Subversion/Apache with Active Directory authentication

A longer-term project of mine has been the installation and maintenance of our company Subversion and Trac server. The main thing I wanted to implement was authentication against our current AD infrastructure and, in doing so, to allow our Service Desk to grant access to repositories through group membership.

To start with, I have the config files structured so there is a blanket authentication requirement to access any repository. I do require SSL for all of the repos.

So in my /etc/httpd/conf.d/subversion.conf:

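LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

# The Auth* and require directives are only valid inside a container,
# so the blanket rule is applied to everything under /svn.
<Location "/svn">
        AuthBasicProvider ldap
        AuthType Basic
        # off: lets other authorization modules decide when LDAP does not
        # (needed for "require valid-user")
        AuthzLDAPAuthoritative off
        AuthName "Subversion server"
        # NONE: no SSL/TLS on the connection from Apache to the LDAP server
        AuthLDAPURL "ldap://server.domain.com:389/OU=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
        AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=domain,DC=com"
        AuthLDAPBindPassword MahPassword!

        require valid-user
</Location>

include conf.d/svn/*.conf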

As you can see, from the subversion.conf file I include more .conf files located in the conf.d/svn directory. Each repo has its own conf file. I prefer this method over one large file because it allows me to take a single repo offline easily.

My first repo is a user sandbox area. All users have read/write permissions and maintain their own directories. The only access that is required is a valid AD account.

####################
# Users Repository #
####################

# This repo is readable/writable by all employees

<Location "/svn/users">
        DAV svn
        SVNPath /svn/repositories/users
        SSLRequireSSL
</Location>

The next repo is readable by all employees, but write access requires membership in a specific group.

#################
# Project1 repo #
#################

# Read  - world
# Write - SVN_Project1_RW

<Location "/svn/project1">
        DAV svn
        SVNPath /svn/repositories/project1
        SSLRequireSSL

        # Write access
        <LimitExcept GET PROPFIND OPTIONS REPORT>
                require ldap-group CN=SVN_Project1_RW,OU=Users,DC=domain,DC=com
        </LimitExcept>

</Location>

Next is a repository where I want to control both read and write access. Notice that each Limit block controls a specific permission, so to give a group write access you also have to give it read.

#################
# Project2 repo #
#################

# Read  - SVN_Project2_RO
# Write - SVN_Project2_RW

<Location "/svn/Project2">
        DAV svn
        SVNPath /svn/repositories/project2
        SSLRequireSSL

        # Read
        <Limit GET PROPFIND OPTIONS REPORT>
                require ldap-group CN=SVN_Project2_RO,OU=Users,DC=domain,DC=com
                require ldap-group CN=SVN_Project2_RW,OU=Users,DC=domain,DC=com
        </Limit>

        # Write access
        <LimitExcept GET PROPFIND OPTIONS REPORT>
                require ldap-group CN=SVN_Project2_RW,OU=Users,DC=domain,DC=com
        </LimitExcept>

</Location>
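
With one conf file per repo, it is easy for one of them to drift from the pattern above. The following is an added example, not part of the original setup: a small Python audit that reads per-repo conf text and reports, for each Location, which AD groups can read and write and whether SSLRequireSSL is present. The function name `audit`, the warning strings and the sample input are made up for illustration, and it only understands the Limit/LimitExcept layouts shown in this post.

```python
import re

READ = {"GET", "PROPFIND", "OPTIONS", "REPORT"}  # read-only method set used in this post

def audit(conf_text):
    """Per <Location>: SSL flag, read/write groups (none listed = valid-user), warnings."""
    repos, loc, scope = {}, None, None
    for line in (l.strip() for l in conf_text.splitlines()):
        m = re.match(r'<(Location|LimitExcept|Limit)\s+(.+?)>$', line, re.I)
        g = re.match(r'require\s+ldap-group\s+CN=([^,]+)', line, re.I)
        if m and m.group(1).lower() == "location":
            loc = m.group(2).strip('"')
            repos[loc] = {"ssl": False, "read": [], "write": [], "warn": []}
        elif m and loc:
            scope = "read" if m.group(1).lower() == "limit" else "write"
            if set(m.group(2).upper().split()) != READ:
                repos[loc]["warn"].append(f"{scope} block method list differs from READ")
        elif re.match(r'</Limit(Except)?>$', line, re.I):
            scope = None
        elif line.lower() == "</location>":
            loc = None
        elif loc and line.lower() == "sslrequiressl":
            repos[loc]["ssl"] = True
        elif loc and scope and g:
            repos[loc][scope].append(g.group(1))
    for r in repos.values():
        r["read"] = r["read"] or ["valid-user"]
        r["write"] = r["write"] or ["valid-user"]
        if not r["ssl"]:
            r["warn"].append("SSLRequireSSL missing")
    return repos

# Constructed sample: Project2 has lost SSLRequireSSL and REPORT in LimitExcept.
SAMPLE = """
<Location "/svn/users">
    SSLRequireSSL
</Location>
<Location "/svn/Project2">
    <Limit GET PROPFIND OPTIONS REPORT>
        require ldap-group CN=SVN_Project2_RO,OU=Users,DC=domain,DC=com
        require ldap-group CN=SVN_Project2_RW,OU=Users,DC=domain,DC=com
    </Limit>
    <LimitExcept GET PROPFIND OPTIONS>
        require ldap-group CN=SVN_Project2_RW,OU=Users,DC=domain,DC=com
    </LimitExcept>
</Location>
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a real server, pass it the concatenated contents of the files in conf.d/svn instead of the sample string.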
