Harpreet Dhillon’s Blog

12 Jul 09 | 4 comments

Subversion with WebSVN, WebDAV and Active Directory or LDAP Authentication

I just finished setting up a Subversion server running on CentOS. In addition to hosting Subversion repositories, I had a few other requirements:

  • Ability to browse repositories using a web browser
  • Access to repositories using WebDAV
  • Repository access should be protected, and authentication/authorization should be done using Active Directory

At first, I looked at using Trac, which provides most of the above plus some extra features (project management and bug/issue tracking). But we already have other project management (dotProject) and bug/issue tracking (Mantis) software in place, and Trac doesn't seem very straightforward to install and configure. So I started looking at alternatives, and there isn't much out there in the form of one package that provides all of the above.

The solution we ended up building runs on the CentOS operating system with WebSVN and its dependency libraries. I ran into some issues while setting it up and went through a number of articles and KBs available on the Internet. I spent almost a whole day on this and thought it might be useful for others if I put all the info in one article.

The target is a setup where we can browse all the repositories using WebSVN at the URL

http://<hostname>/websvn

Each repository should be accessible at a URL that looks like
http://<hostname>/<repository name>

Installing/Configuring CentOS

Historically, I liked RedHat/Fedora (maybe because the first distribution I started working with was RedHat 5.x), but over the years I started liking Debian (and all the other distros built on Debian). For this project, I picked CentOS, which is well respected in enterprises for its stability and as a free alternative to OpenSuse Enterprise or Redhat Enterprise. The latest release as of writing this article is CentOS 5.3, so that's what I used.

Install CentOS with the default partitioning and make sure the web server (httpd package) with PHP support is installed. Once the installation is finished and you are logged in as root, I suggest that you install the latest updates by running

yum update

Install subversion and mod_dav_svn packages

yum install subversion mod_dav_svn enscript php-ldap

The enscript package is used by WebSVN for code highlighting and formatting.

Active Directory/LDAP Configuration

If your LDAP deployment doesn't support anonymous bind, create a user in LDAP which can be used to bind and perform queries. By default, anonymous LDAP operations, except rootDSE searches and binds, are not permitted on Windows 2003 domain controllers. As my deployment involves a Windows 2003 based domain controller, I created a user named 'LDAP User' (Logon Name 'ldapuser') in the Users container.

Before proceeding with the rest of the setup, it's a good idea to test the bind with the user that will be used for binding and search queries. I used a free utility from Softerra named LDAP Browser, which is available for download at:
http://www.softerra.com/download.htm

In the rest of the setup, I will use an imaginary domain called domain.example.com. My user principal name will be ldapuser@domain.example.com and the distinguished name for the same user will be
CN=LDAP User,CN=Users,DC=domain,DC=example,DC=com. The FQDN of the Active Directory domain server is adserver.domain.example.com.

WebSVN Configuration

Create a directory which will hold the SVN repositories. I used /srv/svn for this purpose.

mkdir -p /srv/svn

Next, download the latest WebSVN package from http://www.websvn.info

cd ~
wget http://websvn.tigris.org/files/documents/1380/45918/websvn-2.2.1.tar.gz
tar zxvf websvn-2.2.1.tar.gz

(Note: replace the URL in the above command line with the path to the latest release of WebSVN.)
Instead of extracting the WebSVN package to the default root of the Apache web server under /var/www/html, I created a new directory to host this package

mkdir -p /var/www/websvn
cp -ar ~/websvn-2.2.1/* /var/www/websvn

Next, create an alias for this directory in the Apache configuration. Create a file in /etc/httpd/conf.d

vim /etc/httpd/conf.d/websvn.conf

and add the following lines to this file

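Alias /websvn /var/www/websvn

# Authentication directives are only accepted inside a container such as <Directory>
<Directory /var/www/websvn>
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Subversion Repository Web Browsing"
# Search the whole domain for the entry whose sAMAccountName matches the login name
AuthLDAPURL "ldap://adserver.domain.example.com:3268/DC=domain,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=LDAP User,CN=Users,DC=domain,DC=example,DC=com"
AuthLDAPBindPassword MakeItSecurePassword

require valid-user
</Directory>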

Replace the AuthLDAPURL with the correct URL for your environment. Also, modify AuthLDAPBindDN and AuthLDAPBindPassword to match the user which will be used for binding.

Note:
If you are using an LDAP server instead of an Active Directory server, replace the port number 3268 with 389. Port 3268 is used by the Active Directory Global Catalog. The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. Using port 389 for some reason didn't work for authentication.

Note:
In AuthLDAPURL, the last word NONE serves the following purpose:

NONE
Establish an unsecure connection on the default LDAP port.

SSL
Establish a secure connection on the default secure LDAP port.

TLS/STARTTLS
Establish an upgraded secure connection on the default LDAP port.

Next, create the new configuration file for WebSVN from the default configuration file that ships with the package.

cd /var/www/websvn/include
cp distconfig.php config.php

You can edit the config.php file according to your environment. For the repositories, you have to add the parent path of the directory which holds them. In my case, /srv/svn is the directory which will hold all the repositories, so I added the below line to config.php

$config->parentPath('/srv/svn/');

In addition to the above, I added the below lines to config.php for syntax highlighting.

$extEnscript[".pl"] = "perl";
$extEnscript[".py"] = "python";
$extEnscript[".sql"] = "sql";
$extEnscript[".java"] = "java";
$extEnscript[".html"] = "html";
$extEnscript[".xml"] = "html";
$extEnscript[".thtml"] = "html";
$extEnscript[".tpl"] = "html";
$extEnscript[".sh"] = "bash";

Restart the Apache service for the changes to take effect

service httpd restart

Let's create a repository which we can use for testing.

svnadmin create --fs-type fsfs /srv/svn/sandbox

Try accessing the alias using the URL http://<hostname>/websvn. If things work out, you should have access to your repositories through the WebSVN interface.

Configuring WebDAV

Configuring WebDAV access for Subversion requires the mod_dav_svn module, which we already installed in the previous steps. Installing the mod_dav_svn RPM also creates the configuration file subversion.conf under the /etc/httpd/conf.d directory.
To use WebDAV for SVN repositories, the repository directory should be owned by the web server user (apache). Change the ownership of our test SVN repository to the apache user

chown -R apache:apache /srv/svn/sandbox

Next, edit the subversion.conf file

vim /etc/httpd/conf.d/subversion.conf

and add the following lines.

<Location /sandbox>
        DAV svn
        SVNPath /srv/svn/sandbox

        AuthBasicProvider ldap
        AuthType Basic
        AuthzLDAPAuthoritative off
        AuthName "Subversion Repository Access"
        AuthLDAPURL "ldap://adserver.domain.example.com:3268/DC=domain,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
        AuthLDAPBindDN "CN=LDAP User,CN=Users,DC=domain,DC=example,DC=com"
        AuthLDAPBindPassword MakeItSecurePassword

        require valid-user

        # GET, PROPFIND, OPTIONS and REPORT are the read-only methods; every other method is a write
        <LimitExcept GET PROPFIND OPTIONS REPORT>
                require ldap-group CN=Developer Group,OU=Users,DC=domain,DC=example,DC=com
        </LimitExcept>
</Location>

The LimitExcept directive controls access to the repository and defines whether a user can write to it. In the above case, any user who belongs to the Active Directory group 'Developer Group' can read from and write to this repository.

Let's restart the Apache service for the changes to take effect

service httpd restart

Browse to the repository using the below URL
http://<hostname>/sandbox

If you want to give access to all the repositories held under /srv/svn, replace the below lines

        DAV svn
        SVNPath /srv/svn/sandbox

with

        DAV svn
        SVNParentPath /srv/svn
        SVNListParentPath on
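
A hardened variant of the /sandbox block above, as an added example that is not part of the original article: it switches the AuthLDAPURL mode described in the earlier note from NONE to SSL and gives reads and writes their own method-scoped Require rule. It assumes the site is served over HTTPS with mod_ssl, that the domain controller offers the Global Catalog over SSL on port 3269, and that /etc/pki/tls/certs/ad-ca.pem (a placeholder path) holds the CA certificate that issued the domain controller's certificate.

```apache
# Added example, not the author's configuration.
# Assumptions: HTTPS vhost with mod_ssl, LDAPS available on Global Catalog
# port 3269, and a placeholder CA path (/etc/pki/tls/certs/ad-ca.pem).

# Server-level directives (outside any container): trust anchor used to
# verify the domain controller's certificate on the LDAPS connection.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-ca.pem
LDAPVerifyServerCert On

<Location /sandbox>
        DAV svn
        SVNPath /srv/svn/sandbox

        # Basic auth sends the AD password base64-encoded on every request,
        # so refuse any request that did not arrive over SSL/TLS.
        SSLRequireSSL

        AuthBasicProvider ldap
        AuthType Basic
        AuthzLDAPAuthoritative off
        AuthName "Subversion Repository Access"
        # ldaps:// with mode SSL replaces ldap:// with NONE, so the bind
        # password and each user's password are encrypted on the way to AD.
        AuthLDAPURL "ldaps://adserver.domain.example.com:3269/DC=domain,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
        AuthLDAPBindDN "CN=LDAP User,CN=Users,DC=domain,DC=example,DC=com"
        AuthLDAPBindPassword MakeItSecurePassword

        # Read-only methods: any authenticated directory user.
        <Limit GET PROPFIND OPTIONS REPORT>
                Require valid-user
        </Limit>
        # Every other method (commits, locks, property changes): group members only.
        <LimitExcept GET PROPFIND OPTIONS REPORT>
                Require ldap-group CN=Developer Group,OU=Users,DC=domain,DC=example,DC=com
        </LimitExcept>
</Location>
```

Because this file holds AuthLDAPBindPassword, keep it owned by root and not world-readable; httpd reads its configuration as root before switching to the apache user.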

Comments (4) Trackbacks (0)
  1. Great write up. This helped a lot. Just a quick question. What was the purpose of installing MySQL?

  2. Thanks Jason,
    I installed MySQL as I was also going to run MantisBT as another virtual host on this server. For the scope of this article in regards to SVN and WebSVN, you won’t need it. I will revise the article and will take it out to avoid confusion for other readers :)

  3. Hi Harpreet, thanks for your intention to help others through your blog. I am using CentOS 5. I followed your steps up to creating the websvn.conf file in the LDAP integration section of your blog. Please let me know where I am wrong.

    When I restarted Apache I get the error

    Starting httpd: Syntax error on line 3 of /etc/httpd/conf.d/websvn.conf:
    AuthBasicProvider not allowed here
    [FAILED]

    Alias /websvn/ “/var/www/websvn/”

    AuthBasicProvider “ldap”
    AuthType Basic
    AuthzLDAPAuthoritative off
    AuthName “Subversion Repository Web Browsing”
    AuthLDAPURL “ldap://srv.xyz.com:389/DC=xyz,DC=com?sAMAccountName?sub?(objectClass=*)” NONE
    AuthLDAPBindDN “CN=svnldap,CN=Users,DC=xyz,DC=com”
    AuthLDAPBindPassword “eqa01234″

    require valid-user

    I have loaded the ldap module. Can you please help me with this? Thanks.

  4. Hello Fizeen,

    It seems to be related to the ldap module. What do you see in the Apache error log? Can you get me the messages from the Apache error logs related to LDAP authentication?

    Also, double check your AuthLDAPURL to make sure there is no typo.

