
subversion and AD integration

Well, I've successfully integrated my Subversion on a Linux box with a Windows Server Active Directory, and right now the users get authenticated with AD before using the Subversion service.

I simply did that by defining an LDAP base search in SASL (let's say: OU=users,DC=domain,DC=com), and Subversion, on the other hand, is configured with the SASL daemon. Everything is fine.

However, my organization requires blocking the access of normal users to 'trunk' for some of its projects. So they specified two groups of users in Windows Server AD: normal-devel, which has access to all parts of the projects except 'trunk', and releng-devel, which has ultimate access.

Well, I don't know if it is even possible to filter those groups in the svnserve service, but I tried this (svnserve.conf):

[alias]
normal_usr = memberOf=CN=normal-devel
releng_usr = memberOf=CN=releng-devel

[group]
normal = &normal_usr
releng = &releng_usr

[repo:/project1/trunk]
@normal = none
@releng = rw

Unfortunately, it doesn't work and I receive "Authorization error" when I want to commit sources to 'trunk' with a releng user. It seems to me that there is something wrong in my config file.

Does anybody have successful experience with filtering AD users based on their group membership?

  1. You can't refer to any AD|LDAP data in a group's definition - mod_authz|svnserve know nothing about AD and can't operate with it.
  2. You can't translate AD-groups into authz's groups automatically, using default tools.

The solution is the LDAP Groups to Subversion Authz Groups Bridge script, and just one additional note: with SVN 1.8+ you can have the groups definition in its own file, separated from other authz data.

Part of default svnserve.conf:

### The groups-db option controls the location of the groups file.
...
# groups-db = groups
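
A sketch of what such a bridge does, as an added example that is not part of the original answer and is not the bridge script itself: it turns AD group membership into the `[groups]` section a `groups-db` file holds, so that rules like `@normal = none` and `@releng = rw` have something to resolve against. The directory data is constructed and embedded inline (a real bridge would obtain it from an LDAP search), and `WANTED`, `authz_name` and `render_groups` are hypothetical names.

```python
import re

# Constructed sample of LDAP search results (not real directory data).
USERS = {  # user DN -> sAMAccountName
    "CN=Alice A,OU=users,DC=domain,DC=com": "alice",
    "CN=Bob B,OU=users,DC=domain,DC=com": "bob",
    "CN=Carol C,OU=users,DC=domain,DC=com": "carol",
}
GROUPS = {  # group DN -> values of its 'member' attribute (DNs)
    "CN=normal-devel,OU=users,DC=domain,DC=com": [
        "CN=Bob B,OU=users,DC=domain,DC=com",
        "CN=Alice A,OU=users,DC=domain,DC=com",
    ],
    "CN=releng-devel,OU=users,DC=domain,DC=com": [
        "CN=Carol C,OU=users,DC=domain,DC=com",
    ],
}
# authz group name -> AD group DN it mirrors (assumed mapping)
WANTED = {
    "normal": "CN=normal-devel,OU=users,DC=domain,DC=com",
    "releng": "CN=releng-devel,OU=users,DC=domain,DC=com",
}

SAFE = re.compile(r"[A-Za-z0-9._-]+")


def authz_name(value):
    """Refuse directory values that could alter the authz file's syntax."""
    if not SAFE.fullmatch(value):
        raise ValueError(f"unsafe name for authz file: {value!r}")
    return value


def render_groups(wanted, groups, users):
    """Return the text of a groups file: one '[groups]' section."""
    lines = ["[groups]"]
    for name, dn in sorted(wanted.items()):
        if dn not in groups:
            # Stop rather than write a file with a group silently missing.
            raise KeyError(f"AD group not found: {dn}")
        # Members that are not known user entries are skipped.
        members = sorted(authz_name(users[m]) for m in groups[dn] if m in users)
        lines.append(f"{authz_name(name)} = {', '.join(members)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_groups(WANTED, GROUPS, USERS), end="")
```

Because account names from the directory end up inside an authorization file, the name check matters: a value containing a newline or `=` would otherwise be written as an extra rule.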
