Subversion and LDAP

When I started here, we had 12 SVN repositories (and a valid reason for having all 12). Maintaining the user database was really not doable given that setup as each repository had a distinct user database. I had two goals coming into this – make the management of the user database easier, and make new user setup doable by someone without Linux know-how. To do that I decided to tie things into the AD and make use of that for authentication as well as user setup. Here’s a brief overview of how I made it happen. This assumes a CentOS install but should be easily modified for Debian or other platforms.

  1. Create a connector account in your AD that will be used to query username/password. I granted mine admin rights but you’re probably alright without them, it just needs to query.
  2. Create a user group in the AD that will act as a container for authenticated users and the users than require SVN access into that group
  3. Install Apache, PHP, and the mod_dav and mod_dav_svn modules.
  4. Create your SVN repository (svnadmin create /foo/bar/repo)
  5. On CentOS you should get a subversion.conf file that is already generated for you (not sure on Debian and its ilk) that you’ll need to edit. Here’s a template to use. This assumes your domain name is example.com, the group name you create is “svn,” the connector account is called “SVN CONNECTOR”:
  6. LoadModule dav_svn_module     modules/mod_dav_svn.so
    LoadModule authz_svn_module   modules/mod_authz_svn.so
    
    <VirtualHost *:80>
            DocumentRoot /var/www/html/virtualhosts/svn
            ServerName svn.example.com
            ServerAlias svn
            ErrorLog logs/svn.example.com-error_log
            CustomLog logs/svn.example.com-access_log common
            <Location /repository>
                    DAV svn
                    SVNPath /srv/svn/repository
                    AuthBasicProvider ldap
                    AuthType Basic
                    AuthzLDAPAuthoritative off
                    AuthName "This is your SVN Repository"
                    AuthLDAPURL "ldap://DC.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(&(&(objectClass=user)(objectCategory=person))(memberof=CN=svn,DC=example,DC=com))"
                    AuthLDAPBindDN "CN=SVN CONNECTOR,DC=example,DC=com"
                    AuthLDAPBindPassword "your connector password"
                    Require valid-user
                    Require ldap-group "CN=svn,DC=example,DC=com"
            </Location>

  7. That’s it. Bounce Apache and then test your access to the repository using your domain credentials

Hey look at that…a post

Wow, the last time I posted anything was in June of last year.
I’ve pretty much dropped LJ at this point. I check in every so often as time permits, but time doesn’t permit much these days. I went ahead and liberated all of my entries from LJ and shifted them over to my personal blog so I suspect if I ever decide to start posting again it’s probably going to be over there.

Instead of content though, I’ll offer up a bit of geekery for you. If you use the built in LJ importer in WordPress it seems to pick and choose what gets set as private or password-protected and what gets set as public. This is of course problematic if you’re like me and keep most of what you post set to friends-only. Once you import your data, connect to your database and run the following query:

UPDATE `main_posts` SET `post_status`='private'

That’s it – you’ll mass set all posts to private and you’ll have luxury of time to go through the old entries and decide what you wish to make public and what you wish to keep private.

Copyright © All Rights Reserved · Green Hope Theme by Sivan & schiy · Proudly powered by WordPress