Subversion and LDAP
When I started here, we had 12 SVN repositories (and a valid reason for having all 12). Maintaining the user database was really not doable given that setup as each repository had a distinct user database. I had two goals coming into this – make the management of the user database easier, and make new user setup doable by someone without Linux know-how. To do that I decided to tie things into the AD and make use of that for authentication as well as user setup. Here’s a brief overview of how I made it happen. This assumes a CentOS install but should be easily modified for Debian or other platforms.
- Create a connector account in your AD that will be used to query username/password. I granted mine admin rights but you’re probably alright without them; it just needs to query.
- Create a user group in the AD that will act as a container for authenticated users, and put the users that require SVN access into that group.
- Install Apache, PHP, and the mod_dav and mod_dav_svn modules.
- Create your SVN repository (svnadmin create /foo/bar/repo)
- On CentOS you should get a subversion.conf file that is already generated for you (not sure on Debian and its ilk) that you’ll need to edit. Here’s a template to use. This assumes your domain name is example.com, the group name you create is “svn,” the connector account is called “SVN CONNECTOR”:
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so

    <VirtualHost *:80>
        DocumentRoot /var/www/html/virtualhosts/svn
        ServerName svn.example.com
        ServerAlias svn
        ErrorLog logs/svn.example.com-error_log
        CustomLog logs/svn.example.com-access_log common

        <Location /repository>
            DAV svn
            SVNPath /srv/svn/repository
            AuthBasicProvider ldap
            AuthType Basic
            AuthzLDAPAuthoritative off
            AuthName "This is your SVN Repository"
            # Search the AD global catalog (port 3268) by sAMAccountName; the
            # filter only matches person accounts that are members of the svn group.
            AuthLDAPURL "ldap://DC.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(&(&(objectClass=user)(objectCategory=person))(memberof=CN=svn,DC=example,DC=com))"
            # Connector account used to run the search
            AuthLDAPBindDN "CN=SVN CONNECTOR,DC=example,DC=com"
            AuthLDAPBindPassword "your connector password"
            Require valid-user
            Require ldap-group "CN=svn,DC=example,DC=com"
        </Location>
    </VirtualHost>

- That’s it. Bounce Apache and then test your access to the repository using your domain credentials.
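The template above sends Basic credentials over plain HTTP and binds to the directory with ldap://, so passwords cross the network unencrypted on both hops. A variant with TLS on both sides, as an added example that is not the original author's configuration: it assumes mod_ssl is installed, the domain controller offers LDAPS on the global catalog port 3269, and the certificate, key and CA paths are placeholders.

```apache
# Added example, not part of the original post. All file paths are placeholders.
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

# Server-level mod_ldap settings: CA that signed the domain controller's
# LDAPS certificate, and refuse to bind if that certificate does not verify.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/example-ad-ca.pem
LDAPVerifyServerCert On

# Port 80 only redirects, so Basic credentials are never accepted in clear text.
<VirtualHost *:80>
    ServerName svn.example.com
    Redirect permanent / https://svn.example.com/
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/html/virtualhosts/svn
    ServerName svn.example.com
    ErrorLog logs/svn.example.com-error_log
    CustomLog logs/svn.example.com-access_log common

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/svn.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/svn.example.com.key

    <Location /repository>
        DAV svn
        SVNPath /srv/svn/repository
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthName "This is your SVN Repository"
        # ldaps:// on 3269 is the global catalog over TLS (3268 is the clear-text port).
        AuthLDAPURL "ldaps://DC.example.com:3269/DC=example,DC=com?sAMAccountName?sub?(&(&(objectClass=user)(objectCategory=person))(memberof=CN=svn,DC=example,DC=com))"
        AuthLDAPBindDN "CN=SVN CONNECTOR,DC=example,DC=com"
        AuthLDAPBindPassword "your connector password"
        # "Require valid-user" is dropped: multiple Require lines are OR'ed, so it
        # would admit any authenticated user and make the group check redundant.
        Require ldap-group "CN=svn,DC=example,DC=com"
    </Location>
</VirtualHost>
```

Because the file contains the connector password, keep it readable by root only.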
Hey look at that…a post
Wow, the last time I posted anything was in June of last year.
I’ve pretty much dropped LJ at this point. I check in every so often as time permits, but time doesn’t permit much these days. I went ahead and liberated all of my entries from LJ and shifted them over to my personal blog so I suspect if I ever decide to start posting again it’s probably going to be over there.
Instead of content though, I’ll offer up a bit of geekery for you. If you use the built-in LJ importer in WordPress, it seems to pick and choose what gets set as private or password-protected and what gets set as public. This is of course problematic if you’re like me and keep most of what you post set to friends-only. Once you import your data, connect to your database and run the following query:
UPDATE `main_posts` SET `post_status`='private'
That’s it – you’ll mass set all posts to private and you’ll have the luxury of time to go through the old entries and decide what you wish to make public and what you wish to keep private.