LDAP Authentication for Subversion on Ubuntu Feisty
I have been busy configuring a new Subversion server for HCL. Our environment is 99% Microsoft, so there is already an Active Directory structure in place. Subversion is hosted on Ubuntu Feisty (7.04), and I wanted to use AD for authentication into my repository. Luckily, the installation was pretty straightforward.
There are some things to know about our directory. All of the users that will access the repository will get the same read/write permission. All of these users exist in a single OU within the directory. Access to the repository will be allowed over HTTP. I will be using Apache as the web server.
After a simple base install, I only had to install a few additional components. My memory here is a little rusty, so please bear with me…
sudo apt-get install libapache2-svn subversion subversion-tools
This should fetch the subversion components and other dependencies. Confirm yes when asked about the Apache installation.
After the installation is complete, you will need to do some configuration in order to enable the subversion components. First test to make sure the components can load.
# cd /etc/apache2/mods-enabled
# sudo ln -s /etc/apache2/mods-available/dav_svn.load
# sudo /etc/init.d/apache2 restart
If you do not see any errors relating to the start of Apache, the Subversion components loaded and it is time to configure. If you see some errors, step back and head to Google.
In order to configure the components, we must create a config file. I created mine in the terminal again and opened the document in gedit to edit the contents.
# cd /etc/apache2/mods-enabled
# sudo touch dav_svn.conf
# sudo gedit dav_svn.conf
Here are the contents of the configuration file.
# DAV and SVNParentPath are only valid in a directory context, so wrap everything in a
# <Location> whose path matches the checkout URL used at the end (/repos).
<Location /repos>
# Must be turned on to make Apache aware that this is a WebDAV share run by Subversion
DAV svn
# Path to my repository location
SVNParentPath /srv/svn/repos
# In addition to setting the AuthType, be sure to configure the provider.
AuthType Basic
AuthBasicProvider ldap
AuthName "HCL Subversion Server"
# LDAP authentication first binds to the directory as this service account and searches
# for the user who is logging in, then rebinds as that user's DN to verify the password.
# Obviously, change the DN to a user you have, with the correct password.
AuthLDAPBindDN "CN=ldap,OU=Service Accounts,OU=HCL Users,DC=hcl,DC=internal"
AuthLDAPBindPassword ****
# This is the most critical part. This is the URL to the LDAP server specifying the scope
# to search for the user. See the notes below.
AuthLDAPURL "ldap://gallodc01.hcl.internal:3268/OU=IT,OU=HCL Users,DC=hcl,DC=internal?sAMAccountName"
# "require valid-user" is provided by mod_authz_user, not mod_authnz_ldap. With
# AuthzLDAPAuthoritative On, mod_authnz_ldap rejects the request instead of letting
# authorization fall through to that module, so it must be Off here. If you would rather
# keep mod_authnz_ldap authoritative, use "require ldap-user" or "require ldap-group".
AuthzLDAPAuthoritative Off
require valid-user
</Location>
There are a few things I want to bring to your attention, as I found they relate to Active Directory. All of this is in the AuthLDAPURL parameter. First off, you must identify the server that holds the Global Catalog and specify port 3268. The second part is to make sure that sAMAccountName is set as your user identifier. I am not sure if case matters at this point, but having worked with Microsoft products long enough, I am just going to match this up with what I found with ADSI Edit. One caveat: with ldap:// both the service-account bind and every user's password check cross the network in cleartext, and HTTP Basic sends each user's AD password to Apache in cleartext as well, so outside a lab use ldaps:// (the Global Catalog listens for TLS on port 3269) and serve the repository over HTTPS.
ADSI Edit??? Yes, that is what I used to interrogate Active Directory to make sure that I was using the proper field. In other LDAP environments, this would be UID or even CN depending upon the LDAP flavor. I would imagine that you could use the standard mail attribute in which case the username would be the email address. That attribute seems constant among all directories I have seen.
Before you restart Apache one last time, create the repo directories, create a repository, and fix the permissions for web access.
# sudo mkdir -p /srv/svn/repos
# cd /srv/svn/repos
# sudo svnadmin create test
# sudo chown -R www-data:www-data test
# sudo /etc/init.d/apache2 restart
Hopefully you received no errors. The only thing left is to check out your test project to make sure everything works correctly.
# cd ~
# svn co --username {AD Username} http://localhost/repos/test
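As an added example, not code from the original post: the script below renders the dav_svn.conf described above in a hardened form (ldaps:// on the Global Catalog TLS port 3269 instead of cleartext ldap://3268, inside a <Location /repos> block so the checkout URL http://localhost/repos/test resolves) and then checks any dav_svn.conf for the pitfalls hit in this post and its comments: require valid-user without AuthzLDAPAuthoritative Off, cleartext ldap://, a user attribute other than sAMAccountName, and a non-Global-Catalog port. Host names, DNs and paths are the post's own; the bind password "change-me" is a placeholder, and the ldaps:// choice assumes mod_ldap trusts the domain controller's certificate (LDAPTrustedGlobalCert in the main server config).

```shell
#!/bin/sh
# Added example (not from the original post). Renders a hardened dav_svn.conf
# and checks a dav_svn.conf for the pitfalls discussed in the post.
# Assumptions: DNs, host and paths as in the post; "change-me" is a placeholder
# for the real service-account password.

# Render the hardened config to stdout. For ldaps:// mod_ldap must trust the
# DC certificate (LDAPTrustedGlobalCert in the main Apache config).
render_dav_svn_conf() {
  cat <<'EOF'
<Location /repos>
  DAV svn
  SVNParentPath /srv/svn/repos
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "HCL Subversion Server"
  AuthLDAPBindDN "CN=ldap,OU=Service Accounts,OU=HCL Users,DC=hcl,DC=internal"
  AuthLDAPBindPassword "change-me"
  AuthLDAPURL "ldaps://gallodc01.hcl.internal:3269/OU=IT,OU=HCL Users,DC=hcl,DC=internal?sAMAccountName"
  # "require valid-user" belongs to mod_authz_user, so mod_authnz_ldap must not
  # be authoritative or it rejects the request before authz can fall through.
  AuthzLDAPAuthoritative Off
  Require valid-user
</Location>
EOF
}

# Check an existing dav_svn.conf. Prints one finding per line and returns the
# number of findings (0 = clean), so it can gate the Apache restart.
check_dav_svn_conf() {
  conf="$1"
  findings=0
  # Pitfall 1: require valid-user with AuthzLDAPAuthoritative On (or unset).
  if grep -Eiq '^[[:space:]]*require[[:space:]]+valid-user' "$conf" \
     && ! grep -Eiq '^[[:space:]]*AuthzLDAPAuthoritative[[:space:]]+off' "$conf"; then
    echo "require valid-user needs AuthzLDAPAuthoritative Off"
    findings=$((findings + 1))
  fi
  # Pitfall 2: cleartext LDAP exposes the bind password and every user's password.
  if grep -Eiq 'AuthLDAPURL[[:space:]]*"ldap://' "$conf"; then
    echo "AuthLDAPURL uses cleartext ldap://; use ldaps://"
    findings=$((findings + 1))
  fi
  # Pitfall 3: AD logon names live in sAMAccountName, not uid or cn.
  if grep -q 'AuthLDAPURL' "$conf" && ! grep -q 'sAMAccountName' "$conf"; then
    echo "AuthLDAPURL does not search on sAMAccountName"
    findings=$((findings + 1))
  fi
  # Pitfall 4: searching the forest needs the Global Catalog (3268, or 3269 for TLS).
  if grep -q 'AuthLDAPURL' "$conf" \
     && ! grep -Eiq 'AuthLDAPURL[[:space:]]*"ldaps?://[^/]*:(3268|3269)/' "$conf"; then
    echo "AuthLDAPURL does not point at a Global Catalog port (3268/3269)"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Usage: render the hardened config to a scratch file, check it, and print the
# path so it can be diffed against /etc/apache2/mods-enabled/dav_svn.conf.
conf_file=$(mktemp)
render_dav_svn_conf > "$conf_file"
if check_dav_svn_conf "$conf_file"; then
  echo "$conf_file passes all checks"
fi
```

Running the checker against the post's original file (ldap:// on 3268 with require valid-user and AuthzLDAPAuthoritative Off) reports only the cleartext finding; a file that leaves AuthzLDAPAuthoritative at its default fails the first check, which is the symptom the post describes.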

Arrgh!!!!
I’ve been having trouble for days now! Everyone insists AuthzLDAPAuthoritative should be On. Idiots.
Thanks, it works beautifully.
I’m glad it worked for you. Thanks for stopping by.
Everyone is facing the problem of integration of Apache/Subversion with Active Directory. I found the document with the complete package, and it takes only 5-10 mins to install. You can also use the same, and if there is any problem, log on to http://forum.opensourcedevelopment.net. It is really very good.
Path is:- http://opensourcedevelopment.net/text-tutorials/apache-subversion-active-directory.html
You sir, are a god. I spent ages failing to fix a similar ldap auth problem last month, and it took me 30 seconds after reading this.
Cheers!
On my Ubuntu 7.04 apache-22.0.55-4ubuntu4 subversion 1.4.3dfsg1-1ubuntu1, these two links were needed:
$ sudo ln -s /etc/apache2/mods-available/ldap.load /etc/apache2/mods-enabled/
$ sudo ln -s /etc/apache2/mods-available/authnz_ldap.load /etc/apache2/mods-enabled/
About the require valid-user directive and AuthzLDAPAuthoritative, this was a real pain for me as well. The documentation (http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html) states that require valid-user “requires that mod_authz_user be loaded and that the AuthzLDAPAuthoritative directive be set to off.” Notice the last part of the last sentence. I’m not sure why that is, but my guess is that Apache needs to authorize the user after he/she has been authenticated through LDAP. Another option is to use require ldap-user, which does not require you to set AuthzLDAPAuthoritative to off.
From the mod_authnz_ldap man page:
“Other Require values may also be used which may require loading additional authorization modules. Note that if you use a Require value from another authorization module [eg require valid-user], you will need to ensure that AuthzLDAPAuthoritative is set to off to allow the authorization phase to fall back to the module providing the alternate Require value.”
So you don’t have to set AuthzLDAPAuthoritative! It’s only needed because you use “require valid-user”.
Thanks, You help me a lot. All good only to say:
1-the chown parameter is -R
2-I used another LDAPURL; I think this depends on how you make your schema on LDAP.
3-you can make your repository where you want, but you have to give permissions to www-data (apache user)
4- Great template design for the blog
5-thanks thanks and more thanks
The only problem I see with all of this is the ldap:// URL Doesn’t that mean that you are sending AD usernames and passwords over the network in plain text? And ldaps:// would be secure (assuming AD is configured properly)?
Just as an FYI:
Instead of creating the module links by hand, you can use a2enmod:
sudo a2enmod dav_svn
will automatically create the appropriate *.load and *.conf links into mods-enabled
a2ensite does the same thing with sites-available, and a2dismod and a2dissite will turn them off.
Scott, great tip! This URL will give you more information regarding these commands.
http://www.debian-administration.org/articles/207