
Use SID from LDAP (ActiveDirectory) instead of sAMAccountName

Open mfreiholz opened this issue 12 years ago • 9 comments

Discussion from website to this issue:

Jacq says: March 13, 2012 at 9:24 pm

Hi, I'm using iF.SVNAdmin since the last release and I would like to try it together with VisualSVN Server. The problem is that VisualSVN Server stores the permissions in an auth-win file and uses the Windows SID instead of the sAMAccountName. I think this decision was made some time ago to support Active Directory integration and to support AD groups. Could you think about adding the option for iF.SVNAdmin to use SIDs instead of usernames when integrated with AD? The easier change necessary should be to translate the SID to usernames and keep the same auth-win file for both apps, but the issue will be more difficult when the SID belongs to an AD group. Here is a related thread explaining the same problem with websvn+visualsvn, but they decided not to add the support because it is a VisualSVN issue. Thanks


Manuel Freiholz says: March 14, 2012 at 7:49 pm

Hi Jacq, I will have a further look at it.

Is the SID an attribute of the member in Active Directory?


Jacq says: March 14, 2012 at 10:52 pm

Yes, it is a unique identifier of all Active Directory objects. I think that VisualSVN switched to SIDs instead of names to support Active Directory groups; they could have used sAMAccountName but I think it may not be unique. Maybe for iF.SVNAdmin the natural approach should be to define a new group provider for LDAP. If you prefer we could move this conversation to the issue tracker.

mfreiholz avatar Mar 15 '12 05:03 mfreiholz

Hi,

Did you have time to have a look at this? Do you think it will be possible to have a LDAP group provider and user provider based on SID values?

Jacq avatar Mar 27 '12 22:03 Jacq

Hi Jacq. Sorry, I was very busy and didn't find time to look at it, but I think it shouldn't be a big problem to implement a user and group provider which supports it.

I'm in England until Saturday and will hopefully find some time on Sunday.


mfreiholz avatar Mar 28 '12 04:03 mfreiholz

Hi Jacq

here is a screenshot of my testing LDAP server, I marked the SID. Is this the SID you are talking about?

Image: http://i41.tinypic.com/2yzikix.png

mfreiholz avatar Mar 28 '12 07:03 mfreiholz

Hi Manuel,

Yes, that is the SID. I think that to maintain compatibility with the previous version the best solution should be to add a config variable to choose between the SID and the current sAMAccountName for the user LDAP provider. Then the support for LDAP groups could be added the same way with the sAMAccountName and the group SID. If you need help with any of this just let me know.


Jacq avatar Mar 28 '12 19:03 Jacq

I installed VisualSVN Server (VSS) to see how they manage the SVNAuthFile. Maybe it's possible to support the file of VSS by using the [alias] section of SVNAuthFile.

mfreiholz avatar Apr 02 '12 17:04 mfreiholz

The "objectSid" (+objectGUID) entities are binary entries in the Active Directory and require special handling. The current LDAP engine of iF.SVNAdmin can't handle binary fields.

Notes:

  • Update needed for "IF_AbstractLdapConnector": Use "ldap_first_entry()", "ldap_next_entry()" and "ldap_get_values_len()" instead of "ldap_get_entries()".

mfreiholz avatar Apr 02 '12 19:04 mfreiholz
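As an added example (not iF.SVNAdmin's code and not posted in this thread), the following PHP shows the binary handling the note above calls for. It iterates a result set with ldap_first_entry()/ldap_next_entry() and reads objectSid with ldap_get_values_len(), which keeps binary values intact where ldap_get_entries() truncates them at the first NUL byte, and decodes the blob into the "S-1-5-..." text form used in VisualSVN's auth-win file. The layout (1-byte revision, 1-byte sub-authority count, 6-byte big-endian identifier authority, then 32-bit little-endian sub-authorities) is the documented Windows SID structure. The reverse conversion plus an LDAP filter escaper covers the name-to-SID lookup direction as well. Function names such as binarySidToString and readObjectSids are hypothetical; readObjectSids needs a live LDAP connection, while the two converters run offline on the constructed sample values at the bottom. A 64-bit PHP build is assumed.

```php
<?php
// Added example, not iF.SVNAdmin code. Decodes the binary "objectSid" attribute
// that Active Directory returns over LDAP into the textual "S-1-5-21-..." form.

/**
 * Convert a binary SID (as returned by ldap_get_values_len()) to its string form.
 * Layout: revision (1 byte), sub-authority count (1 byte), identifier authority
 * (6 bytes, big-endian), then N 32-bit little-endian sub-authorities.
 * Returns null if the blob is malformed instead of producing a bogus SID.
 */
function binarySidToString(string $sid): ?string
{
    if (strlen($sid) < 8) {
        return null;
    }
    $revision = ord($sid[0]);
    $count    = ord($sid[1]);
    // Windows allows at most 15 sub-authorities; the blob must be exactly 8 + 4*count bytes.
    if ($count > 15 || strlen($sid) !== 8 + 4 * $count) {
        return null;
    }
    // 48-bit big-endian authority, read as 16 + 32 bits. Values above 2^32 are
    // printed in hex per the Windows convention; in practice AD returns 5 (NT authority).
    $auth = unpack('nhigh/Nlow', substr($sid, 2, 6));
    $authority = $auth['high'] === 0
        ? $auth['low']
        : sprintf('0x%04X%08X', $auth['high'], $auth['low']);
    $parts = ['S', $revision, $authority];
    for ($i = 0; $i < $count; $i++) {
        $sub = unpack('V', substr($sid, 8 + 4 * $i, 4)); // unsigned little-endian 32-bit
        $parts[] = sprintf('%u', $sub[1]);
    }
    return implode('-', $parts);
}

/**
 * Reverse conversion: "S-1-5-21-..." to the binary layout AD stores.
 * Only the decimal authority form is handled (hex authorities never occur in AD).
 */
function stringSidToBinary(string $sid): ?string
{
    if (!preg_match('/^S-(\d+)-(\d+)((?:-\d+)+)$/i', $sid, $m)) {
        return null;
    }
    $subs = array_map('intval', explode('-', ltrim($m[3], '-')));
    if (count($subs) > 15) {
        return null;
    }
    $authority = (int) $m[2];
    $bin = chr((int) $m[1]) . chr(count($subs))
         . pack('nN', $authority >> 32, $authority & 0xFFFFFFFF);
    foreach ($subs as $s) {
        $bin .= pack('V', $s);
    }
    return $bin;
}

/**
 * Escape a binary value for use inside an LDAP search filter (RFC 4515 \XX form),
 * e.g. "(objectSid=\01\05\00...)" to find the account that owns a given SID.
 */
function binaryToLdapFilterValue(string $bin): string
{
    return implode('', array_map(fn($b) => sprintf('\\%02x', ord($b)), str_split($bin)));
}

/**
 * Read the objectSid of every entry in a live LDAP result set using the
 * entry-iteration API rather than ldap_get_entries(). Returns [dn => 'S-1-5-...'].
 * $conn and $result come from ldap_connect()/ldap_search() and are not created here.
 */
function readObjectSids($conn, $result): array
{
    $sids = [];
    for ($entry = ldap_first_entry($conn, $result); $entry !== false; $entry = ldap_next_entry($conn, $entry)) {
        $values = ldap_get_values_len($conn, $entry, 'objectSid');
        if ($values === false || $values['count'] < 1) {
            continue; // entry without a SID (e.g. an OU), skip it
        }
        $text = binarySidToString($values[0]);
        if ($text !== null) {
            $sids[ldap_get_dn($conn, $entry)] = $text;
        }
    }
    return $sids;
}

// Constructed sample: the well-known BUILTIN\Administrators SID S-1-5-32-544,
// byte for byte as Active Directory would return it in objectSid.
$builtinAdmins = "\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00";
echo binarySidToString($builtinAdmins), "\n";

// Round-trip a sample domain user SID (sample value, not from any real domain)
// and build the filter value needed to look the account up by SID.
$domainUser = 'S-1-5-21-3623811015-3361044348-30300820-1013';
$bin = stringSidToBinary($domainUser);
echo binarySidToString($bin) === $domainUser ? "round trip ok\n" : "round trip mismatch\n";
echo '(objectSid=' . binaryToLdapFilterValue($bin) . ")\n";
```

Mapping SIDs to accounts in the auth file then becomes a lookup in either direction: decode objectSid from the LDAP entries to match the auth-win file, or convert a string SID to the escaped binary filter to find the sAMAccountName. The strict length check matters because a truncated blob (what ldap_get_entries() would hand back) would otherwise decode to a shorter, wrong SID and could match the wrong principal silently.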

A link to the same problem when using websvn; it includes an example function, which I haven't tested, to translate a name to a SID: http://websvn.tigris.org/ds/viewMessage.do?dsForumId=2390&dsMessageId=2699407

Jacq avatar May 02 '12 20:05 Jacq

Could you write how to install on Linux? There is a problem with config.tpl.ini:

SvnAdminExecutable=D:\Development\Data\ifsvnadmin (testdata)\subversion 1.7.4-1\svnadmin.exe
SvnExecutable=D:\Development\Data\ifsvnadmin (testdata)\subversion 1.7.4-1\svn.exe

etc.

Nemcio avatar Oct 19 '12 07:10 Nemcio

It's not a "problem". You have to change those paths into something like:

SvnAdminExecutable=/usr/bin/svnadmin
SvnExecutable=/usr/bin/svn

and make sure that the Apache user (www-data) has permission to execute these binaries (SELinux requires special configuration).

PS: Please open a separate issue the next time :P

mfreiholz avatar Oct 19 '12 07:10 mfreiholz