I just finished setting up a Subversion server running on CentOS. In addition to hosting Subversion repositories, I have a few other requirements, which include:
- Ability to browse repositories using a web browser
- Access to repositories using WebDAV
- Repository access should be protected, and authentication/authorization should be done using Active Directory
First, I was looking at using TRAC, which provides most of the above and some extra features (project management and bug/issue tracking). But we already have other project management (dotProject) and bug/issue tracking (Mantis) software in place, and TRAC doesn’t seem very straightforward to install and configure. So, I started looking at alternatives, and there isn’t much out there in the form of one package which can provide all of the above.
The solution which we ended up building runs on the CentOS operating system with WebSVN and other dependency libraries. I ran into some issues while setting up the solution and went through a number of articles and KBs available on the Internet. I spent almost a whole day on this and thought it might be useful for others if I put all the info in one article.
The target is a setup where we can browse all the repositories using WebSVN at the URL
http://<hostname>/websvn
Each repository should be accessible using a URL which looks like
http://<hostname>/<repository name>
Installing/Configuring CentOS
Historically, I liked RedHat/Fedora (maybe because the first distribution I started working with was RedHat 5.x), but over the years I started liking Debian (and all other distros built on Debian). For this project, I picked CentOS, which is well respected in enterprises for its stability and as a free alternative to OpenSUSE Enterprise or RedHat Enterprise. The latest release out there as of writing this article is CentOS 5.3, so that's what I used.
Install CentOS with the default partitioning and make sure you have the web server (httpd package) with PHP support installed. Once the installation is finished and you are logged in as root, I suggest that you install the latest updates by running
    yum update
Install the subversion and mod_dav_svn packages
    yum install subversion mod_dav_svn enscript php-ldap
The enscript package is used by WebSVN for code highlighting and formatting.
Active Directory/LDAP Configuration
If your LDAP deployment doesn’t support anonymous bind, create a user in LDAP which can be used to bind and perform queries. By default, anonymous LDAP operations, except rootDSE searches and binds, are not permitted on Windows 2003 domain controllers. As my deployment involves a Windows 2003 based domain controller, I created a user named ‘LDAP User’ (Logon Name ‘ldapuser’) in the Users container.
Before proceeding with the rest of the setup, it’s a good idea to test the bind using the user which will be used for binding and search queries. I used a free utility from Softerra named LDAP Browser, which is available for download at:
http://www.softerra.com/download.htm
In the rest of the setup, I will use an imaginary domain called domain.example.com. My user principal name will be ldapuser@domain.example.com and the distinguished name for the same will be CN=LDAP User,CN=Users,DC=domain,DC=example,DC=com. The FQDN for the Active Directory domain server is adserver.domain.example.com.
WebSVN Configuration
Create a directory which will hold the SVN repositories. I used /srv/svn for this purpose
    mkdir -p /srv/svn
Next, download the latest WebSVN package from http://www.websvn.info
    cd ~
    wget http://websvn.tigris.org/files/documents/1380/45918/websvn-2.2.1.tar.gz
    tar zxvf websvn-2.2.1.tar.gz
(Note: replace the URL with path to latest release of websvn in above command line)
Instead of extracting websvn package to default root of apache web server under /var/www/html, I created a new directory to host this package
    mkdir -p /var/www/websvn
    cp -ar ~/websvn-2.2.1/* /var/www/websvn
Next, create an alias for this directory in the Apache configuration. Create a file in /etc/httpd/conf.d
    vim /etc/httpd/conf.d/websvn.conf
and add the following lines to this file
    Alias /websvn /var/www/websvn

    # The authentication directives are only valid inside a container such as <Location>
    <Location /websvn>
        AuthBasicProvider ldap
        AuthType Basic
        AuthzLDAPAuthoritative off
        AuthName "Subversion Repository Web Browsing"
        AuthLDAPURL "ldap://adserver.domain.example.com:3268/DC=domain,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
        AuthLDAPBindDN "CN=LDAP User,CN=Users,DC=domain,DC=example,DC=com"
        AuthLDAPBindPassword MakeItSecurePassword
        require valid-user
    </Location>
Replace the AuthLDAPURL with correct URL according to your environment. Also, modify the AuthLDAPBindDN and AuthLDAPBindPassword according to your user which will be used for binding.
Note:
If you are using LDAP server instead of Active Directory server, replace the port number 3268 with 389. Port 3268 is used by Active Directory Global Catalog. The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. Using port 389 for some reason didn’t work for authentication.
Note:
In AuthLDAPURL, the last word (NONE above) selects the connection type:
- NONE: Establish an unsecure connection on the default LDAP port.
- SSL: Establish a secure connection on the default secure LDAP port.
- TLS/STARTTLS: Establish an upgraded secure connection on the default LDAP port.
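With NONE, the bind account's password and every user's password travel to the domain controller unencrypted, and Basic auth over plain HTTP exposes them between browser and server as well. The following audit is an added example (not part of the original article): it parses the AuthLDAPURL format used above and flags those settings; the function names and SAMPLE_CONF are constructed for illustration.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample, modelled on the websvn.conf shown in this article.
SAMPLE_CONF = """
<Location /websvn>
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPURL "ldap://adserver.domain.example.com:3268/DC=domain,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "CN=LDAP User,CN=Users,DC=domain,DC=example,DC=com"
    AuthLDAPBindPassword MakeItSecurePassword
    require valid-user
</Location>
"""

def parse_auth_ldap_url(args):
    """Split AuthLDAPURL arguments: ldap://host:port/basedn?attribute?scope?filter [mode]."""
    parts = urlsplit(args[0])
    attr, scope, flt = (parts.query.split("?", 2) + ["", "", ""])[:3]
    return {"scheme": parts.scheme.lower(), "host": parts.hostname, "port": parts.port,
            "base_dn": parts.path.lstrip("/"), "attribute": attr, "scope": scope,
            "filter": flt, "mode": args[1].upper() if len(args) > 1 else None}

def audit(conf_text):
    """Flag cleartext transport and inline secrets (assumes one scope, no global LDAPTrustedMode)."""
    findings, basic, require_ssl = [], False, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue  # skip blanks, comments and container tags
        name, *args = shlex.split(line)
        key = name.lower()
        if key == "authldapurl" and args:
            u = parse_auth_ldap_url(args)
            # Encrypted only with ldaps:// or an explicit SSL/TLS/STARTTLS keyword.
            if u["scheme"] != "ldaps" and u["mode"] not in ("SSL", "TLS", "STARTTLS"):
                findings.append(f"cleartext LDAP bind to {u['host']}:{u['port']}")
        elif key == "authldapbindpassword":
            findings.append("bind password stored inline in the config file")
        elif key == "authtype" and args and args[0].lower() == "basic":
            basic = True
        elif key == "sslrequiressl":
            require_ssl = True
    if basic and not require_ssl:
        findings.append("Basic auth without SSLRequireSSL")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

The inline bind password finding remains even after the transport is fixed, so the file holding it should be readable only by root.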
Next, create the new configuration file for WebSVN from the default configuration file that ships with the package.
    cd /var/www/websvn/include
    cp distconfig.php config.php
You can edit the config.php file according to your environment. For every repository, you have to add the parent path of the directory which holds the repositories. In my case, /srv/svn is the directory which will hold all the repositories, so I added the below line to config.php
    $config->parentPath('/srv/svn/');
In addition to the above, I added the below lines to config.php for syntax highlighting.
    $extEnscript[".pl"] = "perl";
    $extEnscript[".py"] = "python";
    $extEnscript[".sql"] = "sql";
    $extEnscript[".java"] = "java";
    $extEnscript[".html"] = "html";
    $extEnscript[".xml"] = "html";
    $extEnscript[".thtml"] = "html";
    $extEnscript[".tpl"] = "html";
    $extEnscript[".sh"] = "bash";
Restart the apache service for changes to take effect
    service httpd restart
Let's create a repository which we can use for testing.
    svnadmin create --fs-type fsfs /srv/svn/sandbox
Try accessing the alias using the URL http://<hostname>/websvn and if things work out good, you should have access to your repositories through WebSVN interface.
Configuring WebDAV
Configuring WebDAV access for subversion requires mod_dav_svn module which we already installed in previous steps. Installing mod_dav_svn RPM also creates configuration file subversion.conf under /etc/httpd/conf.d directory.
To use WebDAV for SVN repositories, the repository directory should be owned by the web server user (apache). Change the ownership of our test SVN repository to the apache user
    chown -R apache:apache /srv/svn/sandbox
Next, edit the subversion.conf file
    vim /etc/httpd/conf.d/subversion.conf
and add the following lines.
    <Location /sandbox>
        DAV svn
        SVNPath /srv/svn/sandbox
        AuthBasicProvider ldap
        AuthType Basic
        AuthzLDAPAuthoritative off
        AuthName "Subversion Repository Access"
        AuthLDAPURL "ldap://adserver.domain.example.com:3268/DC=domain,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
        AuthLDAPBindDN "CN=LDAP User,CN=Users,DC=domain,DC=example,DC=com"
        AuthLDAPBindPassword MakeItSecurePassword
        require valid-user
        # LimitExcept applies the group requirement to every method except those listed.
        # The method list is an assumption: the read-only set commonly used for Subversion.
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            require ldap-group CN=Developer Group,OU=Users,DC=domain,DC=example,DC=com
        </LimitExcept>
    </Location>
The LimitExcept directive controls access to the repository and defines whether the user can write to this repository or not. In the above case, any user who belongs to the Active Directory group ‘Developer Group’ can read from and write to this repository.
Let's restart the apache service for changes to take effect
    service httpd restart
Browse to the repository using below URL
http://<hostname>/sandbox
If you want to give access to all the repositories held under /srv/svn, replace the below lines
    DAV svn
    SVNPath /srv/svn/sandbox
with
    DAV svn
    SVNParentPath /srv/svn
    SVNListParentPath on
Great write up. This helped a lot. Just a quick question. What was the purpose of installing MySQL?
Thanks Jason,
I installed MySQL as I was also going to run MantisBT as another virtual host on this server. For the scope of this article in regards to SVN and WebSVN, you won’t need it. I will revise the article and will take it out to avoid confusion for other readers 🙂
Hi Harpreet, thanks for your intention to help others through your blog. I am using CentOS 5. I followed your steps till creating the websvn.conf file under your blog section (LDAP integration). Please let me know where I am wrong.
When I restarted Apache I get the error
Starting httpd: Syntax error on line 3 of /etc/httpd/conf.d/websvn.conf:
AuthBasicProvider not allowed here
[FAILED]
Alias /websvn/ "/var/www/websvn/"
AuthBasicProvider "ldap"
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Subversion Repository Web Browsing"
AuthLDAPURL "ldap://srv.xyz.com:389/DC=xyz,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=svnldap,CN=Users,DC=xyz,DC=com"
AuthLDAPBindPassword "eqa01234"
require valid-user
I have loaded the ldap module. Can you please help me with this? Thanks.
Hello Fizeen,
It seems to be related to the ldap module. What do you see in the Apache error log? Can you get me the messages from the Apache error logs related to LDAP authentication?
Also, double check your AuthLDAPURL to make sure there is no typo.