Posted to users@subversion.apache.org by Daniel F Garcia <dg...@kobold.com.au> on 2004/04/30 04:52:33 UTC

Active Directory authentication for Subversion

I'm trying to set up active directory authentication, but am not having any
luck. This is what I have done so far.

Set up a link from /etc/apache2/mods-available/auth_ldap.load to
/etc/apache2/mods-enabled/auth_ldap.load
Edited /etc/apache2/sites-enabled/svn with the following details

NameVirtualHost svn.kobold.local:80
<VirtualHost svn.kobold.local:80>
        ServerAdmin webmaster@localhost
        <IfModule mod_dav_svn.c>
        <Location / >
          DAV svn
          SVNPath /var/lib/svn
          AuthLDAPAuthoritative on
          AuthType Basic
          AuthName "Subversion Repository"
          LDAP_Server 10.2.2.1
          LDAP_Port 389
          Bind_DN cn=XXXXXXXXX,cn=Users,dc=kobold,dc=local
          Bind_Pass XXXXXXXXX
          Base_DN "OU=Staff,DC=kobold,DC=local"
          Require valid-user
          UID_Attr cn
          #AuthUserFile /etc/apache2/dav_svn.passwd
          SVNIndexXSLT "/Group/Business%20Support/IT/Subversion/svn.xsl"
        </Location>
        </IfModule>
        ErrorLog /var/log/apache2/svnerror.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/svnaccess.log combined
        ServerSignature On
</VirtualHost>


I then did an /etc/init.d/apache2 restart and it complained about the
LDAP_Server line. I double-checked the documentation and LDAP_Server is the
right setting name.

Also, is there a way for read-only access to be available to everyone (i.e.
don't prompt for a password), but commit and other repository modifications
requiring authentication?
 
 
Daniel F Garcia
Project manager

Mobile: 0438 670 947
Phone: 07 5461 1120
Email: dgarcia@kobold.com.au
Address: 4 Lloyd George Street, Eastern Heights QLD 4305


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Active Directory authentication for Subversion

Posted by Chris Jensen <cj...@edex.com.au>.
Daniel F Garcia wrote:
 > I'm trying to set up active directory authentication, but am not having any
 > luck. This is what I have done so far.

I never had any luck with LDAP against Active Directory either.
I ended up going with mod_auth_external, had it talk to PAM which in 
turn uses Samba to auth against Active Directory - works fine, and was 
much easier to set up than LDAP.

-- 
---------------------------------------------------------------------
Chris Jensen cjensen@edex.com.au

Educational Experience (Australia)
Postal Address: PO Box 860, Newcastle NSW 2300
Freecall:       1-800-025 270      International: +61-2-4923 8222
Fax:            (02) 4942 1991     International: +61-2-4942 1991

Visit our online Toy store! http://www.toysandmore.com.au/
---------------------------------------------------------------------


Re: Active Directory authentication for Subversion

Posted by Dominic Anello <da...@danky.com>.
On 2004-05-01 14:30:17 +1000, Daniel F Garcia wrote:
> Thank you, thank you this worked really well. Also I replaced your
> LimitExcept block with
> 
>     <LimitExcept GET>
>         Require valid-user
>     </LimitExcept>
> 
> And now web browsing doesn't require authentication, but everything else
> does.
----8<----

Glad it worked.  <LimitExcept MERGE> is required if you have something
like this in your AuthzSVN config file:
-------------------------
[/]
fred = r

[/foo]
fred = rw

[/bar]
fred = rw
-------------------------

Then if user fred tries to do something like:
$ svn cp http://server/svn/foo/baz http://server/svn/bar/baz -m "test"

He will get access denied by authz because svn sends a MERGE to the
common parent of /foo and /bar.  The <LimitExcept> prevents MERGE
requests from being checked.  I don't know if it has any security side
effects, but my repo is on an intranet anyway, so I'm not too concerned
about users hand-crafting malicious MERGE requests.

--
Current soundtrack: 'Kimya Dawson - My Cute Friend Sweet Princess - 6 -
The Beer'
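
Added example (not part of the original message or of mod_authz_svn): a simplified Python model of the access file above, showing why a write check on the common parent of /foo and /bar is denied although fred may write to both. The lookup rule (closest section at or above the path that names the user) and all function names are assumptions of this sketch; groups and the * wildcard are left out.

```python
# Simplified model of Subversion path-based authorization (illustration only):
# a path is governed by the closest section at or above it that names the user.
import posixpath

# The access file quoted in the message above.
ACCESS_FILE = """\
[/]
fred = r
[/foo]
fred = rw
[/bar]
fred = rw
"""

def parse_access(text):
    """Return {section_path: {user: rights}} from the INI-style access file."""
    rules, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            rules.setdefault(section, {})
        elif section and "=" in line and not line.startswith("#"):
            user, rights = (part.strip() for part in line.split("=", 1))
            rules[section][user] = rights
    return rules

def rights_for(rules, user, path):
    """Walk from path up to / and return the first rights found for user."""
    path = posixpath.normpath(path)
    while True:
        if user in rules.get(path, {}):
            return rules[path][user]
        if path == "/":
            return ""  # no section names the user: no access
        path = posixpath.dirname(path)

def can_write(rules, user, path):
    return "w" in rights_for(rules, user, path)

def merge_target(src, dst):
    """Common parent of copy source and destination, where the MERGE is checked."""
    return posixpath.commonpath([src, dst])

RULES = parse_access(ACCESS_FILE)
for checked in ("/foo/baz", "/bar/baz", merge_target("/foo/baz", "/bar/baz")):
    print(checked, "write allowed:", can_write(RULES, "fred", checked))
```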


RE: Active Directory authentication for Subversion

Posted by Daniel F Garcia <dg...@kobold.com.au>.
Thank you, thank you this worked really well. Also I replaced your
LimitExcept block with

    <LimitExcept GET>
        Require valid-user
    </LimitExcept>

And now web browsing doesn't require authentication, but everything else
does.

Daniel.

-----Original Message-----
From: Dominic Anello [mailto:danello@danky.com] 
Sent: Saturday, 1 May 2004 1:53 PM
To: users@subversion.tigris.org
Subject: Re: Active Directory authentication for Subversion

On 2004-04-30 14:52:33 +1000, Daniel F Garcia wrote:
> I'm trying to set up active directory authentication, but am not having 
> any luck. This is what I have done so far.
----8<--- 

Hi - just implemented this.  Assuming you have mod_auth_ldap installed the
following should work:

<Location /ec-svn>
    DAV svn
    SVNPath "/usr/local/svn/ec-svn/repo"
    AuthzSVNAccessFile "/usr/local/svn/ec-svn/auth/access.ini"

    AuthLDAPURL ldap://hoth/CN=Users,DC=isolution,DC=idx,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN "ISOLUTION\danello"
    AuthLDAPBindPassword XXXXXXXX
    AuthType Basic
    AuthName "eCommerce SVN repository"

    <LimitExcept MERGE>
        Require valid-user
    </LimitExcept>
</Location>

Where hoth is the AD server, ISOLUTION is the Windows domain and idx.com is
the internet domain.

I'm not an LDAP guru, I just Googled for LDAP Apache Active Directory and
adopted the info found at the page below for my own use.
http://www.wlug.org.nz/ActiveDirectoryAuthenticationNotes

Good luck!

--
Current soundtrack: 'Kinnie Star - Tidy - 02 - Ophelia'
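
Added example (not from the thread): a Python check of which Subversion DAV methods each of the two <LimitExcept> variants posted here leaves without a Require at the Apache level. The read/write method classification and the function names are this example's own.

```python
# Which Subversion DAV methods does a <LimitExcept> block leave without a
# Require? The method lists below are this example's own classification.
import re

READ_METHODS = {"OPTIONS", "GET", "PROPFIND", "REPORT"}
WRITE_METHODS = {"MKACTIVITY", "CHECKOUT", "PUT", "PROPPATCH", "DELETE",
                 "COPY", "MKCOL", "MERGE", "LOCK", "UNLOCK"}

# The two <LimitExcept> variants posted in this thread.
MERGE_VARIANT = "<LimitExcept MERGE>\n    Require valid-user\n</LimitExcept>\n"
GET_VARIANT = "<LimitExcept GET>\n    Require valid-user\n</LimitExcept>\n"

BLOCK = re.compile(r"<LimitExcept\s+([^>]+)>(.*?)</LimitExcept>", re.I | re.S)
REQUIRE = re.compile(r"^\s*Require\s+\S", re.I | re.M)

def unprotected_methods(config):
    """Methods that no Require in the given config fragment applies to."""
    if REQUIRE.search(BLOCK.sub("", config)):
        return set()  # a Require outside any <LimitExcept> covers every method
    exempt = None
    for methods, body in BLOCK.findall(config):
        if REQUIRE.search(body):
            listed = {m.upper() for m in methods.split()}
            # a method stays open only if every such block lists it
            exempt = listed if exempt is None else exempt & listed
    if exempt is None:  # no Require anywhere: nothing is protected
        return READ_METHODS | WRITE_METHODS
    return exempt & (READ_METHODS | WRITE_METHODS)

def audit(config):
    """Split the unprotected methods into read-only and repository-modifying."""
    open_methods = unprotected_methods(config)
    return {"read": sorted(open_methods & READ_METHODS),
            "write": sorted(open_methods & WRITE_METHODS)}

for name, cfg in (("LimitExcept MERGE", MERGE_VARIANT), ("LimitExcept GET", GET_VARIANT)):
    print(name, audit(cfg))
```

For the MERGE variant the only method left without a Require is MERGE itself, which modifies the repository; for the GET variant it is GET only.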



Re: Active Directory authentication for Subversion

Posted by Dominic Anello <da...@danky.com>.
On 2004-04-30 14:52:33 +1000, Daniel F Garcia wrote:
> I'm trying to set up active directory authentication, but am not having any
> luck. This is what I have done so far.
----8<--- 

Hi - just implemented this.  Assuming you have mod_auth_ldap installed
the following should work:

<Location /ec-svn>
    DAV svn
    SVNPath "/usr/local/svn/ec-svn/repo"
    AuthzSVNAccessFile "/usr/local/svn/ec-svn/auth/access.ini"

    AuthLDAPURL ldap://hoth/CN=Users,DC=isolution,DC=idx,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN "ISOLUTION\danello"
    AuthLDAPBindPassword XXXXXXXX
    AuthType Basic
    AuthName "eCommerce SVN repository"

    <LimitExcept MERGE>
        Require valid-user
    </LimitExcept>
</Location>

Where hoth is the AD server, ISOLUTION is the Windows domain and idx.com
is the internet domain.

I'm not an LDAP guru, I just Googled for LDAP Apache Active Directory
and adopted the info found at the page below for my own use.
http://www.wlug.org.nz/ActiveDirectoryAuthenticationNotes

Good luck!

-- 
Current soundtrack: 'Kinnie Star - Tidy - 02 - Ophelia'