0

I'm trying to set up patch based authorization in SVN using LDAP and AuthzSVNAccess and my initial test was just to give read/write access to everyone in order to check that the config was working correctly.

I have my Apache conf as:

<Location /svn/>
    AuthName  "Login with LDAP"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL ldap://XXX.com:389/ou=XXX,dc=XXX,dc=XXX,dc=XXX?uid
    SVNParentPath /var/www/svn
    AuthzSVNAccessFile /var/www/svn/authorization.access
    Satisfy Any
    require valid-user
</Location>

I have various SVN repositories that live directly under /var/www/svn.

And authorization.access looks like this:

[/]
* = rw

This is definitely taking effect, if I were to change it to * = r then I can no longer commit so I'm happy that Apache is using the file.

However, Whilst I can checkout, commit, repo-browse, update I can no longer svn lock any files I get the error:

Error: Server sent unexpected return value (401 Authorization Required) in response to LOCK request for '/svn/MyRepo/MyFile.txt'.

Does any one know if there needs to be additional configuration for svn lock and AuthzSVN? Is there another permission other than rw that I may need? Or perhaps something wrong in my current config.

Thanks, Mike.

mleonard87
  • 324
  • 1
  • 11

1 Answers1

1

Couple of issues that I see.

1) You're missing the DAV directive. However based on what you're saying I'm guessing this is just an oversight in what you've posted here.

2) Satisfy any is probably the source of your problem. Satisfy any makes the authorization rules be or'ed. So either mod_authz_svn allows the access or you get prompted for a password. You only really only want to use Satisfy any when you want to allow anonymous and authenticated access. If you're wanting to behave that way in order to have everything work right you're going to have to remove anonymous write access. I'd suggest the following simplistic authz file for testing:

[/]
$anonymous = r
$authenticated = rw

The reason that you're getting a 401 here is because Subversion does not support anonymous locks. So it's trying to get you to authenticate. But due to the Satisfy any directive the password authentication never comes into play.

3) The fact that you're getting a 401 implies that you're using a version of Subversion that is not up to date. In particular you should be getting a 501 Not Implemented since the 401 was actually involved in a security vulnerability (CVE-2013-1847).

So I'd recommend that you upgrade to Subversion 1.7.13 or 1.8.4. If you don't want to build your own packages I'd recommend one of the many sources of binary packages.

Ben Reser
  • 5,695
  • 1
  • 21
  • 29
  • I dont have the DAV directive and everything is working fine. I assume because of the LDAP config. The satisfy any hint was absolutely spot on though and has fixed my problem. Thank you. We are currently only on SVN 1.6 and an upgrade is on the table for the near future, thanks for the advice. – mleonard87 Nov 23 '13 at 08:54
  • There should always be a "DAV SVN" directive in the Location block where you're setting Subversion up to respond. It has nothing to do with authentication. It tells mod_dav which provider it should use. Without it the default is mod_dav_fs, but you need mod_dav_svn for Subversion to work right. You might have it somewhere else in your config but it's likely to cause problems if you try to use any other path on the server since then mod_dav will try to serve it. – Ben Reser Nov 23 '13 at 17:27