Use SID from LDAP (ActiveDirectory) instead of sAMAccountName #2

Open
mfreiholz opened this issue Mar 15, 2012 · 9 comments
@mfreiholz
Owner

Discussion from website to this issue:

Jacq says:
March 13, 2012 at 9:24 pm

Hi,
I’m using iF.SVNAdmin since last release and I would like to try it together with visualsvn server.
The problem is that visualsvn server stores the permissions in an auth-win file and uses the windows SID instead of the samaccountname. I think this decision was made some time ago to support active directory integration and to support AD groups.
Could you think about adding the option for if.svnadmin to use SID instead of usernames when integrated to AD?
The easiest change necessary should be to translate the SID to usernames and keep the same auth-win file for both apps, but the issue will be more difficult when the SID belongs to an AD group.
Here is a related thread explaining the same problem with websvn+visualsvn, but they decided not to add the support due to it being a visualsvn issue.
Thanks


Manuel Freiholz says:
March 14, 2012 at 7:49 pm

Hi Jacq,
I will have a further look at it.

Is the SID an attribute of the member in Active Directory?


Jacq says:
March 14, 2012 at 10:52 pm

Yes, it is a unique identifier of all active directory objects.
I think that visualsvn switched to SID instead of names to support Active Directory groups; they could have used samaccountname but I think it may not be unique.
Maybe for ifsvnadmin the natural approach should be to define a new group provider for ldap.
If you prefer we could move this conversation to the issues tracker.

@ghost ghost assigned mfreiholz Mar 15, 2012
@Jacq

Jacq commented Mar 27, 2012

Hi,

Did you have time to have a look at this?
Do you think it will be possible to have a LDAP group provider and user provider based on SID values?

@mfreiholz
Owner Author

Hi Jacq.
Sorry, I was very busy and didn't find time to look at it, but I think it shouldn't be a big problem to implement a user and group provider which supports it.

I'm in England until Saturday and will hopefully find some time on Sunday.


@mfreiholz
Owner Author

Hi Jacq

Here is a screenshot of my testing LDAP server, I marked the SID. Is this the SID you are talking about?

Image: http://i41.tinypic.com/2yzikix.png

@Jacq

Jacq commented Mar 28, 2012

Hi Manuel,

Yes that is the SID.
I think to maintain compatibility with previous versions the best
solution should be to add a config variable to choose between the SID
and the current sAMAccountName for the user LDAP provider.
Then the support for LDAP groups could be added the same way with the
sAMAccountName and the group SID.
If you need help with any of this just let me know.


@mfreiholz
Owner Author

I installed VisualSVNServer (VSS) to see how they manage the SVNAuthFile. Maybe it's possible to support the file of VSS by using the [alias] section of SVNAuthFile.

@mfreiholz
Owner Author

The "objectSid" (+objectGUID) entities are binary entries in the ActiveDirectory and require special handling. The current LDAP Engine of iF.SVNAdmin can't handle binary fields.

Notes:

  • Update needed for "IF_AbstractLdapConnector": Use "ldap_first_entry()", "ldap_next_entry()" and "ldap_get_values_len()" instead of "ldap_get_entries()".
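
Added example (not part of the original comment and not iF.SVNAdmin code) of the binary handling these notes call for: reading "objectSid" with the entry-by-entry LDAP functions named above and decoding it, with length and revision checks, into the "S-1-5-21-..." string form. The function names `sid_bin_to_string` and `fetch_object_sids` and the sample SID are hypothetical; it assumes 64-bit PHP 7.1+ with the ldap extension.

```php
<?php
// Added example; function names and the sample SID are hypothetical.
// Decode a raw objectSid into "S-1-5-21-..." form; null if malformed.
function sid_bin_to_string(string $bin): ?string
{
    $len = strlen($bin);
    // Header is 8 bytes (revision, count, 48-bit authority); revision must be 1.
    if ($len < 8 || ord($bin[0]) !== 1) {
        return null;
    }
    $count = ord($bin[1]); // number of 32-bit sub-authorities, at most 15
    if ($count > 15 || $len !== 8 + 4 * $count) {
        return null;
    }
    $authority = 0; // identifier authority: 6 bytes, big-endian
    for ($i = 2; $i < 8; $i++) {
        $authority = ($authority << 8) | ord($bin[$i]);
    }
    $parts = ['S', 1, $authority];
    for ($i = 0; $i < $count; $i++) { // sub-authorities: unsigned little-endian
        $parts[] = sprintf('%u', unpack('V', $bin, 8 + 4 * $i)[1]);
    }
    return implode('-', $parts);
}

// Map sAMAccountName => SID string, reading objectSid as raw bytes.
function fetch_object_sids($conn, string $baseDn, string $filter): array
{
    $sids = [];
    $res = ldap_search($conn, $baseDn, $filter, ['sAMAccountName', 'objectSid']);
    if ($res === false) {
        return $sids;
    }
    for ($e = ldap_first_entry($conn, $res); $e !== false; $e = ldap_next_entry($conn, $e)) {
        $name = ldap_get_values($conn, $e, 'sAMAccountName');
        $raw = ldap_get_values_len($conn, $e, 'objectSid'); // binary-safe read
        $sid = ($raw !== false && $raw['count'] > 0) ? sid_bin_to_string($raw[0]) : null;
        if ($name !== false && $sid !== null) {
            $sids[$name[0]] = $sid; // malformed or missing SIDs are skipped
        }
    }
    return $sids;
}

// Constructed sample value (not from a real directory); runs without LDAP.
$sample = "\x01\x05\x00\x00\x00\x00\x00\x05" . pack('V5', 21, 1111111111, 2222222222, 3333333333, 1104);
echo sid_bin_to_string($sample), "\n";
```

Rejecting values with the wrong revision or length keeps a truncated or corrupted attribute from being written into an access file as if it were a valid principal.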

@Jacq

Jacq commented May 2, 2012

A link to the same problem when using websvn, it includes an example function that I haven't tested to translate name to SID:
http://websvn.tigris.org/ds/viewMessage.do?dsForumId=2390&dsMessageId=2699407

@Nemcio

Nemcio commented Oct 19, 2012

Could you write how to install on Linux?
There is a problem with config.tpl.ini:
SvnAdminExecutable=D:\Development\Data\ifsvnadmin (testdata)\subversion 1.7.4-1\svnadmin.exe
SvnExecutable=D:\Development\Data\ifsvnadmin (testdata)\subversion 1.7.4-1\svn.exe
and etc

@mfreiholz
Owner Author

It's not a "problem".
You have to change those paths into something like:

SvnAdminExecutable=/usr/bin/svnadmin
SvnExecutable=/usr/bin/svn

and make sure that the apache user (www-data) has permission to execute these binaries (SELinux requires special configuration).

PS: Please open a separate issue the next time :P
