On 12 April 2016 at 18:03, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> On Tue, April 12, 2016 11:57 am, m.roth at 5-cent.us wrote:
> > James Hogarth wrote:
> >> On 12 Apr 2016 16:29, "Scott Robbins" <scottro11 at gmail.com> wrote:
> >>> On Tue, Apr 12, 2016 at 09:45:17AM +0200, Marcin Trendota wrote:
> >>> > On 11.04.2016 at 20:07, Scott Robbins wrote:
> > <SNIP>
> >> After various testing I ended up going with the Apache LDAP cache module
> >> and doing the auth at the Apache level, not system.
> >>
> >> Was far better in performance with the SVN server being hit
> >> fairly hard. I can try and dig out an example configuration if
> >> you would like.
> >>
> >> The bonus here as well is that svn users are separated cleanly
> >> from system users... No reason for a dev to have a shell account
> >> on there ;)
> >
> > I'd be *very* interested in that configuration, if you post it here, or
> > offlist, to me.
>
> Me too. Please, post for everyone, or add me to off-list message.
>
> Valeri
>

The CA.crt assumes that it is used to sign the LDAPS certs ... replace as required ;)

This assumes multiple SVN repos under /srv/svn/repos.

This includes a local userfile for any quick hacks or system things that you don't want to hit LDAP for - it can be removed.

This also allows fallback from one server to another if need be; note that it will need to time out on the first one, though.

This took a fair chunk of load off of our LDAP server and made checkouts a far more pleasant experience.

Bonus points if you get your CM to change the ordering of the LDAP servers between repos (or other web auth) ;)

_____________________________________________________________

# CA that signed the LDAPS server certificates (global, so mod_ldap verifies every server)
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/CA.crt

# Enable caching by mod_ldap
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

# Cache status page (shows cached DNs and search results, so keep it restricted)
<Location /ldap-status>
    SSLRequire true
    SetHandler ldap-status
</Location>

<Location /repos>
    DAV svn
    SVNParentPath /srv/svn/repos
</Location>

<Location /repos/repo1>
    SSLRequireSSL
    AuthName "SVN Repo 1"
    AuthType Basic
    AuthLDAPBindDN cn=svnbind,cn=systemusers,dc=example,dc=com
    # Bind password sits in the config in cleartext: keep this file readable by root and httpd only
    AuthLDAPBindPassword plaintextpassword
    # Local users tried first, then LDAP (see AuthBasicProvider order below)
    AuthUserFile /etc/httpd/svnpasswd
    AuthLDAPURL "ldaps://ldapserver1.example.com/dc=example,dc=com?uid ldaps://ldapserver2.example.com/dc=example,dc=com?uid "
    AuthBasicProvider file ldap
    AuthzLDAPAuthoritative off
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On

    # READ
    <Limit OPTIONS PROPFIND GET REPORT>
        Require ldap-group cn=dev,cn=groups,dc=example,dc=com
        Require ldap-group cn=qa,cn=groups,dc=example,dc=com
    </Limit>

    # WRITE
    <LimitExcept OPTIONS PROPFIND GET REPORT>
        Require ldap-group cn=dev,cn=groups,dc=example,dc=com
    </LimitExcept>
</Location>
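As an added example (not part of the post above), a small lint over a config shaped like the one posted: it parses the <Location> blocks and flags Basic auth without SSLRequireSSL, an AuthLDAPURL on plain ldap://, and an ldap-status handler with no Require. The sample config is constructed; repo2 and the status block are deliberately weakened so the checks have something to find.

```python
import re

# Constructed sample modelled on the posted SVN/LDAP config; the status block
# and repo2 are deliberately weakened so the checks below have something to report.
SAMPLE_CONF = """<Location /ldap-status>
  SSLRequire true
  SetHandler ldap-status
</Location>
<Location /repos/repo1>
  SSLRequireSSL
  AuthType Basic
  AuthLDAPURL "ldaps://ldapserver1.example.com/dc=example,dc=com?uid"
  Require ldap-group cn=dev,cn=groups,dc=example,dc=com
</Location>
<Location /repos/repo2>
  AuthType Basic
  AuthLDAPURL "ldap://ldapserver1.example.com/dc=example,dc=com?uid"
  Require valid-user
</Location>
"""

LOC_OPEN = re.compile(r"^\s*<Location\s+(\S+)\s*>\s*$", re.I)
LOC_CLOSE = re.compile(r"^\s*</Location\s*>\s*$", re.I)

def parse_locations(conf):
    """Map each <Location> path to its directive lines (nested <Limit> lines included)."""
    blocks, current = {}, None
    for raw in conf.splitlines():
        line, m = raw.strip(), LOC_OPEN.match(raw)
        if m:
            current, blocks[m.group(1)] = m.group(1), []
        elif LOC_CLOSE.match(raw):
            current = None
        elif current and line and not line.startswith("#"):
            blocks[current].append(line)
    return blocks

def lint_location(path, lines):
    """Findings for one block: cleartext Basic auth, plain ldap://, unprotected status page."""
    low = [l.lower() for l in lines]
    has = lambda prefix: any(l.startswith(prefix) for l in low)
    findings = []
    if has("authtype basic") and not has("sslrequiressl"):
        findings.append(f"{path}: Basic auth without SSLRequireSSL (credentials in cleartext)")
    if any(l.startswith("authldapurl") and re.search(r"\bldap://", l) for l in low):
        findings.append(f"{path}: AuthLDAPURL uses ldap:// (bind password sent unencrypted)")
    if has("sethandler ldap-status") and not has("require "):
        findings.append(f"{path}: ldap-status handler without a Require (cache contents exposed)")
    return findings

def lint(conf):
    return [f for p, lines in parse_locations(conf).items() for f in lint_location(p, lines)]
```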