On Fri, Jul 12, 2013 at 03:45:24PM +0200, Branko Čibej wrote:
> Yes, that is a layering violation. The authz implementation shouldn't
> care where group names and group membership info comes from. I can
> think of two ways to do this:
>
> 1. The caller provides a callback that the authz resolver can use to
> determine if the current user is a member of some group.
> 2. The caller sends the transitive closure of group memberships along
> with the username, and the authz resolver uses that to determine
> group membership
>
> Both of these options require a libsvn_repos API change.
Yes, I agree completely. Of course, the authz rules file itself needs to contain ldap group names, which like the list of user names, are site-specific. But the mechanism of how the group is looked up belongs outside of libsvn_repos, of course. Hence my suggestion to move the ldap lookup code into mod_authz_svn and svnserve.
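To make the layering concrete, here is an added illustration (not Subversion code, and not the libsvn_repos API) of an authz resolver that evaluates rules in the authz-file syntax but never looks up groups itself. The caller supplies membership either as a callback (option 1) or as a precomputed transitive closure wrapped in a callback (option 2), so the same resolver serves both. The rule set, the directory contents and all names (`DIRECT_MEMBERS`, `NESTED_GROUPS`, `check_access`, etc.) are constructed for the example; the precedence model (user entry, then matching group entries, then `*`, then parent path) is a simplified sketch, not svn's exact semantics.

```python
"""Authz resolver that is agnostic to where group membership comes from (constructed example)."""
import configparser
from typing import Callable, Dict, Set

# Constructed authz rule set in the authz-file syntax. Group names are site-specific
# and live in the rules; *how* a user is mapped to a group does not.
AUTHZ_RULES = """
[/]
* = r

[/trunk]
@developers = rw

[/secret]
* =
@admins = rw
"""

# Constructed stand-in for a directory service: direct memberships and nested groups.
DIRECT_MEMBERS: Dict[str, Set[str]] = {"alice": {"developers"}, "bob": {"senior-devs"}, "carol": set()}
NESTED_GROUPS: Dict[str, Set[str]] = {"senior-devs": {"developers", "admins"}}  # senior-devs is nested in both

MemberOf = Callable[[str, str], bool]  # (user, group) -> is user a member of group?


def parse_authz(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [path] sections into {path: {principal: perms}}; '@name' entries are groups."""
    cp = configparser.RawConfigParser(allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep the case of user and group names
    cp.read_string(text)
    return {section: {k: (v or "") for k, v in cp.items(section)} for section in cp.sections()}


def check_access(rules: Dict[str, Dict[str, str]], path: str, user: str,
                 member_of: MemberOf, wanted: str = "r") -> bool:
    """Decide access using only the rules and the caller-supplied membership oracle."""
    # Walk from the most specific matching path section to the least specific (inheritance).
    matching = [s for s in rules if path == s or path.startswith(s.rstrip("/") + "/")]
    for section in sorted(matching, key=len, reverse=True):
        entries = rules[section]
        if user in entries:                      # explicit user entry wins
            return wanted in entries[user]
        group_perms = [v for k, v in entries.items() if k.startswith("@") and member_of(user, k[1:])]
        if group_perms:                          # union of grants from all matching groups
            return wanted in "".join(group_perms)
        if "*" in entries:                       # everyone-rule, possibly an empty (deny) one
            return wanted in entries["*"]
    return False                                 # no applicable rule: deny


# Option 1: a callback that consults the directory on each question.
def directory_callback(user: str, group: str) -> bool:
    """Constructed lookup; a real deployment would query LDAP here, outside the resolver."""
    return group in transitive_groups(user)


# Option 2: the caller precomputes the transitive closure of the user's groups.
def transitive_groups(user: str) -> Set[str]:
    """Expand nested group memberships to the full set of groups the user belongs to."""
    seen: Set[str] = set()
    stack = list(DIRECT_MEMBERS.get(user, set()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(NESTED_GROUPS.get(group, set()))
    return seen


def closure_callback(groups: Set[str]) -> MemberOf:
    """Wrap a precomputed closure so the resolver sees the same callback shape as option 1."""
    return lambda _user, group: group in groups


if __name__ == "__main__":
    rules = parse_authz(AUTHZ_RULES)
    print("alice w /trunk/foo:", check_access(rules, "/trunk/foo", "alice", directory_callback, "w"))
    bob_groups = transitive_groups("bob")
    print("bob groups:", sorted(bob_groups))
    print("bob w /secret/x:", check_access(rules, "/secret/x", "bob", closure_callback(bob_groups), "w"))
    print("carol r /trunk/foo:", check_access(rules, "/trunk/foo", "carol", directory_callback, "r"))
```

Either way the resolver's only dependency on the outside world is the `member_of` oracle; swapping a flat-file group table for an LDAP lookup changes the caller (the mod_authz_svn or svnserve side in the thread's terms), not the rule evaluator.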