLDAPBindDN cn=svnbind,cn=systemusers,dc=example,dc=com
    AuthLDAPBindPassword plaintextpassword
    AuthUserFile /etc/httpd/svnpasswd

    AuthLDAPURL "ldaps://ldapserver1.example.com/dc=example,dc=com?uid ldaps://ldapserver2.example.com/dc=example,dc=com?uid "

    AuthBasicProvider file ldap
    AuthzLDAPAuthoritative off
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On

    # READ
    <Limit OPTIONS PROPFIND GET REPORT>
        Require ldap-group cn=dev,cn=groups,dc=example,dc=com
        Require ldap-group cn=qa,cn=groups,dc=example,dc=com
    </Limit>

    # WRITE
    <LimitExcept OPTIONS PROPFIND GET REPORT>
        Require ldap-group cn=dev,cn=groups,dc=example,dc=com
    </LimitExcept>
</Location>
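To make the effect of the READ/WRITE split above concrete, here is an added Python model (not part of James's posted config) that parses the two Limit/LimitExcept blocks and decides a request the way httpd would: Require lines are OR'd, HEAD is governed by the GET entry, and every method outside the READ list (MKACTIVITY, PUT, DELETE, LOCK, ...) falls under the write rule. The config text embedded below is a constructed copy of those two blocks.

```python
import re

# Constructed sample: the authorization blocks from the posted <Location /repos/repo1>.
CONFIG = """
<Limit OPTIONS PROPFIND GET REPORT>
    Require ldap-group cn=dev,cn=groups,dc=example,dc=com
    Require ldap-group cn=qa,cn=groups,dc=example,dc=com
</Limit>
<LimitExcept OPTIONS PROPFIND GET REPORT>
    Require ldap-group cn=dev,cn=groups,dc=example,dc=com
</LimitExcept>
"""

BLOCK_RE = re.compile(r"<(Limit|LimitExcept)\s+([^>]+)>(.*?)</\1>", re.S)
GROUP_RE = re.compile(r"^\s*Require\s+ldap-group\s+(\S+)", re.M)


def parse_limits(text):
    """Return [(methods, is_except, group_dns)] for each Limit/LimitExcept block."""
    rules = []
    for kind, methods, body in BLOCK_RE.findall(text):
        groups = [g.lower() for g in GROUP_RE.findall(body)]
        rules.append((set(methods.upper().split()), kind == "LimitExcept", groups))
    return rules


def is_allowed(rules, method, user_groups):
    """Apply every block whose method list covers the request; a block passes
    if the user is in any of its Require ldap-group DNs (DNs compared case-insensitively,
    which approximates the LDAP compare that AuthLDAPGroupAttributeIsDN performs)."""
    method = method.upper()
    if method == "HEAD":          # httpd: limiting GET also limits HEAD
        method = "GET"
    mine = {g.lower() for g in user_groups}
    for methods, is_except, groups in rules:
        applies = method not in methods if is_except else method in methods
        if applies and not any(g in mine for g in groups):
            return False
    return True


if __name__ == "__main__":
    rules = parse_limits(CONFIG)
    qa = ["cn=qa,cn=groups,dc=example,dc=com"]
    for m in ("GET", "HEAD", "REPORT", "MKACTIVITY", "PUT"):
        print(m, "qa ->", "allow" if is_allowed(rules, m, qa) else "deny")
```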