Thursday, 16 April 2009

Configuring subversion + apache2 + ldap

In this post I describe how to set up authentication for Subversion repositories served through mod_dav_svn, with users and groups kept in LDAP. I assume the repository has already been created on disk at /svn/repos/repo_virtual.

We need the following LDAP entries (the group entry lists its members' full DNs in its member attribute, which is what the group check below compares against):

dc=example,dc=com
ou=Groups,dc=example,dc=com
cn=group_svn_repo,ou=Groups,dc=example,dc=com
ou=Users,dc=example,dc=com
cn=user1,ou=Users,dc=example,dc=com
cn=user2,ou=Users,dc=example,dc=com


Normally the structure above is all Apache needs. In short, Apache first authenticates the user against the Users subtree (it binds with the service account, searches for the user's cn, then binds as the DN it found with the password the client supplied) and afterwards checks that the authenticated user belongs to the specified group. The repository is served from its own virtual host (the most common setup); the DAV and Auth* directives below belong inside the <Location> block that maps the repository's URL path.

ServerName svn1.example.com
ServerAdmin rcosnita@example.com
ErrorLog /var/log/apache2/error_svn.log
CustomLog /var/log/apache2/access_svn.log combined


DAV svn
SVNPath /svn/repos/repo_virtual/
# SVNListParentPath only has an effect together with SVNParentPath; it is not needed for a single SVNPath repository

AuthBasicProvider ldap

AuthType Basic
AuthName "Example server"
AuthzLDAPAuthoritative off

AuthLDAPURL ldap://svn1.example.com:389/ou=Users,dc=example,dc=com?cn?sub
AuthLDAPBindDN cn=root,dc=example,dc=com
AuthLDAPBindPassword parolamea

AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on

Require group cn=group_svn_repo,ou=Groups,dc=example,dc=com


This should do the trick. Once the vhost is configured, make sure mod_ldap and mod_authnz_ldap are loaded (AuthBasicProvider ldap depends on both) and restart the Apache web server.

It is important to keep in mind that mod_ldap caches LDAP results: the user lookup (together with a hash of the password that authenticated successfully) and the outcome of the group compare, each for 600 seconds by default (LDAPCacheTTL and LDAPOpCacheTTL). This means that a user you add to or remove from the group is not "seen" by Apache until the cached entry expires or Apache is restarted, and that a user removed from the directory can keep authenticating from the cache for the rest of the TTL. Lower the TTLs if changes need to take effect sooner.

I don't really know why the solution from this post didn't work with Apache + OpenLDAP. So if you use OpenLDAP you have to cheat a little: add an attribute to every user entry in the existing LDAP schema that names the user's group. In my case I used labeledURI. After adding that attribute, I modified the vhost so that

"Require group cn=group_svn_repo,ou=Groups,dc=example,dc=com"
is replaced by
"Require ldap-attribute labeledURI=cn=group_svn_repo,ou=Groups,dc=example,dc=com".


After this, everything worked just fine.
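Putting the pieces above together, here is the complete vhost as I would write it today. It is an added example, not the configuration from the original post. It assumes the repository is published under the URL path /svn, that the LDAP server also speaks LDAPS on port 636, a dedicated read-only bind account cn=svn-reader, and the certificate paths shown; all of those are assumptions, not values from the post. Two things differ from the post on purpose. First, Require group is the mod_authz_groupfile directive (it reads an AuthGroupFile); the mod_authnz_ldap directive that checks LDAP group membership is Require ldap-group, which is the most likely reason the group check failed against OpenLDAP. Second, Basic authentication sends the user's password with every request and the bind password crosses the wire on every LDAP bind, so both legs are wrapped in TLS. The mod_ldap cache TTLs are shortened so that group changes and revoked users take effect within about a minute instead of ten.

```apache
# Added example (not the original post's configuration). Assumptions:
#   - repository on disk at /svn/repos/repo_virtual, served under the URL path /svn
#   - LDAP server svn1.example.com offers LDAPS on port 636
#   - a read-only service account cn=svn-reader (do not bind as the directory admin)
#   - certificate/key/CA paths as shown
# Requires mod_dav, mod_dav_svn, mod_ldap and mod_authnz_ldap (a2enmod on Debian).

# mod_ldap cache, server-wide context. Both TTLs default to 600 seconds; a
# shorter TTL means revoked users and group changes are picked up sooner, at
# the cost of more LDAP traffic.
LDAPCacheTTL   60
LDAPOpCacheTTL 60

# Verify the LDAP server certificate instead of trusting any responder.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/example-ca.pem
LDAPVerifyServerCert On

<VirtualHost *:443>
    ServerName  svn1.example.com
    ServerAdmin rcosnita@example.com
    ErrorLog    /var/log/apache2/error_svn.log
    CustomLog   /var/log/apache2/access_svn.log combined

    # Basic auth carries the password on every request: TLS only, no port 80 vhost.
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/svn1.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/svn1.example.com.key

    <Location /svn>
        DAV svn
        SVNPath /svn/repos/repo_virtual

        AuthType          Basic
        AuthName          "Example server"
        AuthBasicProvider ldap

        # Phase 1, authentication: bind as the service account, find the user
        # by cn below ou=Users, then bind as the DN found with the client's
        # password. The service account only needs read access to ou=Users
        # and ou=Groups; keep this file readable by root only.
        AuthLDAPURL          "ldaps://svn1.example.com:636/ou=Users,dc=example,dc=com?cn?sub"
        AuthLDAPBindDN       "cn=svn-reader,ou=Users,dc=example,dc=com"
        AuthLDAPBindPassword "change-me"

        # Phase 2, authorisation: the group's member attribute holds full DNs,
        # so the authenticated user's DN is compared against it.
        AuthLDAPGroupAttribute     member
        AuthLDAPGroupAttributeIsDN on
        # Apache 2.2: deny if the LDAP check fails instead of falling through
        # to other authz modules. The directive no longer exists in 2.4.
        AuthzLDAPAuthoritative     on

        # "Require group" is mod_authz_groupfile and needs an AuthGroupFile.
        # LDAP group membership is checked with "Require ldap-group".
        Require ldap-group cn=group_svn_repo,ou=Groups,dc=example,dc=com
    </Location>
</VirtualHost>
```

Run apachectl configtest before restarting. The labeledURI workaround still works with this vhost (swap the Require line), but note what it does: it stores the authorisation decision in the user's own entry. If the OpenLDAP ACL gives users write access to their own entry (the common "by self write" rule), a user can add the attribute and grant themselves access to the repository, so either restrict that attribute in the ACL or prefer the group compare, where only whoever can edit the group entry controls membership.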
