I'm trying to configure my Subversion server to use AuthzSVNCrowdAccessFile for directory-based authorization and I'm completely stuck. No matter what I try, the restrictions in my dav_svn.authz file are ignored by the server. All users that have access to the application created in Crowd to handle authentication have access to all directories.
My ultimate goal is to have a directory on the Subversion server that holds ~30 SVN repos. Some of the repos will be accessible by group1, some by group2, some by group3, and all by group4. With the setup defined below all users have access to all repos, no matter what the dav_svn.authz says.
In Crowd I've created an application named sse_svn_april with the URL http://10.74.47.100:8080/april. I created Crowd groups sse_oracle_dev and sse_oracle_qa and assigned a user to each group (User: oracle_developer, Group: sse_oracle_dev; User: oracle_qa, Group: sse_oracle_qa).
I granted both groups access to the sse_svn_april application and verified that both users pass the application's authentication test on the Crowd server.
I've created a directory on the Subversion server that will hold the repos: /var/subversion/april_sse_repositories. In that folder I've created a pair of repositories: rbs and Automation. In my subversion.conf file I created the following Location entry:
    <Location /april/>
        DAV svn
        SVNParentPath /var/subversion/april_sse_repositories/
        SVNListParentPath on
        AuthType Basic
        AuthName "CROWD Authentication"
        PerlAuthenHandler Apache::CrowdAuth
        PerlSetVar CrowdAppName sse_svn_april
        PerlSetVar CrowdAppPassword password
        PerlSetVar CrowdSOAPURL http://crowdserver:8095/crowd/services/SecurityServer
        PerlSetVar CrowdCacheEnabled on
        PerlSetVar CrowdCacheLocation /tmp/CrowdAuth/sse_svn_april
        PerlSetVar CrowdCacheExpiry 180
        PerlSetVar AuthzSVNCrowdAccessFile /usr/local/apache2/dav_svn.authz
        require valid-user
    </Location>
My dav_svn.authz file is below.
    [groups]
    sse_oracle_dev
    sse_oracle_qa
    jira-administrators

    [/]
    * =
    @jira-administrators = rw

    [rbs:/]
    * =
    @sse_oracle_dev = r
    @sse_oracle_qa =

    [automation:/]
    * =
    @sse_oracle_qa = r
    @sse_oracle_dev =
With the above, I expected that user oracle_developer would have read-only access to the rbs repository and no access to the automation repository. The user oracle_qa would have read-only access to the automation repository and no access to the rbs repository. Instead, both users have access to both repositories.
I've tried several combinations of syntaxes for the dav_svn.authz without success. I've tried adding and removing the groups from the [groups] section, adding and removing the @ from the group names, and adding and removing the default "* =" from each section. The result is always the same: all users have access to all repositories. I've tried with both TortoiseSVN and a command-line SVN client, and I've made sure to restart Apache after any change to the subversion.conf file or the dav_svn.authz file.
When I try to browse either repo I can see Crowd authenticate the user, but I don't see anything about the dav_svn.authz file. When I restart Apache I can see that the dav_svn_module has loaded.
I'm using Crowd v2.2.2 and Subversion v1.5.1 on Red Hat Enterprise Linux Server release 5.4 (Tikanga).
I am officially baffled. Any help would be greatly appreciated and go a long way to me not having to pull an all-nighter this week.
Hey Byron,
The correct way to configure authorization for the Perl Connector (which is very different from the native connector) is via these lines (example):
    PerlAuthzHandler Apache::CrowdAuthz
    PerlSetVar CrowdAuthzSVNAccessFile /usr/local/apache2/dav_svn.authz
Highlighted here: https://confluence.atlassian.com/display/CROWD020/Integrating+Crowd+with+Subversion (older version of the documentation that actually has the Perl connector config. See Step 3)
With this, you shouldn't have to pull an all-nighter anymore!
Foogie
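Once the PerlAuthzHandler line from the answer is in place, the remaining question is whether dav_svn.authz itself expresses the split the question describes. The checker below is an added example written for this page; it is not Subversion's own authz code (libsvn_repos) and not part of Apache::CrowdAuthz. The authz text is a constructed copy of the question's file in which the jira-administrators group is given a member (admin, an assumed user name), because an authz group is written as "name = member, member" and a bare name on its own line defines nothing; EXTERNAL_GROUPS is a constructed stand-in for the group membership an external directory such as Crowd would report. The rule resolution order is the one Subversion 1.10 and later document (most specific path first, repository section before the global one, user rule over group rule over "*"), assumed close enough to the older server in the thread for sanity-checking intent.

```python
"""Evaluate a Subversion authz file as a path-based access check would.

Added example, not libsvn_repos/authz.c and not Apache::CrowdAuthz.
Resolution order (assumed from the Subversion 1.10+ documentation):
  * walk from the requested path up to "/";
  * at each level consult [repo:/path] before the global [/path];
  * the first section with any rule matching the user is decisive,
    even when that rule grants nothing;
  * inside a section a rule naming the user beats a group rule, which
    beats $authenticated/$anonymous, which beats "*"; rules of equal
    precedence are unioned.
"""
import configparser
from typing import Dict, Optional, Set, Tuple

# Constructed copy of the question's file; "admin" is an assumed member.
AUTHZ = """\
[groups]
jira-administrators = admin

[/]
* =
@jira-administrators = rw

[rbs:/]
* =
@sse_oracle_dev = r
@sse_oracle_qa =

[automation:/]
* =
@sse_oracle_qa = r
@sse_oracle_dev =
"""

# Constructed stand-in for the groups an external directory (Crowd in the
# question) would report for each authenticated user.
EXTERNAL_GROUPS: Dict[str, Set[str]] = {
    "oracle_developer": {"sse_oracle_dev"},
    "oracle_qa": {"sse_oracle_qa"},
}


class Authz:
    def __init__(self, text: str,
                 external_groups: Optional[Dict[str, Set[str]]] = None) -> None:
        cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                       strict=False, empty_lines_in_values=False)
        cp.optionxform = str  # keep "@Group", "*" and "$authenticated" verbatim
        cp.read_string(text)
        self.groups: Dict[str, Set[str]] = {}
        if cp.has_section("groups"):
            for name, members in cp.items("groups"):
                self.groups[name] = {m.strip() for m in members.split(",") if m.strip()}
        self.sections = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
        self.external = external_groups or {}

    def user_groups(self, user: str) -> Set[str]:
        """External groups plus [groups] membership, nested @group entries included."""
        found = set(self.external.get(user, set()))
        changed = True
        while changed:
            changed = False
            for name, members in self.groups.items():
                if name not in found and (user in members or
                                          any("@" + g in members for g in found)):
                    found.add(name)
                    changed = True
        return found

    @staticmethod
    def _match(rule: str, user: Optional[str], groups: Set[str]) -> Optional[int]:
        """Precedence (0 = most specific) if RULE applies to USER, else None."""
        negate = rule.startswith("~")
        core = rule[1:] if negate else rule
        if core == "*":
            level, hit = 3, True
        elif core in ("$authenticated", "$anonymous"):
            level, hit = 2, (user is not None) == (core == "$authenticated")
        elif core.startswith("@"):
            level, hit = 1, core[1:] in groups
        else:
            level, hit = 0, core == user
        return level if (hit != negate) else None

    def _decide(self, rules: Dict[str, str], user, groups) -> Optional[str]:
        """Rights from the most specific matching rules, or None if none match."""
        best, rights = None, set()
        for rule, value in rules.items():
            level = self._match(rule, user, groups)
            if level is None:
                continue
            if best is None or level < best:
                best, rights = level, set()
            if level == best:
                rights |= set(value.replace(" ", ""))
        return None if best is None else "".join(f for f in "rw" if f in rights)

    def access(self, repo: str, path: str, user: Optional[str]) -> str:
        """Return "", "r" or "rw" for USER (None = anonymous) on PATH of REPO."""
        groups = self.user_groups(user) if user is not None else set()
        path = "/" + path.strip("/")
        while True:
            for section in (f"{repo}:{path}", path):
                decision = self._decide(self.sections.get(section, {}), user, groups)
                if decision is not None:
                    return decision
            if path == "/":
                return ""  # no rule anywhere: deny by default
            path = path.rsplit("/", 1)[0] or "/"


def expected_access() -> Dict[Tuple[str, str], str]:
    """The question's cases, evaluated at the root of each repository."""
    authz = Authz(AUTHZ, EXTERNAL_GROUPS)
    users = ("oracle_developer", "oracle_qa", "admin")
    return {(u, r): authz.access(r, "/", u) for u in users for r in ("rbs", "automation")}


if __name__ == "__main__":
    for (user, repo), rights in sorted(expected_access().items()):
        print(f"{user:18} {repo:11} {rights or '(none)'}")
```

Running it shows oracle_developer with r on rbs and nothing on automation, the reverse for oracle_qa, and, less obviously, nothing at all for the jira-administrators member on either repository: the "* =" line in each [repo:/] section matches every user, so that section is decisive and the rw granted in [/] is never consulted. A deny-everything wildcard in a repository section has to sit next to every grant wanted for that repository.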