Use SID from LDAP (ActiveDirectory) instead of sAMAccountName #2
Comments
Hi, did you have time to have a look at this?
Hi Jacq. I'm in England until Saturday and will hopefully find some time on Sunday. Sent from my Google Nexus Jacq reply@reply.github.com wrote:
Hi Jacq, here is a screenshot of my testing LDAP server, I marked the SID. Is this the SID you are talking about?
Hi Manuel, Yes that is the SID. On 28/03/2012 9:07, Manuel Freiholz wrote:
I installed VisualSVNServer (VSS) to see how they manage the SVNAuthFile. Maybe it's possible to support the file of VSS by using the [alias] section of SVNAuthFile.
The "objectSid" (+objectGUID) entities are binary entries in the ActiveDirectory and require special handling. The current LDAP Engine of iF.SVNAdmin can't handle binary fields. Notes:
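An added example, not part of this thread or of iF.SVNAdmin's code: decoding the binary "objectSid" value mentioned in the comment above into its S-1-... string form, in PHP (the language iF.SVNAdmin is written in). The function name and the sample bytes are constructed for illustration, and a 64-bit PHP build is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Decode a binary SID (the raw value of the AD "objectSid" attribute)
 * into its string form, e.g. S-1-5-21-...-1104.
 * Layout: 1 byte revision, 1 byte sub-authority count,
 * 6 bytes identifier authority (big-endian),
 * then count x 4-byte sub-authorities (little-endian).
 */
function sidBinaryToString(string $bin): string
{
    $len = strlen($bin);
    if ($len < 8) {
        throw new InvalidArgumentException('SID shorter than its 8-byte header');
    }
    $revision = ord($bin[0]);
    $count    = ord($bin[1]);
    // Reject values whose declared count does not match the actual length,
    // so a truncated or padded attribute never yields a plausible-looking SID.
    if ($revision !== 1 || $count > 15 || $len !== 8 + 4 * $count) {
        throw new InvalidArgumentException('Malformed SID');
    }
    // Identifier authority: 48-bit big-endian integer.
    $authority = 0;
    for ($i = 2; $i < 8; $i++) {
        $authority = ($authority << 8) | ord($bin[$i]);
    }
    $parts = ['S', (string)$revision, (string)$authority];
    // Sub-authorities: unsigned 32-bit little-endian integers.
    for ($i = 0; $i < $count; $i++) {
        $sub = unpack('V', substr($bin, 8 + 4 * $i, 4))[1];
        $parts[] = sprintf('%u', $sub);
    }
    return implode('-', $parts);
}

// Constructed sample value (not a real account).
// With a live directory the raw bytes would come from ldap_get_values_len(),
// which returns attribute values as binary-safe strings.
$sample = pack('C2nN', 1, 5, 0, 5)
        . pack('V5', 21, 1111111111, 2222222222, 3333333333, 1104);

echo sidBinaryToString($sample), PHP_EOL;
```

The decoded string can then be compared against the SID entries of an authorization file, instead of matching on sAMAccountName.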
A link to the same problem when using websvn, it includes an example function that I haven't tested to translate name to SID:
Could you write how to install on Linux?
It's not a "problem". SvnAdminExecutable=/usr/bin/svnadmin and make sure that the apache user (www-data) has permission to execute these binaries (SELinux requires special configuration). PS: Please open a separate issue the next time :P
Discussion from website to this issue:
Jacq says:
March 13, 2012 at 9:24 pm
Hi,
I’m using iF.SVNAdmin since last release and I would like to try it together with visualsvn server.
The problem is that visualsvn server stores the permissions in an auth-win file and uses the windows SID instead of the samaccountname. I think this decision was made some time ago to support active directory integration and to support AD groups.
Could you think about adding the option for if.svnadmin to use SID instead of usernames when integrated to AD?
The easier change necessary should be to translate the SID to usernames and keep the same auth-win file for both apps, but the issue will be more difficult when the SID belongs to an AD group.
Here is a related thread explaining the same problem with websvn+visualsvn, but they decided not to add the support due to it being a visualsvn issue.
Thanks
Manuel Freiholz says:
March 14, 2012 at 7:49 pm
Hi Jacq,
I will have a further look at it.
Is the SID an attribute of the member in Active Directory?
Jacq says:
March 14, 2012 at 10:52 pm
Yes, it is a unique identifier of all active directory objects.
I think that visualsvn switched to SID instead of names to support activedirectory groups; they could have used samaccountname but I think it may not be unique.
Maybe for ifsvnadmin the natural approach should be to define a new group provider for ldap.
If you prefer we could move this conversation to the issues tracker.