I just finished setting up a Subversion server running on CentOS. In addition to hosting Subversion repositories, I have a few other requirements, which include:
- Ability to browse repositories using a web browser
- Access to repositories using WebDAV
- Repository access should be protected and authentication/authorization should be done using Active Directory
First, I was looking at using Trac, which provides most of the above and some extra features (project management and bug/issue tracking). But we already have other project management (dotProject) and bug/issue tracking (Mantis) software in place, and Trac doesn’t seem very straightforward to install and configure. So I started looking at alternatives, and there isn’t much out there in the form of one package which can provide all of the above.
The solution we ended up building runs on the CentOS operating system with WebSVN and other dependency libraries. I ran into some issues while setting up the solution and went through a number of articles and KBs available on the Internet. I spent almost a whole day on this and thought it might be useful for others if I put all the info in one article.
The target is to have a setup where we can browse all the repositories using WebSVN with URL
Each repository should be accessible using a URL which looks like
Historically, I liked RedHat/Fedora (maybe because the first distribution I started working with was RedHat 5.x), but over the years I started liking Debian (and all the other distros built on Debian). For this project, I picked CentOS, which is well respected in enterprises for its stability and as a free alternative to OpenSuse Enterprise or Redhat Enterprise. The latest release as of writing this article is CentOS 5.3, so that’s what I used.
Install CentOS with the default partitioning and make sure you have the web server (http package) with PHP support installed. Once the installation is finished and you are logged in as root, I suggest that you install the latest updates by running
Install subversion and mod_dav_svn packages
yum install subversion mod_dav_svn enscript php-ldap
The enscript package is used by WebSVN for code highlighting and formatting.
Active Directory/LDAP Configuration
If your LDAP deployment doesn’t support anonymous bind, create a user in LDAP which can be used to bind and perform queries. By default, anonymous LDAP operations, except rootDSE searches and binds, are not permitted on Windows 2003 domain controllers. As my deployment involves a Windows 2003 based domain controller, I created a user named ‘LDAP User’ (Logon Name ‘ldapuser’) in the Users container.
Before proceeding with the rest of the setup, it’s a good idea to test the bind using the user which will be used for binding and search queries. I used a free utility from Softerra named LDAP Browser, which is available for free download at:
In the rest of the setup, I will use an imaginary domain called domain.example.com. My user principal name will be firstname.lastname@example.org and the distinguished name for the same will be
CN=LDAP User,CN=Users,DC=domain,DC=example,DC=com. The FQDN of the Active Directory domain server is adserver.domain.example.com.
Create a directory which will hold the SVN repositories. I used /srv/svn for this purpose
mkdir -p /srv/svn
Next, download the latest WebSVN package from http://www.websvn.info
cd ~
wget http://websvn.tigris.org/files/documents/1380/45918/websvn-2.2.1.tar.gz
tar zxvf websvn-2.2.1.tar.gz
(Note: replace the URL with path to latest release of websvn in above command line)
Instead of extracting the websvn package to the default root of the apache web server under /var/www/html, I created a new directory to host this package
mkdir -p /var/www/websvn
cp -ar ~/websvn-2.2.1/* /var/www/websvn
Next, create an alias for this directory in apache configuration. Create a file in /etc/httpd/conf.d
and add the following lines to this file
Alias /websvn /var/www/websvn
# The auth directives must sit inside a container; <Location> on the alias path is one way to scope them
<Location /websvn>
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Subversion Repository Web Browsing"
AuthLDAPURL "ldap://adserver.domain.example.com:3268/DC=domain,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=LDAP User,CN=Users,DC=domain,DC=example,DC=com"
AuthLDAPBindPassword MakeItSecurePassword
require valid-user
</Location>
Replace the AuthLDAPURL with the correct URL for your environment. Also, modify the AuthLDAPBindDN and AuthLDAPBindPassword to match the user which will be used for binding.
If you are using an LDAP server instead of an Active Directory server, replace the port number 3268 with 389. Port 3268 is used by the Active Directory Global Catalog. The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. Using port 389 for some reason didn’t work for authentication.
In AuthLDAPURL, the last word (NONE in the configuration above) selects the connection mode:
- NONE: Establish an unsecure connection on the default LDAP port.
- SSL: Establish a secure connection on the default secure LDAP port.
- TLS | STARTTLS: Establish an upgraded secure connection on the default LDAP port.
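With NONE, the bind password and every user's Active Directory password travel between Apache and the domain controller unencrypted, so a check like the following can be run over the Apache config files. It is an added example, not part of the original article; `audit_ldap_conf`, the finding names and the two sample files (including the `ldaps://` URL on port 3269) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. audit_ldap_conf is a
# hypothetical helper that prints one finding name per line.
audit_ldap_conf() {
    conf=$1
    # 1. An ldap:// URL with the NONE keyword means the bind password and every
    #    user's password reach the directory server unencrypted. A URL with no
    #    keyword inherits the server-wide LDAPTrustedMode and is not judged here.
    awk 'tolower($1) == "authldapurl" && $2 ~ /^"?ldap:\/\// &&
         toupper($NF) == "NONE" { hit = 1 }
         END { if (hit) print "CLEARTEXT_LDAP" }' "$conf"
    # 2. Basic auth sends the password with every request, so the section should
    #    refuse plain HTTP (SSLRequireSSL is the mod_ssl directive for that).
    if grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$conf" &&
       ! grep -Eiq '^[[:space:]]*SSLRequireSSL' "$conf"; then
        echo "BASIC_AUTH_WITHOUT_SSL"
    fi
    # 3. AuthLDAPBindPassword is stored in clear text: flag a world-readable file.
    if grep -Eiq '^[[:space:]]*AuthLDAPBindPassword' "$conf" &&
       [ -n "$(find "$conf" -perm -004)" ]; then
        echo "BIND_PASSWORD_WORLD_READABLE"
    fi
}

# Constructed, abridged samples: the article's settings, then a tightened variant.
tmp=$(mktemp -d)
cat > "$tmp/websvn.conf" <<'EOF'
<Location /websvn>
AuthType Basic
AuthLDAPURL "ldap://adserver.domain.example.com:3268/DC=domain,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=LDAP User,CN=Users,DC=domain,DC=example,DC=com"
AuthLDAPBindPassword MakeItSecurePassword
require valid-user
</Location>
EOF
chmod 644 "$tmp/websvn.conf"
cat > "$tmp/websvn-tls.conf" <<'EOF'
<Location /websvn>
SSLRequireSSL
AuthType Basic
AuthLDAPURL "ldaps://adserver.domain.example.com:3269/DC=domain,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=LDAP User,CN=Users,DC=domain,DC=example,DC=com"
AuthLDAPBindPassword MakeItSecurePassword
require valid-user
</Location>
EOF
chmod 600 "$tmp/websvn-tls.conf"
audit_ldap_conf "$tmp/websvn.conf"      # prints all three findings
audit_ldap_conf "$tmp/websvn-tls.conf"  # prints nothing
```

On a real host, point the function at each file under /etc/httpd/conf.d that carries these directives.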
Next, create the new configuration file for WebSVN from the default configuration file that ships with the package.
cd /var/www/websvn/include
cp distconfig.php config.php
You can edit the config.php file according to your environment. For every repository, you have to add the parent path to the directory which holds the repositories. In my case, /srv/svn is the directory which will hold all the repositories, so I added the below line to config.php
In addition to above, I added the below lines to config.php for syntax highlighting.
$extEnscript[".pl"] = "perl";
$extEnscript[".py"] = "python";
$extEnscript[".sql"] = "sql";
$extEnscript[".java"] = "java";
$extEnscript[".html"] = "html";
$extEnscript[".xml"] = "html";
$extEnscript[".thtml"] = "html";
$extEnscript[".tpl"] = "html";
$extEnscript[".sh"] = "bash";
Restart the apache service for changes to take effect
service httpd restart
Let’s create a repository which we can use for testing.
svnadmin create --fs-type fsfs /srv/svn/sandbox
Try accessing the alias using the URL http://<hostname>/websvn and, if things work out, you should have access to your repositories through the WebSVN interface.
Configuring WebDAV access for subversion requires the mod_dav_svn module, which we already installed in previous steps. Installing the mod_dav_svn RPM also creates the configuration file subversion.conf under the /etc/httpd/conf.d directory.
To use WebDAV for SVN repositories, the repository directory should be owned by the web server user (apache). Change the ownership of our test SVN repository to the apache user
chown -R apache.apache /srv/svn/sandbox
Next, edit the subversion.conf file and add the following lines.
# /REPOSITORY-URL-PATH is a placeholder for the URL path the repository is served under
<Location /REPOSITORY-URL-PATH>
DAV svn
SVNPath /srv/svn/sandbox
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Subversion Repository Access"
AuthLDAPURL "ldap://adserver.domain.example.com:3268/DC=domain,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=LDAP User,CN=Users,DC=domain,DC=example,DC=com"
AuthLDAPBindPassword MakeItSecurePassword
require valid-user
require ldap-group CN=Developer Group,OU=Users,DC=domain,DC=example,DC=com
</Location>
The LimitExcept directive controls access to the repository and defines whether the user can write to this repository or not. In the above case, any user who belongs to the Active Directory group ‘Developer Group’ can read from and write to this repository.
Let’s restart the apache service for changes to take effect
service httpd restart
Browse to the repository using below URL
If you want to give access to all the repositories held under /srv/svn, replace the below lines
DAV svn
SVNPath /srv/svn/sandbox
with
DAV svn
SVNParentPath /srv/svn
SVNListParentPath on