On 12.07.2013 18:32, Stefan Sperling wrote:
> On Fri, Jul 12, 2013 at 03:45:24PM +0200, Branko Čibej wrote:
>> Yes, that is a layering violation. The authz implementation shouldn't
>> care where group names and group membership info comes from. I can
>> think of two ways to do this:
>>
>> 1. The caller provides a callback that the authz resolver can use to
>> determine if the current user is a member of some group.
>> 2. The caller sends the transitive closure of group memberships along
>> with the username, and the authz resolver uses that to determine
>> group membership
>>
>> Both of these options require a libsvn_repos API change.
> Yes, I agree completely.
>
> Of course, the authz rules file itself needs to contain ldap
> group names,

Scratch "ldap" -- it has to contain group names, that's all.

> which like the list of user names, are site-specific.

Of course.

> But the mechanism of how the group is looked up belongs outside
> of libsvn_repos, of course. Hence my suggestion to move the ldap
> lookup code into mod_authz_svn and svnserve.

Probably only svnserve; mod_authz_svn should just use whatever group
info is available. mod_ldap isn't the only such provider, you could
use mod_auth_pam or even mod_auth_pgsql, for example.

The question I don't know the answer to is whether there's a standard
interface for authentication modules that mod_authz_svn could use to
query group membership.

-- Brane

-- 
Branko Čibej | Director of Subversion
WANdisco // Non-Stop Data
e. br...@wandisco.com
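An added sketch of the two options quoted in this thread (not code from the thread or from libsvn_repos): the resolver only ever sees group names from the rules, and membership is answered by a caller-supplied callback (option 1) or by a check over a transitive closure the caller computed beforehand (option 2). The names `RULES`, `NESTED`, `access_for`, `transitive_groups` and `closure_check` and the sample data are my own constructions, and the rule evaluation is a simplified model rather than Subversion's exact authz semantics.

```python
from typing import Callable, Dict, Set

# Added model of the layering discussed above (not libsvn_repos code): the
# resolver knows only group *names* from the rules; the caller answers
# "is user in group?" (option 1) or passes a check over the precomputed
# transitive closure of the user's groups (option 2).
GroupCheck = Callable[[str, str], bool]  # (user, group) -> member?

# Constructed sample rules in svn authz style: path -> {principal: perms}
RULES: Dict[str, Dict[str, str]] = {
    "/": {"*": "r"},
    "/trunk": {"@developers": "rw"},
    "/secret": {"*": "", "@admins": "rw", "alice": "r"},
}
# Constructed nested groups held by the caller (e.g. svnserve), never by the resolver
NESTED: Dict[str, Set[str]] = {"developers": {"bob", "@juniors"},
                               "juniors": {"dave"}, "admins": {"carol"}}

def transitive_groups(user: str, nested: Dict[str, Set[str]]) -> Set[str]:
    """Caller-side helper for option 2: every group containing `user`,
    following nested @group references (cycle-safe via the visited set)."""
    result, todo = set(), [g for g, m in nested.items() if user in m]
    while todo:
        g = todo.pop()
        if g in result:
            continue
        result.add(g)
        todo.extend(p for p, m in nested.items() if "@" + g in m)
    return result

def _covers(section: str, path: str) -> bool:
    return path == section or path.startswith(section.rstrip("/") + "/")

def access_for(user: str, path: str, is_member: GroupCheck,
               rules: Dict[str, Dict[str, str]] = RULES) -> str:
    """'rw', 'r' or '' for user at path: the most specific section that mentions
    the user (by name, via a group the callback confirms, or '*') decides."""
    for section in sorted((s for s in rules if _covers(s, path)), key=len, reverse=True):
        perms, matched = set(), False
        for principal, perm in rules[section].items():
            if principal in (user, "*") or (
                    principal.startswith("@") and is_member(user, principal[1:])):
                matched, perms = True, perms | set(perm)
        if matched:
            return "rw" if {"r", "w"} <= perms else ("r" if "r" in perms else "")
    return ""

# Option 2 wired up: group lookup happens entirely outside the resolver.
def closure_check(user: str, group: str) -> bool:
    return group in transitive_groups(user, NESTED)
```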