Subversion and LDAP
When I started here, we had 12 SVN repositories (and a valid reason for having all 12). Maintaining the user database was really not doable given that setup as each repository had a distinct user database. I had two goals coming into this – make the management of the user database easier, and make new user setup doable by someone without Linux know-how. To do that I decided to tie things into the AD and make use of that for authentication as well as user setup. Here’s a brief overview of how I made it happen. This assumes a CentOS install but should be easily modified for Debian or other platforms.
- Create a connector account in your AD that will be used to query username/password. I granted mine admin rights, but you’re probably all right without them; it just needs to query.
- Create a user group in the AD that will act as a container for authenticated users, and add the users that require SVN access to that group.
- Install Apache, PHP, and the mod_dav and mod_dav_svn modules.
- Create your SVN repository (svnadmin create /foo/bar/repo)
- On CentOS you should get a subversion.conf file that is already generated for you (not sure on Debian and its ilk) that you’ll need to edit. Here’s a template to use. This assumes your domain name is example.com, the group name you create is “svn,” the connector account is called “SVN CONNECTOR”:
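```apache
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

<VirtualHost *:80>
    DocumentRoot /var/www/html/virtualhosts/svn
    ServerName svn.example.com
    ServerAlias svn
    ErrorLog logs/svn.example.com-error_log
    CustomLog logs/svn.example.com-access_log common

    <Location /repository>
        DAV svn
        SVNPath /srv/svn/repository

        # Basic auth on a port-80 vhost sends the domain password base64-encoded, not encrypted.
        AuthBasicProvider ldap
        AuthType Basic
        AuthzLDAPAuthoritative off
        AuthName "This is your SVN Repository"
        # ldap:// is also unencrypted, so the connector bind below crosses the network in clear text.
        AuthLDAPURL "ldap://DC.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(&(&(objectClass=user)(objectCategory=person))(memberof=CN=svn,DC=example,DC=com))"
        AuthLDAPBindDN "CN=SVN CONNECTOR,DC=example,DC=com"
        # The connector password is stored in this file as plain text.
        AuthLDAPBindPassword "your connector password"
        # Multiple Require lines are alternatives: valid-user alone admits any account that
        # authenticates. The memberof clause in AuthLDAPURL is what limits logins to the svn group.
        Require valid-user
        Require ldap-group "CN=svn,DC=example,DC=com"
    </Location>
</VirtualHost>
```
- That’s it. Bounce Apache and then test your access to the repository using your domain credentials.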
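To check the connector account and the group filter outside Apache, the lookup can be rebuilt from the AuthLDAPURL in the template. This is an added example, not part of the original post: the function names are hypothetical, the filter composition `(&(filter)(attribute=username))` follows the mod_authnz_ldap documentation, and the login `jdoe` is made up.

```python
import re
import shlex

# Defaults mod_authnz_ldap documents for omitted AuthLDAPURL parts.
DEFAULTS = {"attribute": "uid", "scope": "sub", "filter": "(objectClass=*)"}

def parse_authldapurl(url):
    """Split ldap://host:port/basedn?attribute?scope?filter into its parts."""
    m = re.match(r"(ldaps?)://([^/:]+)(?::(\d+))?/([^?]*)\??(.*)$", url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL")
    scheme, host, port, base, rest = m.groups()
    fields = (rest.split("?", 2) + ["", "", ""])[:3]
    parts = {"scheme": scheme, "host": host, "base": base,
             "port": int(port) if port else (636 if scheme == "ldaps" else 389)}
    for key, value in zip(("attribute", "scope", "filter"), fields):
        parts[key] = value or DEFAULTS[key]
    return parts

def escape_value(value):
    """RFC 4515 escaping, so a login name cannot change the filter's structure."""
    out = value.replace("\\", "\\5c")  # backslash first, or later escapes get doubled
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        out = out.replace(ch, code)
    return out

def effective_filter(parts, username):
    """Filter sent for one login: (&(filter)(attribute=username))."""
    flt = parts["filter"]
    if not flt.startswith("("):
        flt = f"({flt})"
    return f"(&{flt}({parts['attribute']}={escape_value(username)}))"

def ldapsearch_argv(parts, bind_dn, username):
    """OpenLDAP ldapsearch call repeating the lookup; -W prompts for the password."""
    uri = f"{parts['scheme']}://{parts['host']}:{parts['port']}"
    return ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
            "-b", parts["base"], "-s", parts["scope"],
            effective_filter(parts, username), "1.1"]  # "1.1" = return DNs only

if __name__ == "__main__":
    # URL and bind DN are the template's placeholders; "jdoe" is a constructed login.
    URL = ("ldap://DC.example.com:3268/DC=example,DC=com?sAMAccountName?sub?"
           "(&(&(objectClass=user)(objectCategory=person))"
           "(memberof=CN=svn,DC=example,DC=com))")
    p = parse_authldapurl(URL)
    print(shlex.join(ldapsearch_argv(p, "CN=SVN CONNECTOR,DC=example,DC=com", "jdoe")))
```

A user in the svn group should come back with exactly one entry; a user outside it should come back with none.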