You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Tim Liu <ti...@gmail.com> on 2006/11/03 02:26:32 UTC

Apache 2.0.59, SVN 1.4 and LDAP

Folks,

Can somebody share me a  working copy of Location setion in httpd.conf for
LDAP? Appreciate it a lot.

I am trying to use LDAP server to authenticate access to SVN. I have
searched email here and try them and no Luck.

Setup
====
Apache 2.0.59
SVN 1.4

The working part without ldap is
# Subversion
<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath D:\svnrepos
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile passwd
#AuthzSVNAccessFile svnaccessfile
Require valid-user
</Location>

How to change it for LDAP?

thx

Tim

Re: Apache 2.0.59, SVN 1.4 and LDAP

Posted by Greg Thomas <th...@omc.bt.co.uk>.

On Thu, 2 Nov 2006 18:26:32 -0800, "Tim Liu" <ti...@gmail.com>
wrote:

>Can somebody share me a  working copy of Location setion in httpd.conf for
>LDAP? Appreciate it a lot.

<Location /svn>
  DAV svn  
  SVNPath /wherever/svn-repos

  # Which users can access the repository?
  AuthzSVNAccessFile /wherever/svn-config/access-file

  Require valid-user

  # how to get a username/password from the browser
  AuthType Basic
  AuthName "Subversion repository"

  # How to verify that it's the right password for that user.
  AuthLDAPUrl ldap://ldapserver:389/OU=etc.etc.
  AuthLDAPBindDN CN=etc.etc.
  AuthLDAPBindPassword changeMe
</Location>
               
HTH,

Greg
-- 
This post represents the views of the author and does
not necessarily accurately represent the views of BT.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

RE: Apache 2.0.59, SVN 1.4 and LDAP

Posted by Mark Kempster <ma...@kempster.org>.

Damian -

> I should also point out that the configuration shown will allow any
> authenticated user to browse the repository but only allow members of
> the DeveloperStaff group to commit changes.
>
>    <Location /svn>
.. snip ..
>            Require group CN=DeveloperStaff,OU=MyOu,DC=MyDomain,DC=com
>        </LimitExcept>
>    </Location>


Thanks a ton for including this little snippet in your email.
You timing's impeccable (as in, I'll use this within 24 hours!).
You rock.

What a great list - so few places can you learn so much from a
statement that starts "I should also point out".

Cheers
- Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

RE: Apache 2.0.59, SVN 1.4 and LDAP

Posted by "Powell, Damian" <da...@davislangdon.com>.

The example below does the trick for me. However, if you're running
Apache on Windows (like me), you'll notice that mod_auth_ldap is rather
flakey and frequently crashes when it's unbinding form the LDAP server.

Also, the conversation between Apache and the LDAP server is not
encrypted so if your LDAP server is also your Active Directory server,
then your Active Directory password will be going over the network in
the clear. To make things worse, your password could be going over the
network in the clear twice: once between your Subversion client and
Apache, and again between Apache and your LDAP server.

There is also a potential gotcha with the LDAP URL. If you *are* using
LDAP to access Active Directory, then you need to specify at least one
OU as well as the DC components. If you want to search from the root of
the Active Directory domain, you'll have to specify port 3268 in the
LDAP URL (like this:
"ldap://MyAdServer:3268/DC=MyDomain,DC=com?sAMAccountName") rather than
the URL in the example.

I should also point out that the configuration shown will allow any
authenticated user to browse the repository but only allow members of
the DeveloperStaff group to commit changes.

Don't let me put you off though! :)

While I'm on the subject: does anybody have a Windows build of
Subversion 1.4 that is built against Apache 2.2?

   <Location /svn>
       # Subversion configuration
       DAV svn
       SVNParentPath C:/Repositories/Subversion
       # Authentication
       AuthType Basic
       AuthName "Subversion Repository"
       AuthLDAPUrl
"ldap://MyAdServer/OU=MyOu,DC=MyDomain,DC=com?sAMAccountName"
       AuthLDAPBindDN "mydomain\adviewerusername"
       AuthLDAPBindPassword "adviewerpassword"
       # Authorization
       <Limit GET PROPFIND OPTIONS REPORT>
           Require valid-user
       </Limit>
       <LimitExcept GET PROPFIND OPTIONS REPORT>
           Require group CN=DeveloperStaff,OU=MyOu,DC=MyDomain,DC=com
       </LimitExcept>
   </Location>



PS: Apologies for this long signature:




**********************************************************************
	PRIVACY AND CONFIDENTIALITY NOTICE

This email, and any files transmitted with it, is strictly 
confidential and intended solely for the person or organisation to 
whom it is addressed. If it comes to the attention of any other 
unauthorised person, no action may be taken on it nor should it be 
copied or shown to any third party.

If you have received this email in error please return it
to postmaster@davislangdon.com

This email message has been swept for the presence of computer viruses.
**********************************************************************



<font face="Arial, Helvetica" style="font-size:7.6pt" color="black">Project Management | Cost Management | Management Consulting | Legal Support | Specification Consulting | Engineering Services | Property Tax &amp; Finance<br clear="all">&nbsp;</font><br><font face="Arial, Helvetica" style="font-size:7pt;" color="#808285">Davis Langdon LLP is a limited liability partnership registered in England and Wales with registered number OC306911. A list of members' names is available for inspection at MidCity Place, 71 High Holborn, London WC1V 6QS, the firm's principal place of business and registered office.<br><br>Davis Langdon LLP is a member firm of Davis Langdon &amp; Seah International, with offices in: England, Scotland, Wales, Ireland, France, Spain, Poland, Lebanon, Bahrain, UAE, Qatar, Saudi Arabia, Egypt, Brunei, China, Hong Kong, India, Indonesia, Korea, Malaysia, Philippines, Singapore, Thailand, Vietnam, Australia, New Zealand, South Africa, Botswana and the USA</font><br><br><hr><font face="Arial, Helvetica" style="font-size:7pt" color="black">PRIVACY AND CONFIDENTIALITY NOTICE<br><br>This email, and any files transmitted with it, is strictly confidential and intended solely for the person or organisation to whom it is addressed. If it comes to the attention of any other unauthorised person, no action may be taken on it nor should it be copied or shown to any third party. This email message has been swept for the presence of computer viruses.<br><br>If you have received this email in error please return it to <a href="mailto:postmaster@davislangdon.com">postmaster@davislangdon.com</a><hr></font>


_____________________________________________________________________
This e-mail has been scanned for viruses by Verizon Business Internet Managed Scanning Services - powered by MessageLabs. For further information visit http://www.mci.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org