Posted to users@httpd.apache.org by Leo Donahue - RDSA IT <Le...@mail.maricopa.gov> on 2013/09/27 20:52:08 UTC

[users@httpd] some questions on configuring SSL and LDAP

Would someone be willing to nitpick this configuration?

The goal is setting up a self-signed certificate and enabling SSL and LDAP authentication for a subversion repository.
This configuration is located in subversion.conf
The version of Apache httpd in this subversion product is: 2.2.25

This configuration is working, but I was hoping someone might spot something I've missed or perhaps suggest some best practices?


# VirtualHost is set to: 8443 for SSL
<VirtualHost *:8443>
KeepAlive On

# This directive toggles the usage of the SSL/TLS Protocol Engine. This should be used inside a <VirtualHost> section to enable SSL/TLS for that virtual host.
SSLEngine On
SSLCertificateFile "C:\Program Files (x86)\Subversion\Apache2\ssl\apache.crt"
SSLCertificateKeyFile "C:\Program Files (x86)\Subversion\Apache2\ssl\apache.key"

# The <Location> directive limits the scope of the enclosed directives by URL, in this case the URL of /svn
<Location /svn>

  DAV svn
  SVNParentPath "C:\repositories"

 # Let the users browse the parent path /svn
  SVNListParentPath on

  # SVNParentPath and authz fix http://subversion.tigris.org/issues/show_bug.cgi?id=2753
  RedirectMatch ^(/svn)$ $1/

  # Authentication: LDAP
  Order deny,allow
  Deny from All
  AuthName "my auth name"
  AuthType Basic
  AuthBasicProvider ldap

  # AuthzLDAPAuthoritative must be explicitly set because the default setting is "on" and authentication attempts for valid-user will fail otherwise.
  AuthzLDAPAuthoritative off

  # Note: We are only looking for users that belong to a certain OU of yadda1
  AuthLDAPURL "ldap://servername.domain:389/OU=yadda1,OU=yadda,DC=domain,DC=organization,DC=gov?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN "CN=AD Query Account,OU=Service Accounts,OU=dept,DC=domain,DC=organization,DC=gov"
  AuthLDAPBindPassword bind_password

  # If AuthzLDAPAuthoritative was set to 'on', then you can list required users in the following directive
  #Require user "me" "someotheruser"

  # Grants access to any user that has successfully authenticated during the search/bind phase
  Require valid-user

  # Allows the request if any requirement is met (authentication OR access), can use 'all' to force both requirements
  Satisfy any

  # Authorization: Path-based access control; authenticated users can access paths for read/write specified in this file.
  AuthzSVNAccessFile "C:\svn_passwd\svn-auth.authz"

  SVNAutoversioning on
</Location>

# Enable Subversion logging
CustomLog logs/subversion.log combined

</VirtualHost>


Leo
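An added review helper for a block like the one above (example code, not from the original post or the httpd project): it walks the directives of an httpd 2.2 SSL + mod_authnz_ldap section and reports the points a reviewer would raise (cleartext ldap:// bind, plaintext bind password, no SSLProtocol, Satisfy any without Deny from all). The directive names are real httpd 2.2 ones; the sample config is constructed here with placeholder values.

```python
# Constructed sample, modelled on the posted subversion.conf (placeholder values).
SAMPLE_CONF = """
<VirtualHost *:8443>
SSLEngine On
<Location /svn>
  Order deny,allow
  Deny from All
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://servername.domain:389/OU=yadda1,DC=domain,DC=gov?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindPassword bind_password
  Require valid-user
  Satisfy any
</Location>
</VirtualHost>
"""

def parse_directives(text):
    """Yield (name, args) per directive; comments, blank lines and <section> tags are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, args = line.partition(" ")
        yield name.lower(), args.strip().strip('"')

def review(text):
    """Return hardening findings for an httpd 2.2 SSL + mod_authnz_ldap block."""
    directives = list(parse_directives(text))
    names = {n for n, _ in directives}
    args = {n: a for n, a in directives}  # last occurrence wins; enough for this check
    findings = []
    if args.get("sslengine", "").lower() != "on":
        findings.append("SSLEngine is not On: Basic credentials would cross the wire in cleartext")
    if "sslprotocol" not in names:
        findings.append("no SSLProtocol: 2.2 defaults still allow SSLv3; set 'SSLProtocol all -SSLv2 -SSLv3'")
    if args.get("authldapurl", "").lower().startswith("ldap://"):
        findings.append("AuthLDAPURL is ldap://: the bind carrying the user's password is unencrypted; "
                        "use ldaps:// or the TLS/STARTTLS connection-type argument")
    if "authldapbindpassword" in names:
        findings.append("AuthLDAPBindPassword is stored in cleartext: restrict the file's ACL "
                        "and use a read-only directory account")
    if args.get("satisfy", "").lower() == "any" and not any(
            n == "deny" and a.lower().startswith("from all") for n, a in directives):
        findings.append("Satisfy any without 'Deny from all': host rules alone would grant access, "
                        "bypassing LDAP authentication")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_CONF):
        print("-", finding)
```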