Subversion ADS Authentication with Apache
More and more companies are using directory services for housing their user credentials and information. Example directory services are Active Directory, eDirectory and OpenLDAP.
How does this relate to Subversion? Well, in the enterprise deployments I’ve been involved with, most clients wanted to harness their existing directory services for their Subversion authentication. This document provides instructions on how to make Apache use Windows AD services for authentication. These steps have been tried and tested on RHEL 4 AS. Compilation and installation steps may differ from Unix to Unix.
This document is only meant to help you get started with Apache and ADS configuration.
As of now, the only way to use your directory service for authentication is to use Apache as your network layer. This lets you use any of the authentication options available to Apache for your Subversion authentication, and with mod_auth_ldap, Apache can authenticate against your directory service for Subversion.
We will cover both ways of doing this, followed by two further sections:
- RPM Installation: for the impatient, and where a quick turnaround time is needed.
- Manual Installation: for those who love compiling from source.
- Providing web GUI for svn over web.
- List of Clients for Subversion.
RPM Installation
This section is for the impatient, and for those who need to provide a quick implementation in their organisation.
- Download and install Latest Apr Package.
- Download and install Latest Apr-Utils Package.
- Download and install Apache 2.x Package.
- Download and install Latest Subversion Package.
- Download and install Latest mod_dav_svn Package. This provides the mod_dav_svn.so and mod_authz_svn.so modules for Apache.
- Create SVN Repository. (Creating SVN Repository)
- Create a subversion.conf file in /etc/httpd/conf.d (again, this will differ from Unix to Unix and distro to distro).
- Add the following for AD and save the file.
    <Location /repo>
        # Enable Subversion
        DAV svn
        # Directory containing the repository
        SVNPath /path/of/repo
        SVNPathAuthz off
        # Use LDAP as the Basic authentication provider
        AuthBasicProvider ldap
        # LDAP Authentication & Authorization is final; do not check other databases
        AuthBasicAuthoritative On
        # Do basic password authentication in the clear
        AuthType Basic
        AuthzSVNAccessFile /path/of/authzfile
        # The name of the protected area or "realm"
        AuthName "Some Name"
        # Active Directory requires an authenticating DN to access records
        # This is the DN used to bind to the directory service
        # This is an Active Directory user account
        AuthLDAPBindDN "CN=administrator,CN=Users,DC=domain,DC=com"
        # This is the password for the AuthLDAPBindDN user in Active Directory
        AuthLDAPBindPassword adminpass
        # The LDAP query URL
        # Format: scheme://host:port/basedn?attribute?scope?filter
        # The URL below will search for all objects recursively below the basedn
        # and validate against the sAMAccountName attribute
        AuthLDAPURL "ldap://ld.ap.url:389/OU=Users,OU=[parentOU],DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
        # Require authentication for this Location
        Require valid-user
    </Location>
- Add the following for LDAP and save the file.
    <Location /repos/>
        # Enable Subversion
        DAV svn
        # Parent directory containing the repositories
        SVNParentPath /path/of/repo
        SVNPathAuthz off
        # Use LDAP as the Basic authentication provider; with
        # AuthBasicAuthoritative off, other modules may still be consulted
        AuthBasicProvider ldap
        AuthBasicAuthoritative off
        AuthzSVNAccessFile /path/of/authzfile
        # Do basic password authentication in the clear
        AuthType Basic
        # The name of the protected area or "realm"
        AuthName "Some name"
        # The LDAP query URL
        # Format: scheme://host:port/basedn?attribute?scope?filter
        # The URL below will search for all objects recursively below the basedn
        # and validate against the uid attribute
        AuthLDAPURL "ldap://ld.ap.url:389/ou=People,dc=domain,dc=com?uid?sub?(objectClass=*)"
        # This is the DN used to bind to the directory service
        AuthLDAPBindDN "CN=manager,DC=domain,DC=com"
        # This is the password for the AuthLDAPBindDN user
        AuthLDAPBindPassword adminpass
        # Require authentication for this Location
        Require valid-user
    </Location>
- Start Apache with the following command:
    /etc/init.d/httpd start
Manual Installation
In this section we will compile the packages from source and install them. Compiling from source lets us install the packages in the location we need.
- Download the source of APR from here and follow these steps.
    # tar -zxvf apr-version.tar.gz
    # cd apr-version
    # ./configure
    # make
    # make install
- Download the source of APR Utils from here and follow these steps.
    # tar -zxvf apr-util-version.tar.gz
    # cd apr-util-version
    # ./configure --with-apr=/path/to/apr/installation --with-ldap
    # make
    # make install
- Download the source of Subversion from here and follow these steps.
    # tar -zxvf subversion-version.tar.gz
    # cd subversion-version
    # ./configure --with-apr=/path/to/apr/installation --with-apr-util=/path/to/apr-util/installation
    # make
    # make install
- Download Apache from here and compile it with LDAP, SSL and proxy support for SVN access with ADS authentication.
    # tar -zxvf httpd-version.tar.gz
    # cd httpd-version
    # ./configure --prefix=PREFIX --enable-modules="all ldap authnz_ldap ssl proxy" --enable-mods-shared="most ldap authnz_ldap ssl proxy" --with-apr=/path/to/apr/installation --with-apr-util=/path/to/apr-util/installation
    # make all
    # make install
- Now we will compile the SVN modules for Apache. Go back to the Subversion source and follow these steps.
    # ./configure --with-apxs=/path/to/apache2/bin/apxs
    # rm /usr/local/lib/libsvn*
    # make clean && make && make install
After the make install, the Subversion shared libraries are in /usr/local/lib/. mod_dav_svn.so should be installed in /path/to/apache/modules/.
- Now edit httpd.conf, located in /path/to/apache/conf/, add the following lines and save the file.
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so
- Create SVN Repository. (Creating SVN Repository)
- Edit httpd.conf.
- Add the following for AD and save the file.
    <Location /repo>
        # Enable Subversion
        DAV svn
        # Directory containing the repository
        SVNPath /path/of/repo
        SVNPathAuthz off
        # Use LDAP as the Basic authentication provider
        AuthBasicProvider ldap
        # LDAP Authentication & Authorization is final; do not check other databases
        AuthBasicAuthoritative On
        # Do basic password authentication in the clear
        AuthType Basic
        AuthzSVNAccessFile /path/of/authzfile
        # The name of the protected area or "realm"
        AuthName "Some Name"
        # Active Directory requires an authenticating DN to access records
        # This is the DN used to bind to the directory service
        # This is an Active Directory user account
        AuthLDAPBindDN "CN=administrator,CN=Users,DC=domain,DC=com"
        # This is the password for the AuthLDAPBindDN user in Active Directory
        AuthLDAPBindPassword adminpass
        # The LDAP query URL
        # Format: scheme://host:port/basedn?attribute?scope?filter
        # The URL below will search for all objects recursively below the basedn
        # and validate against the sAMAccountName attribute
        AuthLDAPURL "ldap://ld.ap.url:389/OU=Users,OU=[parentOU],DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
        # Require authentication for this Location
        Require valid-user
    </Location>
- Add the following for LDAP and save the file.
    <Location /repos/>
        # Enable Subversion
        DAV svn
        # Parent directory containing the repositories
        SVNParentPath /path/of/repo
        SVNPathAuthz off
        # Use LDAP as the Basic authentication provider; with
        # AuthBasicAuthoritative off, other modules may still be consulted
        AuthBasicProvider ldap
        AuthBasicAuthoritative off
        AuthzSVNAccessFile /path/of/authzfile
        # Do basic password authentication in the clear
        AuthType Basic
        # The name of the protected area or "realm"
        AuthName "Some name"
        # The LDAP query URL
        # Format: scheme://host:port/basedn?attribute?scope?filter
        # The URL below will search for all objects recursively below the basedn
        # and validate against the uid attribute
        AuthLDAPURL "ldap://ld.ap.url:389/ou=People,dc=domain,dc=com?uid?sub?(objectClass=*)"
        # This is the DN used to bind to the directory service
        AuthLDAPBindDN "CN=manager,DC=domain,DC=com"
        # This is the password for the AuthLDAPBindDN user
        AuthLDAPBindPassword adminpass
        # Require authentication for this Location
        Require valid-user
    </Location>
- Start Apache with the following command:
    /path/to/apache/bin/apachectl start
Use the in-line comments in the code above to better understand the Apache configuration directives for mod_auth_ldap. With the above example (which you need to modify for your environment) you can have Apache authenticate your Subversion users against your Active Directory directory service. The above will also work for other directory services but with minor modifications in the AuthLDAPURL.
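A hardened variant of the AD block above, as an added example that is not part of the original post: it keeps Basic authentication but accepts it only over HTTPS, talks to the domain controller over LDAPS, and binds with a low-privilege account instead of the administrator. The service account, the group DN, the CA file path and port 636 are assumptions to replace with your own values.

```apache
# Server-level directives (outside <Location>): trust the CA that signed
# the domain controller's certificate and verify it on every connection.
# The CA file path is an assumed placeholder.
LDAPTrustedGlobalCert CA_BASE64 /path/to/ad-root-ca.pem
LDAPVerifyServerCert On

<Location /repo>
    DAV svn
    SVNPath /path/of/repo
    AuthzSVNAccessFile /path/of/authzfile

    # Refuse plain-HTTP requests so the Basic credentials only ever travel
    # inside TLS (needs mod_ssl and an HTTPS virtual host).
    SSLRequireSSL

    AuthType Basic
    AuthName "Some Name"
    AuthBasicProvider ldap

    # ldaps:// protects both the service-account bind and the bind made
    # with the user's own password. Port 636 is the usual LDAPS port.
    AuthLDAPURL "ldaps://ld.ap.url:636/OU=Users,OU=[parentOU],DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"

    # Hypothetical account that can only read the directory; a leaked
    # config file then does not expose the domain administrator.
    AuthLDAPBindDN "CN=svc-svn-bind,OU=Service Accounts,DC=domain,DC=com"
    AuthLDAPBindPassword "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"

    # Only members of this (hypothetical) group may reach the repository,
    # rather than every account that can authenticate.
    Require ldap-group CN=svn-users,OU=Groups,DC=domain,DC=com
</Location>
```

Keep the file that holds AuthLDAPBindPassword readable by root only; Apache parses its configuration before dropping privileges.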
Providing web GUI for svn over web
Now we have installed SVN and Apache. We need to provide a web interface for users who will access the repository from outside the office network, i.e. over the internet. For this we need to install Java, Tomcat and Polarion’s svnwebclient. Here are the steps to do that.
- Download and install the Java Runtime Environment from here. Once done, we need to set the environment variable JAVA_HOME. To do this, create a java.sh file in /etc/profile.d with the following content.
    JAVA_HOME=/usr/local/java
    export JAVA_HOME
Once the file is created, run “. /etc/profile” at the command prompt.
- Download Tomcat from here. Now run the following commands.
    # cd /usr/local/
    # tar -zxvf /path/to/tomcat-version.tar.gz
- Download Polarion’s svnwebclient from here. Now run the following commands.
    # tar -zxvf svnwebclient-version.tar.gz
    # cd svnwebclient-version
    # cp svnwebclient.war /usr/local/tomcat/webapps/
    # cd /usr/local/tomcat/bin/
    # ./catalina.sh start
- Now go to the WEB-INF folder of svnwebclient using the following command: “cd /path/to/tomcat/webapps/svnwebclient/WEB-INF/”
- Open web.xml in your favourite editor.
Change
    <context-param>
        <param-name>RepositoryUrl</param-name>
        <param-value>http://localhost/repos</param-value>
    </context-param>
to
    <context-param>
        <param-name>RepositoryUrl</param-name>
        <param-value>http://svn.server.ip.address/reponame</param-value>
    </context-param>
Change
    <context-param>
        <param-name>Username</param-name>
        <param-value>user</param-value>
    </context-param>
to
    <context-param>
        <param-name>Username</param-name>
        <param-value>someADSuser</param-value>
    </context-param>
Change
    <context-param>
        <param-name>Password</param-name>
        <param-value>pass</param-value>
    </context-param>
to
    <context-param>
        <param-name>Password</param-name>
        <param-value>userpassword</param-value>
    </context-param>
NOTE: Make sure that the password of the user used here never expires.
Save the file.
- Now restart the Tomcat service with the following commands.
    # cd /usr/local/tomcat/bin
    # ./catalina.sh stop
    # ./catalina.sh start
- Go to http://ser.ver.IP.address:8080/svnwebclient/ and log in with the ADS username and password of a user who has access to the repository. (If you don’t want to use port 8080 and want it to be served via Apache, you can integrate Apache and Tomcat.)
List of Clients for Subversion
List of SVN Clients for different OS:
June 20, 2010 at 15:30
You post great posts. Bookmarked!
September 11, 2010 at 13:00
Thanks a million for this, I appreciate the info
September 13, 2010 at 10:26
Thanks for the Comment