Subversion over openSuse 10.3 using Windows Authentication
December 11, 2007
Getting Subversion to authenticate against Windows Active Directory seems fairly complex, mostly because there is no documentation for this particular setup: the existing information covers Apache running on Windows authenticating against Active Directory.
After a couple of days of nightmare/research we came up with this how-to, which provides the basis and the steps needed to authenticate against AD. We recommend that you read the “SVN Book” (Version Control with Subversion, by Ben Collins-Sussman, Brian W. Fitzpatrick and C. Michael Pilato); to download the book go to this website.
What is Subversion?
Subversion is a versioning system, which allows you to store a development filetree in a “repository”, keeps track of edits made to the files, and allows those edits to be rolled back if necessary.
Software Installation
Before we begin, please make sure that you have the following packages installed on your computer: apache2, apache2-prefork, apache2-doc, libapr1, libapr-util1, neon, subversion, subversion-server, subversion-docs, pam_ldap.
Once the required packages are installed, configure Apache to load the required modules (run these as root):
(su) a2enmod dav            #enables DAV in apache2
(su) a2enmod dav_svn        #enables DAV access to the SVN filesystem
(su) a2enmod ldap           #loads the base library used by the LDAP modules
(su) a2enmod authnz_ldap    #this is the Apache 2.2.x module for LDAP authentication/authorization
(su) a2enmod authz_svn      #enables file-based access control for SVN repositories
NOTE: This configuration is valid only for Apache 2.2.x installations; previous versions of Apache don’t have the authnz_ldap module.
Configuration
The configuration suggested by most of the SVN books/posts sets up an individual repository for each file tree. But since each one requires its own Location on Apache, administration can become a nightmare if you’re creating/adding repositories all the time. Instead, the approach proposed in this post sets up a parent repository that works as a container for all the child repositories.
Configure the parent repository
Using the vi text-editor run the following command:
(su) vi /etc/apache2/conf.d/subversion.conf
Edit the configuration so that it reads as follows (the Location matches the URL http://localhost/repositories used later in this post):
<Location /repositories>
  #Serve this location with mod_dav_svn
  DAV svn
  #Configures the location of the parent repository (repo container)
  SVNParentPath /srv/svn/repositories/
  #This flag allows you to browse the existing repos in the container via HTTP
  SVNListParentPath on
</Location>
If you don’t include SVNListParentPath in the configuration you’ll get an HTTP 403.3 Forbidden error when browsing the container.
Now let’s create the repository-container folder on the file system:
(su) mkdir -p /srv/svn/repositories/
Restart Apache:
(su) rcapache2 restart
Now you should be able to browse your Subversion server by entering the address in the web browser (http://localhost/repositories), and your browser should show the (still empty) list of repositories in the container.
Setting up your first repository
Let’s create a repository using the command-line tools provided as part of the subversion-server package:
#This command creates the SVN repository and all its required assets
(su) svnadmin create /srv/svn/repositories/myRepository
#This command gives ownership of the writable parts to the Apache worker process (user wwwrun, group www)
(su) chown -R wwwrun:www /srv/svn/repositories/myRepository/{dav,db,locks}
Here we’re setting up a repository called myRepository; you should now see it listed in your web browser, and you should be able to browse it by entering the URL http://localhost/repositories/myRepository/.
(Screenshot: the repository listed under its parent repository)
(Screenshot: inside the newly created repository)
Further on in this post we’ll go through the common operations that you can perform on the repositories. Because the main focus of this post is the AD (W2K3) integration, let’s first see how to secure the repository.
Securing the repository
Authentication against Active Directory seems hard, mostly if you research it on the web, since most of the available information relates to the older authz_ldap module, which is not compatible with the 2.2.x version of Apache.
First of all you should turn off referral chasing for the pam_ldap module, because the referrals returned by Active Directory break the lookup. Edit your /etc/ldap.conf using a text editor and add this on the first line:
REFERRALS off
Now you are able to add the LDAP configuration directives to the recently created Apache configuration. What we found useful was to test the Active Directory connection using ADSIEdit, or you can use this Java LDAP Browser applet to test the Active Directory lookup information. We strongly recommend that you create a new, dedicated user for querying Active Directory.
Since the authentication process on LDAP has two phases, you need to bind with an account that performs the query (AD needs to be queried by a valid AD user) before the user’s own password is verified. That said, let’s modify the Apache configuration to authenticate against AD.
To open the Apache configuration use this command:
(su) vi /etc/apache2/conf.d/subversion.conf
Then your configuration should look like this (note that the AuthLDAPURL directive must be on a single line):
<Location /repositories>
  DAV svn
  #Configures the location of the parent repository (repo container)
  SVNParentPath /srv/svn/repositories/
  #This flag allows you to browse the existing repos in the container via HTTP
  SVNListParentPath on
  #Everything below this line is related to the LDAP configuration
  #This sets the authentication provider to be the ldap provider
  AuthBasicProvider ldap
  #Sets the authentication type to Basic (username & password)
  AuthType Basic
  #Off lets other authorization modules handle the request if this one declines it
  AuthzLDAPAuthoritative off
  #This is the message that will be displayed to the users when prompting for credentials
  AuthName "My Subversion server"
  #This is the search path for the AD (we’ll explain this later)
  AuthLDAPURL "ldap://directory.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
  #This is the DN of the user performing the query (this could also be a UPN: user@domain)
  AuthLDAPBindDN "CN=apache,CN=Users,DC=example,DC=com"
  #This is the password for the user performing the query
  AuthLDAPBindPassword hackme
  #This directive indicates that only authenticated users can access these repos
  Require valid-user
</Location>
The AuthLDAPURL indicates the search base where the authnz_ldap Apache module will look for the user name; the ?sAMAccountName part indicates that the username typed by the user must match the value of that attribute on the AD user object; ?sub indicates that the search should be performed recursively below the base DN. Finally, (objectClass=*) indicates that the object can be of any type (I play it safe and choose objectClass=*).
Now you should still be able to browse the repositories, but Apache will prompt you for your domain credentials.
IMPORTANT: Since the sAMAccountName doesn’t include the domain name, avoid using the form DOMAINNAME\user; just enter your user name.
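To make the AuthLDAPURL explanation concrete, here is a small Python script, added as an example (it is not part of the original post or of mod_authnz_ldap), that splits an AuthLDAPURL into its RFC 2255 parts and builds the lookup filter mod_authnz_ldap derives from it, (&(filter)(attribute=username)), applying the RFC 4515 escaping of the username so that whatever is typed into the Basic-auth prompt is matched literally rather than interpreted as filter syntax. The URL is the post’s own sample; the usernames are constructed. Only the standard library is used.

```python
"""Parse an Apache AuthLDAPURL and derive the user lookup filter.

Added example: not part of the original post or of mod_authnz_ldap itself.
Uses only the Python standard library; the sample URL is the one from the post.
"""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Escapes required inside an LDAP search filter assertion value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally instead of parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_auth_ldap_url(url: str) -> LdapUrl:
    """Split ldap://host:port/basedn?attribute?scope?filter (RFC 2255 form).

    Defaults follow the mod_authnz_ldap documentation: attribute 'uid',
    scope 'sub', filter '(objectclass=*)'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("AuthLDAPURL must name an LDAP host")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    base_dn = unquote(parts.path.lstrip("/"))
    # Everything after the first '?' is attribute?scope?filter, each part optional.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, flt = (unquote(f) for f in fields[:3])
    scope = scope.lower() if scope.lower() in ("one", "sub") else "sub"
    return LdapUrl(parts.scheme, parts.hostname, port, base_dn,
                   attribute or "uid", scope, flt or "(objectclass=*)")


def build_user_filter(ldap_url: LdapUrl, username: str) -> str:
    """Return the filter mod_authnz_ldap sends: (&(<filter>)(<attribute>=<user>))."""
    return f"(&{ldap_url.filter}({ldap_url.attribute}={escape_filter_value(username)}))"


# The AuthLDAPURL from the post (without the trailing NONE, which is the
# connection-security option of the directive, not part of the URL).
SAMPLE_URL = "ldap://directory.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"

if __name__ == "__main__":
    parsed = parse_auth_ldap_url(SAMPLE_URL)
    print(parsed)
    # "sally" is a normal login; the second value is constructed to contain
    # filter metacharacters and shows why the escaping matters.
    for user in ("sally", "*)(cn=*"):
        print(f"{user!r} -> {build_user_filter(parsed, user)}")
```

The combined filter is what the directory actually evaluates after the bind with the AuthLDAPBindDN account succeeds; the escaping step is the reason a login name containing parentheses or asterisks stays a literal sAMAccountName comparison.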
Configuring Authorization Policies
For authorization we’re going to use the authz_svn Apache module. The authorization is based on a text file, and policies can be assigned to domain user names or to custom groups.
Configuring Apache to use authz_svn
In order to use the authz_svn module, open the Apache configuration again:
(su) vi /etc/apache2/conf.d/subversion.conf
Now configure Apache to use a file for the authorization policy definitions, so that the configuration looks like this:
<Location /repositories>
  DAV svn
  #Configures the location of the parent repository (repo container)
  SVNParentPath /srv/svn/repositories/
  #This flag allows you to browse the existing repos in the container via HTTP
  SVNListParentPath on
  #Everything below this line is related to the LDAP configuration
  #This sets the authentication provider to be the ldap provider
  AuthBasicProvider ldap
  #Sets the authentication type to Basic (username & password)
  AuthType Basic
  #Off lets other authorization modules handle the request if this one declines it
  AuthzLDAPAuthoritative off
  #This is the message that will be displayed to the users when prompting for credentials
  AuthName "My Subversion server"
  #This is the search path for the AD (explained above); it must be on a single line
  AuthLDAPURL "ldap://directory.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
  #This is the DN of the user performing the query (this could also be a UPN: user@domain)
  AuthLDAPBindDN "CN=apache,CN=Users,DC=example,DC=com"
  #This is the password for the user performing the query
  AuthLDAPBindPassword hackme
  #This directive indicates that only authenticated users can access these repos
  Require valid-user
  #This is the configuration for authorization
  #The following directive defines the file used as the AuthZ policy store
  AuthzSVNAccessFile /srv/svn/user_access/authz_policies
</Location>
Now create the file that defines the policies:
(su) vi /srv/svn/user_access/authz_policies
The internal file structure is similar to a .ini file. Below you will find a sample of how it looks, and then we’ll go section by section explaining its meaning.
[groups]
administrators = user, user2

[myRepository:/]
@administrators = rw
sally = r
bob =
The [groups] section
Defines a group. The comma-separated values are usernames; remember that since we have configured the integrated authentication, each username must be a domain username (the sAMAccountName).
The [myRepository:/] section
Defines permissions for a repository. The form is [repositoryName:path]; the path is used when more granular permissions are desired (e.g. permissions for a specific branch or feature).
@administrators = rw indicates that the permissions are assigned to a group.
sally = r indicates that the permissions are assigned only to the user sally.
Values for the permissions
| Value | Meaning |
| r | read |
| w | write |
| rw | read and write |
| (empty) | no permissions |
NOTE: When a user or group is not mentioned under a repository section it won’t get access of any kind.
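The following Python script is an added example (it is not part of the original post or of Subversion) that evaluates a policy file like the one above for a given user, repository and path. It implements the rules described in this section (groups, the r / w / rw / empty values, and “not mentioned means no access”) and goes one step further by applying the most-specific-path-wins inheritance documented in the SVN Book, so a [myRepository:/branches/release] section overrides [myRepository:/] for that subtree. One assumption is labelled in the code: inside a single section, a rule naming the user directly outranks group rules, which outrank “*”; Subversion’s own tie-breaking between several matching lines is not reproduced. The sample policy is constructed from the post’s example plus a branch section and a nested group.

```python
"""Evaluate a Subversion authz policy file for a given user, repository and path.

Added example: not part of the original post or of Subversion. Standard library only.
Assumption: inside one section a direct user rule outranks group rules, which
outrank '*'; Subversion's own tie-breaking between matching lines is not modelled.
"""
import configparser
from typing import Optional, Set

# Constructed sample policy: the post's example plus a branch-specific section
# and a nested group, to show inheritance and group expansion.
SAMPLE_AUTHZ = """\
[groups]
administrators = user, user2
developers = sally, @administrators

[myRepository:/]
@administrators = rw
sally = r
bob =

[myRepository:/branches/release]
@developers = rw
sally =
"""


def load_authz(text: str) -> configparser.ConfigParser:
    """Parse the .ini-style authz file, keeping key case (usernames are case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def expand_group(cp: configparser.ConfigParser, name: str,
                 seen: Optional[Set[str]] = None) -> Set[str]:
    """Return the usernames in group `name`, following nested @group members."""
    seen = seen if seen is not None else set()
    if name in seen:                       # guard against a cyclic group definition
        return set()
    seen.add(name)
    members: Set[str] = set()
    if cp.has_option("groups", name):
        for member in cp.get("groups", name).split(","):
            member = member.strip()
            if member.startswith("@"):
                members |= expand_group(cp, member[1:], seen)
            elif member:
                members.add(member)
    return members


def _rights(value: Optional[str]) -> str:
    """Normalise a rule value to '', 'r', 'w' or 'rw' (empty value = no permissions)."""
    value = (value or "").lower()
    return ("r" if "r" in value else "") + ("w" if "w" in value else "")


def _section_rights(cp: configparser.ConfigParser, section: str, user: str) -> Optional[str]:
    """Rights `section` gives `user`, or None when the section does not mention them."""
    if not cp.has_section(section):
        return None
    best: Optional[tuple] = None           # (rank, rights); the higher rank wins
    for key, value in cp.items(section):
        if key == user:
            rank = 3                       # direct user rule (assumed to win)
        elif key.startswith("@") and user in expand_group(cp, key[1:]):
            rank = 2                       # group rule
        elif key == "*":
            rank = 1                       # everyone
        else:
            continue
        if best is None or rank > best[0]:
            best = (rank, _rights(value))
    return None if best is None else best[1]


def effective_access(cp: configparser.ConfigParser, repo: str, path: str, user: str) -> str:
    """Walk from `path` up to '/', returning the rights of the most specific section
    that mentions `user`; '' when no section does (the NOTE above)."""
    path = "/" + path.strip("/")
    while True:
        for section in (f"{repo}:{path}", path):   # repo-specific block first, then global
            rights = _section_rights(cp, section, user)
            if rights is not None:
                return rights
        if path == "/":
            return ""
        path = path.rsplit("/", 1)[0] or "/"


if __name__ == "__main__":
    policy = load_authz(SAMPLE_AUTHZ)
    for who, where in (("user", "/"), ("sally", "/trunk"), ("sally", "/branches/release"),
                       ("bob", "/"), ("user2", "/branches/release/x"), ("mallory", "/")):
        print(f"{who:8} {where:22} -> {effective_access(policy, 'myRepository', where, who) or 'none'}")
```

Running it shows the consequences of the NOTE: bob, who is listed with an empty value, and mallory, who is not listed at all, both end up with no access, while user2 inherits rw on the release branch through the nested developers group.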
Further Reading
These are useful links that helped when doing this:
- http://www-unix.mcs.anl.gov/~gawor/ldap/applet/applet.html
- http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
- http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html
- http://www.debianhelp.co.uk/apachead.htm
thanks,
~johnny