Subversion and LDAP

When I started here, we had 12 SVN repositories (and a valid reason for having all 12). Maintaining the user database was really not doable given that setup as each repository had a distinct user database. I had two goals coming into this – make the management of the user database easier, and make new user setup doable by someone without Linux know-how. To do that I decided to tie things into the AD and make use of that for authentication as well as user setup. Here’s a brief overview of how I made it happen. This assumes a CentOS install but should be easily modified for Debian or other platforms.

  1. Create a connector account in your AD that will be used to query username/password. I granted mine admin rights but you’re probably alright without them; it just needs to query.
  2. Create a user group in the AD that will act as a container for authenticated users, and add the users that require SVN access to that group.
  3. Install Apache, PHP, and the mod_dav and mod_dav_svn modules.
  4. Create your SVN repository (svnadmin create /foo/bar/repo)
  5. On CentOS you should get a subversion.conf file that is already generated for you (not sure on Debian and its ilk) that you’ll need to edit. Here’s a template to use. This assumes your domain name is example.com, the group name you create is “svn,” and the connector account is called “SVN CONNECTOR”:

    LoadModule dav_svn_module     modules/mod_dav_svn.so
    LoadModule authz_svn_module   modules/mod_authz_svn.so
    
    # Note: port 80 plus ldap:// means the Basic credentials and the LDAP bind
    # both travel unencrypted.
    <VirtualHost *:80>
            DocumentRoot /var/www/html/virtualhosts/svn
            ServerName svn.example.com
            ServerAlias svn
            ErrorLog logs/svn.example.com-error_log
            CustomLog logs/svn.example.com-access_log common
            <Location /repository>
                    DAV svn
                    SVNPath /srv/svn/repository
                    AuthBasicProvider ldap
                    AuthType Basic
                    # Apache 2.2 directive; it was removed in Apache 2.4.
                    AuthzLDAPAuthoritative off
                    AuthName "This is your SVN Repository"
                    # Port 3268 is the Active Directory global catalog. The memberof
                    # filter already limits logins to members of the svn group.
                    AuthLDAPURL "ldap://DC.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(&(&(objectClass=user)(objectCategory=person))(memberof=CN=svn,DC=example,DC=com))"
                    # Connector account used for the search bind. Its password is
                    # stored in this file, so restrict who can read the file.
                    AuthLDAPBindDN "CN=SVN CONNECTOR,DC=example,DC=com"
                    AuthLDAPBindPassword "your connector password"
                    Require valid-user
                    Require ldap-group "CN=svn,DC=example,DC=com"
            </Location>
    </VirtualHost>

  6. That’s it. Bounce Apache and then test your access to the repository using your domain credentials.
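
Before exposing the repository, it is worth checking how the credentials in this setup travel and where the connector password is stored. The following is an added example, not part of the original post: a small lint for a conf file like the template above. The function name `audit_svn_ldap_conf`, the helper `sample_conf` and the finding labels are hypothetical, and the sample input is constructed from the template's own lines.

```shell
#!/bin/sh
# Added example (not from the original post): lint an Apache conf that uses
# mod_authnz_ldap for cleartext transport and an exposed bind password.
# File-level heuristics only; a global LDAPTrustedMode is not considered.
audit_svn_ldap_conf() {
    a_conf=$1; a_findings=0
    a_url=$(grep -Ei '^[[:space:]]*AuthLDAPURL[[:space:]]' "$a_conf" || true)
    # ldap:// without a trailing SSL/TLS/STARTTLS mode is an unencrypted bind.
    if printf '%s\n' "$a_url" | grep -iq 'ldap://' &&
       ! printf '%s\n' "$a_url" | grep -Eiq '[[:space:]](SSL|TLS|STARTTLS)[[:space:]]*$'; then
        echo "PLAINTEXT_LDAP: connector and user passwords cross the network unencrypted"
        a_findings=$((a_findings + 1))
    fi
    # Basic auth is only base64; without TLS on the vhost it is readable in transit.
    if grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$a_conf" &&
       ! grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$a_conf"; then
        echo "BASIC_OVER_HTTP: domain credentials are sent base64-encoded over HTTP"
        a_findings=$((a_findings + 1))
    fi
    # The connector password sits in the conf; flag it when others can read the file.
    if grep -Eiq '^[[:space:]]*AuthLDAPBindPassword[[:space:]]' "$a_conf" &&
       [ -n "$(find "$a_conf" -perm -004)" ]; then
        echo "BIND_PASSWORD_READABLE: conf with AuthLDAPBindPassword is world-readable"
        a_findings=$((a_findings + 1))
    fi
    [ "$a_findings" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# Constructed sample: the transport-relevant lines of the template in this post.
sample_conf() { cat <<'EOF'
<VirtualHost *:80>
    <Location /repository>
        AuthBasicProvider ldap
        AuthType Basic
        AuthLDAPURL "ldap://DC.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(&(&(objectClass=user)(objectCategory=person))(memberof=CN=svn,DC=example,DC=com))"
        AuthLDAPBindDN "CN=SVN CONNECTOR,DC=example,DC=com"
        AuthLDAPBindPassword "your connector password"
    </Location>
</VirtualHost>
EOF
}

tmp=$(mktemp); sample_conf > "$tmp"; chmod 644 "$tmp"
audit_svn_ldap_conf "$tmp" || echo "-> address the findings above before exposing the repository"
rm -f "$tmp"
```

On Active Directory the global catalog answers LDAPS on port 3269, so switching the URL to `ldaps://` also means changing the port from 3268.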
