A longer term project of mine has been the installation and maintenance of our company subversion and Trac server. The main thing I wanted to implement was authentication against our current AD infrastructure and in doing so, allow our Service Desk to give access to repositories through group membership.
To start with, I have the config files structured so there is a blanket authentication requirement to access any repository. I do require SSL for all of the repos.
So in my /etc/httpd/conf.d/subversion.conf:
LoadModule dav_svn_module modules/mod_dav_svn.so LoadModule authz_svn_module modules/mod_authz_svn.so AuthBasicProvider ldap AuthType Basic AuthzLDAPAuthoritative off AuthName "Subversion server" AuthLDAPURL "ldap://server.domain.com:389/OU=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=domain,DC=com" AuthLDAPBindPassword MahPassword! require valid-user include conf.d/svn/*.conf |
As you can see, from the subversion.conf file I include more .conf files located in the conf.d/svn directory. Each repo has its own conf file. I prefer this method over one large file because it allows me to take a single repo offline easily.
My first repo is a user sandbox area. All users have read/write permissions and maintain their own directories. The only access that is required is a valid AD account.
####################
# Users Repository #
####################
# This repo is readable/writable by all employees
<Location "/svn/users">
DAV svn
SVNPath /svn/repositories/users
SSLRequireSSL
</Location> |
The next is a basic readable to all employees, but write access requires special group membership.
##################
# Project1 repo #
##################
# Read - world
# Write - SVN_Project1_RW
<Location "/svn/project1">
DAV svn
SVNPath /svn/repositories/project1
SSLRequireSSL
# Write access
<LimitExcept GET PROPFIND OPTIONS REPORT>
require ldap-group CN=SVN_Project1_RW,OU=Users,DC=domain,DC=com
</LimitExcept>
</Location> |
Next is a repository that I want to control both read and write access. Notice that each Limit block controls a specific permission. So to give a group write access, you have to also give them read.
##################
# Project2 repo #
##################
# Read - SVN_Project2_RO
# Write - SVN_Project2_RW
<Location "/svn/Project2">
DAV svn
SVNPath /svn/repositories/project2
SSLRequireSSL
# Read
<Limit GET PROPFIND OPTIONS REPORT>
require ldap-group CN=SVN_Project2_RO,OU=Users,DC=domain,DC=com
require ldap-group CN=SVN_Project2_RW,OU=Users,DC=domain,DC=com
</Limit>
# Write access
<LimitExcept GET PROPFIND OPTIONS REPORT>
require ldap-group CN=SVN_Project2_RW,OU=Users,DC=domain,DC=com
</LimitExcept>
</Location> |
line
