A longer-term project of mine has been the installation and maintenance of our company Subversion and Trac server. The main thing I wanted to implement was authentication against our current AD infrastructure, so that our Service Desk can grant access to repositories through group membership.
To start with, I have the config files structured so there is a blanket authentication requirement to access any repository. I do require SSL for all of the repos.
So in my /etc/httpd/conf.d/subversion.conf:
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so

    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative off
    AuthName "Subversion server"
    AuthLDAPURL "ldap://server.domain.com:389/OU=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=domain,DC=com"
    AuthLDAPBindPassword MahPassword!
    require valid-user

    include conf.d/svn/*.conf
As you can see, the subversion.conf file includes further .conf files located in the conf.d/svn directory. Each repo has its own conf file. I prefer this method over one large file because it lets me take a single repo offline easily.
My first repo is a user sandbox area. All users have read/write permissions and maintain their own directories. The only access that is required is a valid AD account.
    ####################
    # Users Repository #
    ####################
    # This repo is readable/writable by all employees
    <Location "/svn/users">
        DAV svn
        SVNPath /svn/repositories/users
        SSLRequireSSL
    </Location>
The next repo is readable by all employees, but write access requires membership of a specific group.
    ##################
    # Project1 repo  #
    ##################
    # Read  - world
    # Write - SVN_Project1_RW
    <Location "/svn/project1">
        DAV svn
        SVNPath /svn/repositories/project1
        SSLRequireSSL

        # Write access
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            require ldap-group CN=SVN_Project1_RW,OU=Users,DC=domain,DC=com
        </LimitExcept>
    </Location>
Next is a repository where I want to control both read and write access. Notice that each Limit block controls a specific permission, so to give a group write access you also have to list it in the read block.
    ##################
    # Project2 repo  #
    ##################
    # Read  - SVN_Project2_RO
    # Write - SVN_Project2_RW
    <Location "/svn/Project2">
        DAV svn
        SVNPath /svn/repositories/project2
        SSLRequireSSL

        # Read
        <Limit GET PROPFIND OPTIONS REPORT>
            require ldap-group CN=SVN_Project2_RO,OU=Users,DC=domain,DC=com
            require ldap-group CN=SVN_Project2_RW,OU=Users,DC=domain,DC=com
        </Limit>

        # Write access
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            require ldap-group CN=SVN_Project2_RW,OU=Users,DC=domain,DC=com
        </LimitExcept>
    </Location>
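Because the read and write rules live in separate Limit blocks, the mistake the previous paragraph warns about (a group that can commit but was never added to the read block) is easy to make and hard to spot across a directory of per-repo conf files. The script below is an added example, not part of the original post: it parses the Location stanzas in the style used here, works out which `require` rules govern reads and writes for each repo, and flags any write group that is missing from the read Limit. It assumes the post's conventions (a server-wide `require valid-user`, the four read methods GET PROPFIND OPTIONS REPORT, and `require` lines outside any Limit block applying to both); the sample configuration is constructed and adds a hypothetical `/svn/project3` stanza that contains the mistake on purpose.

```python
"""Audit the effective read/write policy of mod_dav_svn <Location> stanzas.

Added example, not the post's own code. Assumptions: a server-wide
`require valid-user`, <Limit GET PROPFIND OPTIONS REPORT> governs reads,
the matching <LimitExcept ...> governs writes, and a `require` outside
either block applies to both.
"""
import re
from typing import Dict, List, Set, Tuple

READ_METHODS = {"GET", "PROPFIND", "OPTIONS", "REPORT"}
DEFAULT_REQUIRE = "valid-user"  # inherited from subversion.conf

_LOCATION = re.compile(r'^<Location\s+"?([^"\s>]+)"?\s*>$', re.I)
_LIMIT = re.compile(r'^<(Limit|LimitExcept)\s+([^>]+?)\s*>$', re.I)
_REQUIRE = re.compile(r'^require\s+(.+?)\s*$', re.I)

# Constructed sample: the post's three repos plus a deliberately broken
# /svn/project3 whose RW group is absent from the read <Limit>.
SAMPLE_CONF = """
<Location "/svn/users">
    DAV svn
    SVNPath /svn/repositories/users
    SSLRequireSSL
</Location>
<Location "/svn/project1">
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        require ldap-group CN=SVN_Project1_RW,OU=Users,DC=domain,DC=com
    </LimitExcept>
</Location>
<Location "/svn/Project2">
    <Limit GET PROPFIND OPTIONS REPORT>
        require ldap-group CN=SVN_Project2_RO,OU=Users,DC=domain,DC=com
        require ldap-group CN=SVN_Project2_RW,OU=Users,DC=domain,DC=com
    </Limit>
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        require ldap-group CN=SVN_Project2_RW,OU=Users,DC=domain,DC=com
    </LimitExcept>
</Location>
<Location "/svn/project3">
    <Limit GET PROPFIND OPTIONS REPORT>
        require ldap-group CN=SVN_Project3_RO,OU=Users,DC=domain,DC=com
    </Limit>
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        require ldap-group CN=SVN_Project3_RW,OU=Users,DC=domain,DC=com
    </LimitExcept>
</Location>
"""


def parse_policy(conf: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {location: {"read": set_of_requires, "write": set_of_requires}}."""
    policy: Dict[str, Dict[str, Set[str]]] = {}
    repo = None
    scope = None  # None = whole <Location>; "read", "write" or "other"
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LOCATION.match(line)
        if m:
            repo = m.group(1)
            policy[repo] = {"read": set(), "write": set()}
            continue
        if line.lower() == "</location>":
            repo, scope = None, None
            continue
        if repo is None:
            continue
        m = _LIMIT.match(line)
        if m:
            kind = m.group(1).lower()
            methods = set(m.group(2).upper().split())
            if methods == READ_METHODS:
                scope = "read" if kind == "limit" else "write"
            else:
                scope = "other"  # unrecognised method list: leave its requires alone
            continue
        if line.lower() in ("</limit>", "</limitexcept>"):
            scope = None
            continue
        m = _REQUIRE.match(line)
        if m:
            targets = ("read", "write") if scope is None else (scope,)
            for t in targets:
                if t in policy[repo]:
                    policy[repo][t].add(m.group(1))
    # A scope with no require of its own inherits the server-wide rule.
    for acl in policy.values():
        for t in ("read", "write"):
            if not acl[t]:
                acl[t].add(DEFAULT_REQUIRE)
    return policy


def audit(policy: Dict[str, Dict[str, Set[str]]]) -> List[Tuple[str, str, str]]:
    """Return (location, severity, message) findings, sorted by location."""
    findings = []
    for repo, acl in sorted(policy.items()):
        if acl["write"] == {DEFAULT_REQUIRE}:
            findings.append((repo, "info", "any authenticated user can commit"))
        if DEFAULT_REQUIRE in acl["read"]:
            continue  # every authenticated user can read, so writers can too
        for group in sorted(acl["write"] - acl["read"]):
            findings.append((repo, "error", f"'{group}' may write but is not in the read <Limit>"))
    return findings


if __name__ == "__main__":
    for repo, severity, message in audit(parse_policy(SAMPLE_CONF)):
        print(f"{severity:5} {repo}: {message}")
```

Run it against `cat conf.d/svn/*.conf` and every `error` line is a group whose members can commit but cannot check out, which is exactly the inconsistency the Limit/LimitExcept split invites. The `info` lines are not mistakes (the users sandbox is meant to be writable by everyone) but are worth a glance during review. The check is purely about the authorization mapping; it says nothing about the LDAP bind itself.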