Subversion with Apache and LDAP: Updated

My previous blog entry discussing Subversion, Apache and LDAP is nearing
two years old. It was written when Apache 2.0.x was still mainstream, and
the release of Apache 2.2.x brought changes to the LDAP modules and their
configuration directives that have left that entry very confusing for
anyone using Apache 2.2.x. The purpose of the Definitive Guide is to
provide a single location for questions about Apache 2.0.x and 2.2.x,
while also going into more depth about things to consider when building
your Apache-based Subversion server with LDAP for authentication.

The Configuration

For those of you who just want to get to the point, copy and paste, and
move on, here you go:

Example Apache 2.2.x Configuration Snippet

# Load Apache LDAP modules
# (mod_auth_basic must also be loaded; the stock httpd.conf does this)
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
# Load Subversion Apache Modules
# On Windows use the full path to SUBVERSION_HOME/bin/mod_dav_svn.so and mod_authz_svn.so
# (Apache does not allow a comment on the same line as a directive)
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
# Work around authz and SVNListParentPath issue (requires mod_alias)
RedirectMatch ^(/repos)$ $1/
# Enable Subversion logging
CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION
<Location /repos/>
# Enable Subversion
DAV svn
# Directory containing all repositories for this path
SVNParentPath /subversion/svn-repos
# List the repository collection
SVNListParentPath On
# Enable WebDAV automatic versioning (every authenticated WebDAV write becomes a commit)
SVNAutoversioning On
# Repository Display Name
SVNReposName "Your Subversion Repository"
# Basic authentication sends the password base64-encoded, i.e. in the clear:
# only expose this over HTTPS (see mod_ssl's SSLRequireSSL)
AuthType Basic
# The name of the protected area or "realm"
AuthName "Your Subversion Repository"
# Make LDAP the authentication provider for Basic authentication
AuthBasicProvider ldap
# LDAP authorization decisions are final; do not fall through to other authorization modules
AuthzLDAPAuthoritative on
# Active Directory requires an authenticating DN to access records;
# use a dedicated, read-only service account for this
AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=your,DC=domain"
# Password for the AuthLDAPBindDN user, stored in plain text: restrict read access to this file
AuthLDAPBindPassword ldappassword
# The LDAP query URL (ldap:// is unencrypted; prefer ldaps:// so bind and user passwords are not sent in the clear)
AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
# Require a valid user
Require valid-user
# Path-based authorization file for mod_authz_svn
AuthzSVNAccessFile /subversion/apache2/auth/repos.acl
</Location>

Example Apache 2.0.x Configuration Snippet

# Load Apache LDAP modules (Apache 2.0.x uses mod_auth_ldap, not mod_authnz_ldap)
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
# Load Subversion Apache Modules
# On Windows use the full path to SUBVERSION_HOME/bin/mod_dav_svn.so and mod_authz_svn.so
# (Apache does not allow a comment on the same line as a directive)
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
# Work around authz and SVNListParentPath issue (requires mod_alias)
RedirectMatch ^(/repos)$ $1/
# Enable Subversion logging
CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION
<Location /repos/>
# Enable Subversion
DAV svn
# Directory containing all repositories for this path
SVNParentPath /subversion/svn-repos
# List the repository collection
SVNListParentPath On
# Enable WebDAV automatic versioning (every authenticated WebDAV write becomes a commit)
SVNAutoversioning On
# Repository Display Name
SVNReposName "Your Subversion Repository"
# LDAP authentication is final; do not fall through to other authentication modules
AuthLDAPAuthoritative on
# Basic authentication sends the password base64-encoded, i.e. in the clear:
# only expose this over HTTPS (see mod_ssl's SSLRequireSSL)
AuthType Basic
# The name of the protected area or "realm"
AuthName "Your Subversion Repository"
# Active Directory requires an authenticating DN to access records;
# use a dedicated, read-only service account for this
AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=your,DC=domain"
# Password for the AuthLDAPBindDN user, stored in plain text: restrict read access to this file
AuthLDAPBindPassword ldappassword
# The LDAP query URL (ldap:// is unencrypted; prefer ldaps:// so bind and user passwords are not sent in the clear)
AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
# Require authentication
Require valid-user
# Path-based authorization file for mod_authz_svn
AuthzSVNAccessFile /subversion/apache2/auth/repos.acl
</Location>

(The configurations above point at an Active Directory (AD) server; the
CN=Users,DC=... bind DN and the sAMAccountName attribute are AD conventions.)

Understanding the Configuration

So…the above Apache configurations are what I personally use when
building an Apache-based server. Obviously there are changes to be made
depending on the environment, but it is a good starting point. To make
the best of this opportunity, let’s talk through the miscellaneous parts
of the configuration.

SVNListParentPath and Subversion’s authz

One of the first problems people run into when building an Apache-based
Subversion server is having mod_dav_svn serve a list of repositories.
Everything works fine until they enable Subversion’s authorization
(authz) support: the server is configured and secured properly, but when
you go to the repository collection list, which in our case is
http://localhost/repos, you are forbidden to view the collection even
though you have access. The RedirectMatch near the top of the
configuration fixes this. The reason is that, once authz is enabled, the
collection URL must end in a trailing slash (note that the Location
block itself is /repos/, with the slash). The RedirectMatch sends any
request for the bare /repos to /repos/, so the collection listing works
whether or not the client adds the slash. Problem solved.

Custom Subversion Logging

Subversion uses Apache’s WebDAV support to serve its repositories.
Unfortunately, when you look at Apache’s access log to see your
Subversion usage, you find a lot of WebDAV traffic being logged and only
a portion of the actual client/server conversation. This is because
mod_dav_svn uses Apache subrequests, and Apache does not log subrequests.
Even if it did, turning the raw WebDAV requests in the access log into
something meaningful would be nearly impossible. For that reason, the
configuration above uses one of Subversion’s features, Apache logging:
mod_dav_svn sets the SVN-ACTION environment variable to a high-level
description of each operation (a commit, an update, a checkout and so
on), and the CustomLog line writes one line per operation with the
timestamp, the authenticated user and that description, which takes the
guesswork out.
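As an added example (not part of the original post), here is a small Python parser for the svn_logfile produced by that CustomLog line. The sample lines are constructed to match the "%t %u %{SVN-ACTION}e" format; the SVN-ACTION strings (commit, update, checkout-or-export) are illustrative of what mod_dav_svn writes, and the grouping functions (who committed which revision, how many write actions per user) are this example's own audit view, not something the page or Subversion provides:

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the "%t %u %{SVN-ACTION}e" format of the
# CustomLog directive above (not real server output; the SVN-ACTION
# strings are illustrative). One deliberately malformed line is included.
SAMPLE_LOG = """\
[27/Oct/2009:15:31:49 -0400] jdoe checkout-or-export /trunk r41 depth=infinity
[27/Oct/2009:15:40:02 -0400] jdoe commit r42
[27/Oct/2009:15:40:30 -0400] asmith update /trunk r42 depth=infinity
[27/Oct/2009:16:02:11 -0400] asmith commit r43
not a log line at all
[27/Oct/2009:16:05:00 -0400] jdoe commit r44
"""

# [timestamp] user action [args...]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<user>\S+) (?P<action>\S+)(?: (?P<args>.*))?$"
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"  # Apache's %t layout

# Actions that change the repository or its locks: the ones worth auditing
# (assumed action names for this example)
WRITE_ACTIONS = {"commit", "lock", "unlock"}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), TIME_FMT),
        "user": m.group("user"),
        "action": m.group("action"),
        "args": m.group("args") or "",
    }


def parse_log(text):
    """Parse every well-formed line; malformed lines are skipped, not fatal."""
    records = (parse_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def committed_revisions(records):
    """Map revision number -> committing user, taken from 'commit rNNN' actions."""
    revs = {}
    for rec in records:
        if rec["action"] == "commit":
            m = re.match(r"r(\d+)\b", rec["args"])
            if m:
                revs[int(m.group(1))] = rec["user"]
    return revs


def write_actions_by_user(records):
    """Count write actions per user: an audit view of who changed what."""
    return Counter(rec["user"] for rec in records if rec["action"] in WRITE_ACTIONS)


def first_and_last_seen(records, user):
    """Activity window (first, last timestamp) for one user, or None if absent."""
    times = [rec["time"] for rec in records if rec["user"] == user]
    if not times:
        return None
    return min(times), max(times)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rev, user in sorted(committed_revisions(recs).items()):
        print("r%d committed by %s" % (rev, user))
    print(dict(write_actions_by_user(recs)))
```

Because `env=SVN-ACTION` suppresses the line for any request where mod_dav_svn set no action, this file contains one line per Subversion operation and nothing else, which is exactly what makes it useful for after-the-fact review of who changed what, and when.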

Subversion Configuration

The other Subversion-specific parts of the Apache configuration are
pretty self-explanatory. To summarize what is enabled with the above:

  • SVNParentPath: Serves every repository found under the given
    directory from the one URL base, rather than one SVNPath per
    repository
  • SVNListParentPath: Enables browsing the location root to get a list
    of the repositories being served by that URL base
  • SVNAutoversioning: Lets generic WebDAV clients change repository
    contents without a Subversion client; every WebDAV write becomes a
    commit by the authenticated user, so enable it only if you want that
  • SVNReposName: Lets you put your own text in the page title shown in
    the web browser when browsing your repository contents via the
    built-in repository browser provided by mod_dav_svn
  • AuthzSVNAccessFile: Tells Subversion’s mod_authz_svn module where
    to find the authz file that holds the per-path read/write rules.

For more details about the Subversion-specific Apache directives, and
a list of even more ways you can configure your Apache-based Subversion
server, view the mod_dav_svn
and the mod_authz_svn
documentation.

LDAP Configuration

The LDAP portion of the Apache configuration is where most people run
into problems, so we’ll spend a little more time explaining it. The most
important thing to note is the subtle difference in directive names
between Apache 2.0.x and Apache 2.2.x:

Apache 2.0.x (mod_auth_ldap) | Apache 2.2.x (mod_authnz_ldap)
-----------------------------+-------------------------------
AuthLDAPAuthoritative        | AuthzLDAPAuthoritative
AuthLDAPBindDN               | AuthLDAPBindDN
AuthLDAPBindPassword         | AuthLDAPBindPassword
AuthLDAPURL                  | AuthLDAPURL
(none)                       | AuthBasicProvider

You should note that the Apache LDAP module names have also changed:
Apache 2.0.x uses mod_auth_ldap, Apache 2.2.x uses mod_authnz_ldap, and
both rely on mod_ldap. Now that we see the naming changes, let’s talk
about how to properly use these directives to get the LDAP-based
authentication you’re looking for. (I will be using the Apache 2.2.x
names for the directives. If you’re still using Apache 2.0.x, please
refer to the table above to apply this documentation to Apache 2.0.x.)

  • AuthzLDAPAuthoritative: Tells Apache whether a request that
    mod_authnz_ldap could not authorize may be passed on to other
    authorization modules (in 2.0.x, AuthLDAPAuthoritative played the
    same role for authentication)
  • AuthLDAPBindDN: The distinguished name of the account Apache uses to
    connect to the directory and search for the authenticating user.
    Against Active Directory a UPN such as ldapuser@your.domain is also
    accepted here. Make it a dedicated, read-only service account
  • AuthLDAPBindPassword: The password for the account configured via
    AuthLDAPBindDN. It is stored in plain text in the Apache
    configuration, so restrict who can read that file
  • AuthLDAPURL: A URL that says where the directory server is, where to
    look for users, which user attribute holds the login name, and other
    details specific to the LDAP query syntax (more on this later)
  • AuthBasicProvider: Tells Apache which authentication provider to use
    for Basic authentication

All of the directives above are pretty straightforward except for
AuthLDAPURL, which we will discuss in more detail below. For any other
Apache configuration questions, please refer to the
Apache Documentation
for your respective Apache version.

The LDAP Query URL

For most, the AuthLDAPURL directive is the most challenging to
understand, and with good reason: that one directive actually consists
of six or more pieces of information, each of which will differ from one
Subversion server to the next. Let’s break our example AuthLDAPURL into
its pieces and discuss the importance, and nuances, of each.

For simplicity, here is the URL again, in its entirety:
ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)

  • URL scheme: [ldap] Nothing more than a URL scheme. It will be
    either ‘ldap’ or ‘ldaps’; use ‘ldaps’ (LDAP over SSL) wherever you
    can, because with plain ‘ldap’ both the bind password and every
    user’s password travel over the network unencrypted.
  • Hostname: [your.domain] The IP address or hostname of your
    directory server.
  • Port: [389] The port the directory server is listening on (389 for
    ldap and 636 for ldaps by default).
  • Search base: [DC=your,DC=domain] The distinguished name of the point
    in the directory tree below which you want to search for users.
  • Username attribute: [sAMAccountName] The attribute that contains
    the login name being used.
  • Query scope: [sub] How deep to search below the search base: ‘one’
    searches only its immediate children, ‘sub’ the entire subtree.
  • Filter: [(objectClass=*)] An additional LDAP filter the matching
    object must satisfy; Apache ANDs it with the username attribute
    lookup when it searches for the user.

For more details on constructing an LDAP URL, which is a standard and
not specific to Apache, view RFC 2255 (since superseded by RFC 4516).

Working with Active Directory

Active Directory is known as a Multi-Master Directory
System. Each domain controller holds only its own domain’s partition,
so in a multi-domain forest a single server does not always have all
the information needed to answer every directory request. The best way
to handle this is to have Apache query a Global Catalog. A Global
Catalog server can search the whole forest for users. This means if you
want to do domain-wide searches or larger, you need to point to a Global
Catalog and update your Apache configuration accordingly: a Global
Catalog listens on port 3268 (3269 for LDAP over SSL) instead of 389.
Note that the Global Catalog holds only a partial set of each object’s
attributes; sAMAccountName is among them, but not every attribute is.

Searching for Users

In the example URL above, the sAMAccountName attribute is used to
identify the username. This attribute is Windows/Active Directory
specific, so for those of you using OpenLDAP or another directory, that
attribute probably will not exist. Change your attribute accordingly.
For example, if you wanted to log in with the Common Name, you could
specify “CN” as the attribute (on OpenLDAP, “uid” is the usual choice).

LDAP Query Tuning

The last thing we will talk about is using filters to make your LDAP
query a little more specific. In the example URL above we used
“(objectClass=*)”, which matches every object. If you know that you
only want to search for a particular object type, like the “user” type,
you could use “(objectClass=user)” instead. Be aware that in Active
Directory computer accounts are also objectClass=user, so the usual
filter for people is “(&(objectCategory=person)(objectClass=user))”. A
narrower filter also ensures that a login name can only ever match a
user account.
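To make the pieces concrete, here is an added Python example (not from the original post) that splits an AuthLDAPURL into the components listed above and builds the user search Apache issues from it. The defaults it applies when a field is empty (attribute uid, scope sub with base treated as sub, filter (objectClass=*)) and the (&(filter)(attribute=username)) shape of the search follow the mod_authnz_ldap documentation; the RFC 4515 escaping of the username is this example's own, and is what any code that builds a filter from the login name in the Authorization header must do, or a crafted login name becomes LDAP injection. The audit() findings are this example's recommendations:

```python
from urllib.parse import urlsplit, unquote

# The AuthLDAPURL from the configuration above
EXAMPLE_URL = "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"

# Defaults as mod_authnz_ldap applies them when a URL field is empty
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_FILTER = "(objectClass=*)"
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into its RFC 4516 components.

    Returns a dict with scheme, host, port, base_dn, attribute, scope, filter.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("scheme must be ldap or ldaps: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("missing host")
    # After the host: /<base dn>?<attribute>?<scope>?<filter>?<extensions>
    fields = parts.query.split("?") + ["", "", "", ""]
    attribute, scope, filt = (unquote(f) for f in fields[:3])
    scope = scope.lower() or "sub"
    if scope == "base":
        scope = "sub"  # mod_authnz_ldap does not support base scope; it uses sub
    if scope not in ("one", "sub"):
        raise ValueError("unsupported scope: %r" % scope)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or DEFAULT_ATTRIBUTE,
        "scope": scope,
        "filter": filt or DEFAULT_FILTER,
    }


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(parsed, username):
    """The search used to find the user's DN: the URL filter AND-ed with
    attribute=username. The username comes straight from the HTTP
    Authorization header, so it is escaped before being placed in the filter."""
    return "(&%s(%s=%s))" % (
        parsed["filter"], parsed["attribute"], escape_filter_value(username)
    )


def audit(parsed):
    """Configuration weaknesses a reviewer would flag (this example's checks)."""
    findings = []
    if parsed["scheme"] == "ldap":
        findings.append("ldap:// sends the bind password and every user's "
                        "password unencrypted; use ldaps://")
    if parsed["filter"] == DEFAULT_FILTER:
        findings.append("filter (objectClass=*) matches every object under "
                        "the base DN; narrow it to user objects")
    return findings


if __name__ == "__main__":
    parsed = parse_auth_ldap_url(EXAMPLE_URL)
    print(parsed)
    print(user_search_filter(parsed, "jdoe"))
    print(user_search_filter(parsed, "*)(objectClass=*"))  # injection attempt, neutralized
    for finding in audit(parsed):
        print("WARNING:", finding)
```

Run against the page's URL it reports two findings: the unencrypted ldap:// scheme and the catch-all (objectClass=*) filter. The same parser applied to a Global Catalog URL on port 3269 with the (&(objectCategory=person)(objectClass=user)) filter comes back clean, and the injection attempt in the usage shows why the login name must never be spliced into a filter unescaped.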

Conclusion

Building an Apache-based Subversion server with LDAP as the
authentication mechanism can be daunting for some. I hope this
has made things easier for you.

Posted in Subversion
91 comments on “Subversion with Apache and LDAP: Updated”
  1. Troels Arvin says:

    Is there a way to refer to LDAP groups in an AuthzSVNAccessFile? – So that groups don’t have to be defined in an SVN access control list?

  2. Troels,
    It just so happens there is but it requires using a third-party script, ironically written by me: http://www.thoughtspark.org/node/26. Let me know how it works out for you.
    Take care,
    Jeremy

  3. Julie says:

    Thanks for this information! It’s extremely useful.

  4. Aaron,
    Actually, I’ve left restricting groups out for another reason. The problem with your approach is that it is a blanket restriction, meaning you either have access or you don’t based on your group. I have a solution that lets you use LDAP-defined groups in your Subversion authz file which is much, much more granular and flexible. I know for some blanket-level authorization is enough but not for most, which is why I didn’t mention it. I guess if you’re interested in learning about the solution I speak of, feel free to read the following: http://www.thoughtspark.org/node/26
    Take care,
    Jeremy

  5. Fabio Canepa says:

    Does the CollabNet Subversion package for RHEL 5 contain the mod_ldap and mod_authnz_ldap modules?
    Or should I compile these modules from sources?
    Thanks for your guide.

    Fabio

  6. Fabio,
    From my understanding, they are compiled into the httpd binary. They are available.
    Take care,
    Jeremy

  7. Jason Chaffee says:

    Hi Jeremy,
    Is there a way to use an encrypted ldap password? It seems a little unsafe to have the ldap password in plain text.
    regards,
    Jason

  8. Jason,
    Not that I’m aware. While I can somewhat agree, if you think about it, a server should be locked down anyways. That means that only trusted individuals would have access to the filesystem and its contents, like the Apache configuration file. The suggested thing to do in a case like this is to create a “service” account and lock that account down accordingly. Then, even if someone were to maliciously use the credentials, they’d only have access to a very little piece of information.
    Take care,
    Jeremy

  9. Eric Steinberg says:

    I’m having an issue, can’t get the Apache service to start when I use the above (top) config for Apache 2.2. Could this be due to incorrect LDAP settings or is there somewhere else I should be looking? I can’t find any clear info in the event logs. I’m a novice with Apache and LDAP but it would help if I knew where I should be looking. Does anyone know if Apache will start OK even if the LDAP configs are wrong (incorrect server or CN, etc.)?
    When I start Apache 2.2 with a basic httpd.conf it starts up fine:
    <Location /svn>
    DAV svn
    SVNParentPath C:\repositories
    SVNListParentPath On
    Require valid-user
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile C:\repositories\password-file
    </Location>
    Thanks,
    Thanks,

  10. Eric Steinberg says:

    Also, is the AuthzSVNAccessFile required? If so, is it configured using htpasswd? I thought the reason to use LDAP was to get away from an access file?
    Here is the LDAP config that will not allow my Apache 2.2 server to start. I’m wondering if I have AuthLDAPURL configured correctly, as this is all internal on my network so I’m referencing the server name:
    <Location /svn>
    # Enable Subversion
    DAV svn
    # Directory containing all repository for this path
    SVNParentPath C:\repositories
    # List repositories collection
    SVNListParentPath On
    # Enable WebDAV automatic versioning
    SVNAutoversioning On
    # Repository Display Name
    SVNReposName "Subversion Repository"
    # Do basic password authentication in the clear
    AuthType Basic
    # The name of the protected area or "realm"
    AuthName "Subversion Repository"
    # Make LDAP the authentication mechanism
    AuthBasicProvider ldap
    # Make LDAP authentication is final
    AuthzLDAPAuthoritative on
    # Active Directory requires an authenticating DN to access records
    AuthLDAPBindDN "CN=TESTUSER,CN=Users,DC=MY,DC=DOMAIN"
    # This is the password for the AuthLDAPBindDN user in Active Directory
    AuthLDAPBindPassword TESTPASSWORD
    # The LDAP query URL
    AuthLDAPURL "ldap://SERVERNAME.my.domain:389/DC=my,DC=domain?sAMAccountName?sub?(objectClass=*)"
    # Require a valid user
    Require valid-user
    # Authorization file
    AuthzSVNAccessFile c:\repositories\password-file
    </LOCATION>

  11. Eric,
    Well, the first place to start would be by looking at the Apache error logs. If Apache doesn’t start, there is a good chance that it would be in there. If there is nothing in there, you might need to start Apache from the command line to see why it’s failing. Sometimes, if the failure is early enough in the startup process, standard out/error is used to relay problems.
    As for Apache starting if the LDAP configs are wrong, Apache would still start. It does not validate the actual contents of the LDAP settings. If it’s failing to startup, it’s probably a syntax problem, unloaded module, failure to load a module or something like that.
    Finally, the AuthzSVNAccessFile is used for Subversion’s path-based authorization. It has nothing to do with LDAP. LDAP is for authentication while authorization is done using the “authz” mechanism provided by Subversion.
    In the end, you need to figure out the cause of the failure. Apache error logs and/or standard out/error would be where to look. Good luck.
    Take care,
    Jeremy

  12. rok says:

    Hi, I have a problem: if I want to use two URLs in the AuthURL, is it possible?

  13. rok says:

    Hi,
    I write this to ask about a problem which I have googled but without a result.
    My problem is: if I want to authorize a group to have permission to access an application (Subversion), I can use the directives below in an auth.conf (saved in folder /etc/httpd/conf.d):
    #######
    AuthLDAPURL "ldap://localhost/ou=develop,dc=company,dc=com?cn"
    require valid-user
    #######
    and I tested it; users belonging to ou=develop can access Subversion.
    Now I want to give the group testing the same permission as develop.
    ######
    AuthLDAPURL "ldap://localhost/ou=develop,dc=company,dc=com?cn"
    AuthLDAPURL "ldap://localhost/ou=testing,dc=company,dc=com?cn"
    require valid-user
    ######
    and this does not work; only users of develop can access Subversion.
    Then I changed it as below:
    ######
    AuthLDAPURL (|("ldap://localhost/ou=develop,dc=company,dc=com?cn")("ldap://localhost/ou=testing,dc=company,dc=com?cn"))
    require valid-user
    ######
    When I restart Apache, there is the failure message:
    ----------------------------------------------------------------------------------
    Starting httpd: Syntax error on line 44 of /etc/httpd/conf.d/application_auth.conf:
    The scheme was not recognised as a valid LDAP URL scheme.
    ----------------------------------------------------------------------------------
    Can you tell me how to write two DNs in a URL? Or other methods to make a couple of groups authorized for the same application?
    Thank you very much, and any help is appreciated.

  14. rok,
    Well, you’re using the wrong syntax for specifying redundant LDAP servers. The Apache documentation says that you use one AuthLDAPUrl directive and in its value, you separate the redundant LDAP servers with a space. Here is the direct link: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl Apache’s documentation is very in depth and should be consulted anytime you’re working with Apache.
    Take care,
    Jeremy

  15. If any of you downloaded the sync_ldap_groups_to_svn_authz-*.tar.gz from http://www.thoughtspark.org/node/26 before this comment’s post date, you need to update your installation. There was a bug found in versions prior to 1.0.2 that broke the support for nested groups. Please redownload the latest sync_ldap_groups_to_svn_authz-*.tar.gz, which is version 1.0.2 right now.

  16. rok says:

    hi Jeremy,
    I haven’t downloaded the sync_ldap_groups_to_svn_authz-*.tar.gz before; maybe I should try it. I had thought it wasn’t necessary to install it because my goal is just to make users in two groups in my LDAP server able to access Subversion or another directory in Apache’s RootDocument: just access it, but not read, write or other permissions.
    However, I will try it, and thank you for the helpful advice; I really should read Apache’s documentation with more care.

  17. rok says:

    Additional remarks: the two groups are in one LDAP server, as below:
    LDAP Server:
    company.com
    |—–develop
    |—–testing
    |—–other groups
    Apache’s RootDocument:
    localhost
    |—subversion
    |—directory1(folder)
    |—directory2(folder)
    |—……
    |—directoryN(folder)
    and my goal is that only users in develop and testing (develop+testing, not both in two) could access a directory; for example the directory is subversion, and subversion could be seen as just a folder under Apache’s RootDocument.

  18. rok,
    The tip about the new version of the sync_ldap_groups_to_svn_authz was for the general public, not you. 🙂 I hope you do use it if it has value for you but it was completely unrelated. Sorry if there was any confusion.

  19. rok says:

    Jeremy,
    Ok, I really thank you for the help and maybe I will use your script for a more practical application later. That was the next stage of my work.
    I am sorry to disappoint your hope. Yeah, thanks for the reply; it gives me a lot of courage to solve my problem, though it is still in mid-air.

  20. decafc says:

    Hi Jeremy,
    I wanted to use Directory groups for SVN Authorization (path based access control) without copying the groups from directory services to AuthzSVNAccessFile. Is that possible?

  21. decafc,
    Yes. You can use my Python script here:
    http://www.thoughtspark.org/node/26
    It is documented, tested and working. Let me know how it treats you.
    Take care,
    Jeremy

  22. decafc says:

    Thanks for your quick response !
    I already went through your website. Your script is copying the group info from the directory service to AuthzSVNAccessFile. But what I am trying to achieve is to authorize a person through Apache directly checking with the directory service to see if that person is part of some group. It is like, I don’t want to maintain the group info in AuthzSVNAccessFile; however, I will have the group name and the repo to which this group has access in AuthzSVNAccessFile.

  23. Dave Hassel says:

    What configuration has to happen on Windows/AD end to allow for LDAP or am I missing something? Confused!
    Dave

  24. Dave,
    The configuration above *is* for Active Directory. Are you running into troubles?
    Take care,
    Jeremy

  25. Dave Hassel says:

    I’m new to SVN & LDAP. Doesn’t there have be a user/pw that AD knows about? What can I use to test communication from Sun to AD (to list users/groups/etc?)

  26. Dave,
    If you read the blog above, you’ll get your answer. In the configuration, which you could just copy/paste/refactor, it has the username/password used to “bind” to the directory server, which in this case is an Active Directory instance. To test, just use any LDAP browsing tool. Google “LDAP Browser” and you see many that are free/open source that you can try right now.
    Take care,
    Jeremy

  27. Dave says:

    But doesn’t the “bind” user need to be in AD & a pw set?

  28. Dave says:

    Where do I find mod_ldap.so in CollabNet’s packages?

  29. Mark Phippard says:

    The Apache modules are all statically compiled in. So they are there, you just do not see the .so

  30. decafc says:

    Hi Jeremy,
    Please answer my question posted above.
    I don’t want to copy the DS group info to AuthzSVNAccessFile because there are many groups in DS. So, is there a way I can do the authorization directly in DS. Or is there a way, where I can specify the groups which alone needs to be copied to AuthzSVNAccessFile ?

  31. decafc,
    Well, Apache lets you use a “Require ldap-group” but it’s only blanket-level authorization. As for specifying which groups could be brought over, you can create any LDAP query that you need to restrict what constitutes a valid group to bring over via my script. The --help output should give you an idea of what things you can tweak. You can also just point the script at a lower path in the directory as well.
    Take care,
    Jeremy

  32. Vide says:

    Thanks for the great article. I confirm that it worked almost out-of-the-box with Debian 5 Lenny.
    Just as a note, a mistake that could be quite common (at least I did it 😛): don’t forget to set repository permissions according to the Apache user. Apache must be able to physically write in the repository directories or commits won’t work.
    Thanks again for this guide

  33. BSantos says:

    Hi. I just installed the most recent copy of CollabNet Subversion on RHEL5 as well as on Solaris 10. I was trying to get the LDAP/AD authentication going but the config errors out saying that it could not find the modules from these lines:
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    I ran a find on the system and those files are not found. Do I need to install LDAP separately? Thanks.

  34. No. For the CollabNet binaries, the ldap modules are built into httpd statically. In that case, you can omit the two LoadModule lines.

  35. BSantos says:

    I had to remove the lines for:
    # Load Apache LDAP modules
    # Load Subversion Apache Modules
    I Finally got it working with our AD servers. Thanks again!

  36. BSantos says:

    One more thing… Do you happen to know the syntax to rotate the svn logs…
    CustomLog logs/svn_logfile “%t %u %{SVN-ACTION}e” env=SVN-ACTION
    Thanks.

  37. Daniel Wittenberg says:

    Something odd here. We’ve got our svn test server on a Fedora 9 box, everything works fine. I setup the production one on Centos 5 and all was fine until we turned on the LDAP auth. I used exactly the same config file from Fedora, made sure all modules were on, etc. and it doesn’t work. However, when I sniff the traffic from the Centos -> LDAP server I see coming back:
    LDAP searchResDone(3) success
    So it appears the LDAP server (OSX openldap) is saying that it’s all good, but yet SVN still complains. The only restriction I have is Require valid-user.
    Anyone have any idea why CentOS would fail?
    Thanks!
    Dan

  38. lFora says:

    Hi,
    Thanks for the tutorial.
    But if the LDAP returns the error code 773 “User must reset password”,
    how do you intercept this error?
    How do you manage this error?
    Can Apache or Subversion help the user to change the password?
    Thanks

  39. Charles says:

    Too bad I didn’t have this post 2 years ago when I set up our Subversion to authenticate on our eDirectory tree.

    lFora,
    Neither Subversion nor Apache will assist you in changing your password. I’d hope that the Apache error message would tell you this error occurred, but if it doesn’t, I’m not sure what you could do other than checking the Apache logs to see why what you think is a valid set of login credentials didn’t work.
    Charles,
    I’m glad that it appears to be helpful to you.

  41. Heinz says:

    When I log in to svn via Apache I have to authenticate again very often. That’s not usable. How can one stop that, so Apache remembers that I have already authenticated?
    Thanks
    Heinz

  42. What are you using to access the repository? If you’re using a Subversion client, the client should cache your credentials unless you tell it otherwise. If you’re not using a Subversion client, like a web browser, it’s really up to the tool to cache credentials. Can you tell more about your setup?

  43. Heinz says:

    Using Eclipse 3.3.0, and when clicking on every plus in the browser tree, I am asked for credentials. I can click “Save Password”, but then it’s stored on the disk and I do not want that.
    Using TortoiseSVN 1.6.2 for svn checkout, svn commit, svn update I am asked explicitly for credentials again.
    Here is my dav_svn.conf:
    RedirectMatch ^(/svn)$ $1/
    CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION
    DAV svn
    SVNParentPath /var/svn
    SVNListParentPath On
    SVNAutoversioning On
    SVNReposName "Subversion Repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldap://ldapserver.domain.tld:9389/ou=People,o=company"
    AuthType Basic
    AuthName "Subversion Authentication"
    Require user xuser yuser zuser

  44. Heinz says:

    Eclipse 3.3.0 with Subclipse 1.6.x Plugin

  45. Heinz says:

    Client OS: Window$ XP
    Server:
    Subversion Server 1.4.2
    OS Linux

  46. Heinz,
    This is not a server configuration thing. No matter how you have your server configured, it’s the Subversion client that dictates credential caching. Subversion by default caches your credentials, encrypted on Windows and OS X, on your filesystem. If you do not want that, you have to explicitly tell your client not to do that. If your Subversion client has cached your credentials and you do not want that, search for the file with the cached credentials in %APPDATA%/Subversion/auth/ based on the URL and then delete that file. This is a client-side issue and has nothing to do with your server configuration.

  47. freebo says:

    I have installed usvn on Ubuntu; I have an LDAP server and a Samba server installed on Ubuntu too. How can I authenticate Subversion via LDAP? Thanks for helping.

  48. Eric Smalling says:

    Our LDAP has our users authenticating via their “uid”, which is a simple employee number. This causes all of our commit logs to be hard to read for who-did-what. Is there a way to have the svn committer be a different LDAP field than the one they use for their svn --username? In our case I’d like to use a concatenation of the user’s “givenName” and “sn” fields or, if that’s not possible, their “mail” field would suffice.

  49. Eric,
    What I’ve seen is people using the post-commit hook to handle this. What you can do is use svnlook to get the author of the newly created revision, look it up in LDAP, get the preferred name to display/store in Subversion and then update the svn:author revision property for the newly created revision with the preferred username. Shouldn’t be too hard with a little python and python-ldap.
    Take care,
    Jeremy

  50. Patricia Moss says:

    Does anyone have experience with Subversion with Apache and SLAPD? I am trying to encrypt over SSL and am not sure of the correct way to configure LDAP, Subversion and/or HTTPD and SLAPD. Thanks

  51. Rowland says:

    I have a test server with the following code in the httpd.conf file.
    It’s Apache 2.2.9 on Ubuntu Linux.
    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative off
    AuthName "My Subversion server"
    AuthLDAPURL "ldap://my.server:389/DC=mydepartment,DC=myschool,DC=edu?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "mylockeddownuser@mydepartment.myschool.edu"
    AuthLDAPBindPassword mypassword
    require valid-user
    Under this setup, everything works fine.
    However, if you put in the exact same code in the httpd.conf file on
    Windows Server 2008 enterprise with Apache 2.2.11, it does not work.
    Any ideas?

  52. Rowland,
    If you could quantify “does not work”, that would be helpful. Are you seeing errors in the Apache logs? I’d need more information since in theory, an Apache Location block should work the same on different operating systems assuming the major Apache version is the same, which in your case it is. I’ll need more information.
    Take care,
    Jeremy

  53. Rowland says:

    Hi Jeremy.
    Thank you for the fast reply. I’ve tried several different browsers (Firefox, Opera, IE8) with the same results.
    When I access the website hosted on the Win2K8 machine, I receive a 500 error:
    Server error!
    The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script.
    If you think this is a server error, please contact the webmaster.
    Error 500
    My IP address
    10/27/09 15:31:49
    Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
    The Apache log lists:
    Content-language: en
    Content-type: text/html; charset=ISO-8859-1
    Body:———-en–
    This server could not verify that you are authorized to access
    the URL “”.
    You either supplied the wrong credentials (e.g., bad password), or your
    browser doesn’t understand how to supply the credentials required.
    In case you are allowed to request the document, please
    check your user-id and password and try again.
    Thank you again for your help.

  54. Why don’t we take this to a forum so you can paste your configuration. (http://subversion.open.collab.net/ds/viewForumSummary.do?dsForumId=3)

  55. Yasith Tharindu says:

    Hi, the apache 2.2.* configuration file has a problem.
    “AuthLDAPAuthoritative on” has to be changed to “AuthzLDAPAuthoritative on”.
    Other than that, great tutorial, worked for me.
    Thanks..
    Regards..

  56. louiechristiehub says:

    I got this to work with two important changes:
    Create a file called /subversion/apache2/auth/repos.acl with contents:
    [/]
    * = rw
    Change
    AuthLDAPBindDN “CN=ldapuser,CN=Users,DC=your,DC=domain”
    to
    AuthLDAPBindDN “username@your.domain”

  57. megha says:

    Hello,
    I have set up the SVN server using Apache (LDAP+SSL). When I try to login through the Tortoise SVN client I face issues in logging in, with the following error in the logs: “auth_ldap authenticate: user abc authentication failed; URI /test [ldap_search_ext_s() for user failed][Operations Error]”
    When I restart my machine I am able to login successfully.
    Apache(httpd.conf) configuration below.
    ##################
    #Subversion configuration – Enable LDAP
    DAV svn
    SVNPath C:/svnroot/test
    #Do basic password authentication in the clear
    AuthType Basic
    AuthName “Subversion Repository”
    #Make LDAP the authentication mechanism
    AuthBasicProvider “ldap”
    #Options FollowSymLinks
    Order allow,deny
    Allow from all
    #The LDAP query URL
    AuthLDAPURL “ldap://server.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)”
    #Make LDAP authentication is final
    AuthzLDAPAuthoritative off
    #Active Directory requires an authenticating DN to access records
    AuthLDAPBindDN “abc@example.com”
    #This is the password for the AuthLDAPBindDN user in Active Directory
    AuthLDAPBindPassword “mypasswd123”
    AuthzSVNAccessFile C:/etc/svn-acl_intel
    Require valid-user
    ##################
    Secondly, I do not want to keep the password “AuthLDAPBindPassword “mypasswd123” “. Is there a way where I can take the password as input?
    Please let me know if there is any solution to the above problem.
    Thanks
    -Megha

  58. Megha,
    If things work after a reboot, that leads me to believe that you didn’t restart Apache after you made changes to your Apache configuration and the reboot basically restarted Apache. As for storing the AuthLDAPBindPassword in clear text within httpd.conf, there is no other option. Since servers are usually secured properly, most don’t have to worry about the password being in clear text. But if you want another level of security, just create a “service account” user and have that user in your configuration.
    Take care,
    Jeremy

  59. Cheryl says:

    Jeremy,
    I have changed the httpd.conf file as to give access to configure Subversion to authenticate against multiple LDAP domains. I used the example from http://help.collab.net/index.jsp?topic=/faq/auth_svn_multiple_ldap.html. Unfortunately all the changes I have made thus far result in either a 500 Internal Server Error or a services error “Windows could not start the Apache2.2 on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 1.”
    Each time I take another action and note the results. To get a more in-depth picture of where the errors may be coming from, I run httpd.exe from the bin directory on the server, against the httpd.conf file.
    I have researched multiple sites, entered multiple questions in different forums, etc. I really need some quick answers as this issue remains unresolved for over a month now. Unfortunately none of my colleagues have enough experience with Apache and Subversion and/or time to be of any great assistance at this time.
    Thanks,
    Cheryl

  60. Cheryl,
    Well, to get the real error it’s best not to start the service via the service applet. You should invoke httpd.exe manually and see what the error is. With no real meaningful error, I can’t help any further until you can provide me more information.
    Take care,
    Jeremy

  61. cheryl says:

    Jeremy,
    Attached is both the error message upon execution of httpd.exe and a portion of the *.conf file which is used to attempt access to the subversion repositories.
    Error message returned:
    D:\APPS\Program Files\Apache Software Foundation\Apache2.2\bin>httpd.exe
    Syntax error on line 511 of D:/APPS/Program Files/Apache Software Foundation/Apache2.2/conf/httpd.conf:
    Bad scope encountered while parsing LDAP URL.
    # Load Apache LDAP modules
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule authn_alias_module modules/mod_authn_alias.so
    # Load Subversion Apache Modules
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so
    #Test repository BI Internal
    # Work around authz and SVNListParentPath issue
    RedirectMatch ^(/svn)$ $1/
    #Force SSL, but don’t verify the Cert
    # LDAPVerifyServerCert off
    # LDAPTrustedMode SSL
    AuthLDAPBindDN “Current ldap ID”
    AuthLDAPBindPassword “password”
    AuthLDAPURL “ldap://rdg-ldap-lb:389/OU=users,OU=rdg,OU=us,DC=am,DC=boehringer,DC=com?sub?(objectClass=*)”
    AuthLDAPBindDN “Current ldap ID”
    AuthLDAPBindPassword “password”
    AuthLDAPURL “ldap://rdg-ldaplb:389/OU=users,OU=bai,OU=ar,DC=am,DC=boehringer,DC=com?sub?(objectClass=*)”
    DAV svn
    SVNParentPath D:\DATA\svn_repository
    SVNListParentPath On
    SVNReposName “BI Internal”
    AuthzLDAPAuthoritative off
    AuthBasicProvider ldap-rdg ldap-ar
    AuthType Basic
    AuthName “BI Internal”
    # For any operations other than these, require an authenticated user.
    Require valid-user
    Require ldap-group CN=RDG-SVN Users,OU=Groups,OU=rdg,OU=us,DC=am,DC=boehringer,DC=com
    #Require ldap-group cn=RDG-SVN Users
    #
    # Require valid-user
    #
    Thanks,
    Cheryl

  62. Cheryl,
    Well, the error is pretty clear and the problem is your AuthLDAPURL is wrong. Basically, you never specify the LDAP object attribute to qualify the user id and since you omit this, it’s actually using ‘sub’ as the object attribute and it will then see no scope. If you read the part of the article above that discusses the LDAP URL, you see where my example url is dissected and it should become clear. Just in case it isn’t, I think your AuthLDAPURL should be something like this:
    ldap://rdg-ldap-lb:389/OU=users,OU=rdg,OU=us,DC=am,DC=boehringer,DC=com?sAMAccountName?sub?(objectClass=*)
    You should see the difference between your URL and mine is the inclusion of the “sAMAccountName?” addition before the “sub” scope.
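    Jeremy’s dissection, as an added example (not code from the original article): a Python checker that splits an AuthLDAPURL into its fields the way mod_authnz_ldap reads them, reports the error above (with no attribute field, ‘sub’ is taken as the attribute and the filter lands in the scope slot), flags a missing port, and shows the search filter Apache builds from the attribute and the user name. The hostnames and DNs it is run on are constructed placeholders.

```python
"""Dissect an Apache 2.2 AuthLDAPURL the way mod_authnz_ldap reads it.

Added example, not code from the original post. The grammar is
    ldap[s]://host[:port]/basedn[?attribute[?scope[?filter]]]
with uid, sub and (objectClass=*) as the defaults for the last three
fields. Hostnames and DNs used with it are constructed placeholders.
"""
from typing import Dict, List

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
VALID_SCOPES = ("base", "one", "sub")


def dissect_auth_ldap_url(url: str) -> Dict[str, object]:
    """Split url into fields; hard errors mirror Apache's startup messages."""
    errors: List[str] = []
    warnings: List[str] = []
    url = url.strip().strip("\"'")            # httpd.conf allows quoting
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORT:
        errors.append("The scheme was not recognized as a valid LDAP URL scheme.")
        return {"url": url, "errors": errors, "warnings": warnings}
    hostport, _, path = rest.partition("/")
    host, _, port_text = hostport.rpartition(":")
    if not host:                              # no ':' present at all
        host, port_text = port_text, ""
    port = DEFAULT_PORT[scheme]
    if port_text.isdigit():
        port = int(port_text)
    elif port_text:
        errors.append(f"port {port_text!r} is not a number")
    else:
        warnings.append(f"no port given; {port} assumed, better to write it out")
    fields = path.split("?") + [""] * 4       # pad missing trailing fields
    basedn, attribute, scope, filt = fields[:4]
    if basedn.startswith("/"):
        warnings.append("base DN starts with '/': doubled slash after the host?")
    if " " in basedn:
        warnings.append("base DN contains spaces")
    attribute = attribute or "uid"
    if not scope:
        scope = "sub"
    elif scope not in VALID_SCOPES:
        errors.append("Bad scope encountered while parsing LDAP URL.")
        if scope.startswith("("):             # the filter slid into the scope slot
            errors.append("attribute field missing: a filter sits where the scope belongs")
    filt = filt or "(objectClass=*)"
    return {"url": url, "scheme": scheme, "host": host, "port": port,
            "basedn": basedn, "attribute": attribute, "scope": scope,
            "filter": filt, "errors": errors, "warnings": warnings}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a user name cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search_filter(parsed: Dict[str, object], username: str) -> str:
    """The search mod_authnz_ldap issues: (&(filter)(attribute=username))."""
    return f"(&{parsed['filter']}({parsed['attribute']}={escape_filter_value(username)}))"


if __name__ == "__main__":
    for candidate in (
        # Cheryl's mistake: no attribute, so 'sub' becomes the attribute
        "ldap://ldap.example.com:389/OU=users,DC=example,DC=com?sub?(objectClass=*)",
        # Jeremy's fix
        "ldap://ldap.example.com:389/OU=users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)",
    ):
        result = dissect_auth_ldap_url(candidate)
        print(candidate)
        for msg in result["errors"] + result["warnings"]:
            print("   ", msg)
        if not result["errors"]:
            print("    filter for jsmith:", user_search_filter(result, "jsmith"))
```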

  63. cheryl says:

    Jeremy,
    Here are the results of the changes I made to both the ldap ldap-ar and ldap ldap-rdg alias lines, with the results. In addition the authn_alias_module is commented out in the DSO list as well as the Load Apache Modules section of the file, just below the DSO listing.
    Changed to:
    AuthLDAPURL “ldap://rdg-ldap-lb:389/OU=users,OU=rdg,OU=us,DC=am,DC=boehringer,DC=com?sAMAccountName?sub?(objectClass=*)”
    From:AuthLDAPURL “ldap://rdg-ldaplb:389/OU=users,OU=bai,OU=ar,DC=am,DC=boehringer,DC=com?sub?(objectClass=*)”
    Result:
    D:\APPS\Program Files\Apache Software Foundation\Apache2.2\bin>httpd.exe
    Syntax error on line 508 of D:/APPS/Program Files/Apache Software Foundation/Apache2.2/conf/httpd.conf:
    Invalid command ‘
    Thanks,
    Cheryl

  64. Cheryl,
    Well, I don’t have your httpd.conf file so I don’t know what line 508 has on it. The error tells you what’s up, although it’s a little vague. Look at line 508 of your httpd.conf and compare the directive/command to the Apache manual. It’s probably just a typo or something at this point.
    Take care,
    Jeremy

  65. cheryl says:

    Jeremy,
    Does it matter if the module authn_alias_module is loading if you’re using the AuthnProviderAlias?
    thanks,
    Cheryl

  66. Cheryl,
    Yup. Based on the documentation:
    http://httpd.apache.org/docs/2.2/mod/mod_authn_alias.html
    The AuthnProviderAlias directive is provided by the mod_authn_alias module. If it isn’t loaded, you can’t use that directive.
    Take care,
    Jeremy

  67. cheryl says:

    Jeremy,
    When I uncomment the directive mod_authn_alias module I still receive the error message (after executing httpd.exe) Syntax error on line 509 of D:APPS…httpd.conf: The scheme was not recognized as a valid LDAP URL scheme.
    Line 509 is:
    AuthLDAPURL “ldap://rdg-ldap.am.boehringer.com/OU=users,OU=rdg,OU=us,DC=am,DC=boehringer,DC=com?sAMAccountName?sub?(objectClass=*)”
    In my httpd.conf file line 509 is contained in the following tag:
    AuthLDAPBindDN “ldap dn”
    AuthLDAPBindPassword “ldap pswd”
    AuthLDAPURL “ldap://rdg-ldap.am.boehringer.com/OU=users,OU=rdg,OU=us,DC=am,DC=boehringer,DC=com?sAMAccountName?sub?(objectClass=*)”
    I am able to use the LDAP URL above within the location tag to successfully gain access to the repositories, so I’m unclear where the failure is from.
    If looking at my conf file directly would provide a better idea, let me know the best way, to accomplish this.
    Also, there has been some suggestion to look into utilizing an SSPI module to accomplish the access within the Windows environment.
    Thanks very much for your assistance,
    Cheryl

    Cheryl,
    Everything looks fine except you don’t have a port for your ldap url. As for SSPI, I’m not a big fan due to the module’s lack of maintenance and client operating system lock-in. Your needs might make my opinion on the matter moot so feel free to proceed however you’d like.
    Take care,
    Jeremy

  69. Ryan says:

    Hi, I am new for SVN, what’s the meaning of the following line? Especially the “$1/” one?
    RedirectMatch ^(/repos)$ $1/
    Thanks a lot.

  70. Ryan,
    It tells Apache to take the redirect regex match, the part matched by “^(/repos”, which happens to only match “/repos”, and use it in the last argument of the RedirectMatch directive. This is supposed to redirect “/repos” to “/repos/”.
    Take care,
    Jeremy

  71. cheryl says:

    Jeremy,
    The following changes were made to my httpd.conf file and tested with a user who is not a member of the AD group required at the end of the location tag, but is a member of one of the alias URL groups. He was able to successfully see the repositories, as were members of the AD group; as expected. However, when the following entry is uncommented, #Require ldap-group CN=RDG-SVN Users,OU=Groups,OU=rdg,OU=us,DC=am,DC=boehringer,DC=com The non-group member is still apparently able to access the repositories; not as expected.
    AuthLDAPBindDN ldapDN
    AuthLDAPBindPassword password
    AuthLDAPURL ldap://rdg-ldap.am.boehringer.com/OU=Users,OU=rdg,OU=us,DC=am,DC=boehringer,DC=com?sAMAccountName?sub?(objectClass=*)
    AuthLDAPBindDN ldapDN
    AuthLDAPBindPassword password
    AuthLDAPURL ldap://rdg-ldap.am.boehringer.com/OU=Users,OU=bai,OU=ar,DC=am,DC=boehringer,DC=com?sAMAccountName?sub?(objectClass=*)
    AuthLDAPBindDN ldapDN
    AuthLDAPBindPassword password
    AuthLDAPURL ldap://bibdc01.eu.boehringer.com/OU=AIV,OU=BIPKG,OU=Users,OU=!de,OU=de,DC=eu,DC=boehringer,DC=com?sAMAccountName?sub?(objectClass=*)
    DAV svn
    SVNParentPath D:\DATA\svn_repository
    SVNListParentPath On
    SVNReposName “BI Internal”
    AuthType Basic
    AuthName Internal
    AuthBasicProvider ldap-rdg ldap-ar ldap-eu
    AuthzLDAPAuthoritative on
    Require valid-user
    #Require ldap-group CN=RDG-SVN Users,OU=Groups,OU=rdg,OU=us,DC=am,DC=boehringer,DC=com
    Thanks,
    Cheryl

  72. Cheryl,
    I think that is due to the order in which you have the Require directive. “Require valid-user” basically says that any user with proper password can access. Since it was before the “Require ldap-group …”, it was basically making it where the latter Require directive was never validated against.
    Take care,
    Jeremy

  73. cheryl says:

    Jeremy,
    As you indicated in your response, I moved the “Require valid-user” to the line after “Require ldap-group…”, with the same result. I then commented out the “Require valid-user” line, which of course blocks all access.
    I also changed the AuthzLDAPAuthoritative on to AuthzLDAPAuthoritative off to see if this would limit the scope to only members of the appropriate AD group, without success.
    Is there any other solution you can suggest, based on the many posts we have exchanged? Do you recommend any books/courses, etc. to assist me further?
    thanks again,
    Cheryl

  74. Cheryl,
    The only remaining things I can think of:
    * Use a global catalog server for your LDAP end point to ensure access to the full AD forest (Mentioned in the article)
    * Maybe the user binding to AD from Apache doesn’t have access to that group for some reason
    * Check the error log for more hints as I’m out of them
    Take care,
    Jeremy

  75. cheryl says:

    Jeremy,
    I have been told by a European colleague that using the global catalog to ensure access to the full AD forest is what he does with other applications.
    Where in the httpd.conf would the entry for 3268 be added?
    Thanks,
    Cheryl

  76. Cheryl,
    You’d use it in you LDAP url just like you put the port into any other url. So instead of:
    ldap://hostname/…
    you’d have:
    ldap://hostname:3268/…
    Take care,
    Jeremy

  77. Scott Lundgren says:

    My configuration appears to be working in that requesting the defined location triggers an auth prompt. However, when using a correct username & password, authentication always fails and the auth prompt never goes away until the user presses cancel.
    What could be wrong?
    subversion.conf:
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so
    # Enable Subversion logging
    CustomLog logs/svn_logfile “%t %u %{SVN-ACTION}e” env=SVN-ACTION
    Location /smc
    DAV svn
    SVNPath /var/www/svn/smc
    AuthzSVNAccessFile /var/www/svn/smc/conf/svn_access.conf
    AuthBasicProvider ldap
    # LDAP Authentication & Authorization is final; do not check other databases
    AuthzLDAPAuthoritative on
    AuthType Basic
    AuthName “Service Management Center”
    AuthLDAPBindDN CN=proxyuser,OU=people,OU=organization,DC=its,DC=university,DC=edu
    AuthLDAPBindPassword password
    AuthLDAPURL ldaps://its.university.edu:636/OU=people,OU=organization,DC=its,DC=university,DC=edu?sAMAccountName?sub?(objectClass=*)
    Require valid-user
    /Location

  78. Prashant says:

    In my sf_subversion.conf I have ldap authentication enabled and there are no issues with domain users. Currently I am looking for access for local users who will not be created in ldap. Is it possible? If yes, what sort of changes need to be done? Please note that we have installed the CSFE hook on the repository.

  79. Jim Williams says:

    I read your paragraph about the RedirectMatch directive and have seen it used similarly in many older posts, but I’m wondering if it’s still necessary. If I understand it, there’s a bug (?) related to SVNListParentPath and mod_dav_svn authorization where the URL must have a trailing slash. The RedirectMatch just appends one, if necessary. How can I tell if I still need to do this? Browsing the parent path seems to work fine with or without the RedirectMatch. Do I misunderstand?
    I’ve got more than sixty Location blocks giving URLs to as many SVNParentPaths. I’m trying to eliminate as much variation between these copied blocks as I can to ease maintenance of the resulting mess (also using Include, and wish I had mod_macro).
    Thanks,
    Jim

  80. Jim Williams says:

    It appears this issue is being worked, if not fixed already.
    http://subversion.tigris.org/issues/show_bug.cgi?id=2753
    Thanks,
    Jim

  81. Olivier Bourquin says:

    I have tried a lot of different things to be able to use LDAP over SSL for authentication, and I had it working with an older version of Subversion from opencsw.
    Now I wanted to switch to Collabnet Subversion and I always get a “ldap_simple_bind_s() failed][Can’t contact LDAP server]” error when using ldaps. With ldap only, it works, though. Are we sure that mod_ldap is compiled with SSL?
    Any advice would be greatly appreciated…
    Here’s part of my config:
    LDAPVerifyServerCert Off
    LDAPTrustedMode SSL
    LDAPTrustedGlobalCert CA_BASE64 /…/root-cert.cer
    DAV svn
    SVNPath /cs/svnrep/collabtest
    SVNAutoversioning on
    AuthType Basic
    AuthName “Subversion: collabtest”
    AuthBasicProvider ldap
    AuthLDAPURL ‘ldaps://server:7636/dc=intranet, dc=net?uid’
    AuthLDAPBindDN ‘uid=SVN,ou=Subversion,ou=Applications,dc=intranet,dc=net’
    AuthLDAPBindPassword password
    AuthzLDAPAuthoritative on
    require valid-user
    AuthzSVNAccessFile /cs/svnrep/svnconf/collabtest.authz

  82. gpitrone says:

    I’m very new to Subversion (1 week) and just loaded it on a Red Hat server. I still cannot get ldap/active directory to work. I added the lines from your snippet to the http.conf file. Is there anything else I need to install or modify?
    As admin in the console I chose ldap for authentication.
    This is the jetty log when I try to log in.
    10.10.10.10 – – [27/Aug/2010:12:27:25 -0400] “POST /csvn/j_spring_security_check HTTP/1.1” 302 0
    10.10.10.10 – – [27/Aug/2010:12:27:26 -0400] “GET /csvn/login/authfail?login_error=1 HTTP/1.1” 302 0
    10.10.10.10 – – [27/Aug/2010:12:27:26 -0400] “GET /csvn/login/auth?login_error=1 HTTP/1.1” 200 4751
    This is the console log when I try to log in.
    2010-08-27 12:28:23,153 [qtp363803606-92] ERROR springsecurity.GrailsDaoImpl – User not found: XXX
    Thanks,
    Greg

  83. Dunn Le says:

    I have the exact same issue as Greg (gpitrone | August 27, 2010 at 09:31 AM). I have been working on it for a day, but no luck. I asked the ldap admin personnel to look at the log file and he said no request was sent to the ldap server from my csvn server.
    If I know anything better I will post again.
    Dunn.

  84. Dunn Le says:

    Ok Greg, I am back. This is really good support, thanks Mark Phippard.
    If you have the same issue as me, read the first 4 messages of this thread and you will see the answer.
    http://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=383094
    (Well, it is so easy to misinterpret the help of the console.)
    Dunn.

  85. Hi master-hands,
    I encounter one issue about LDAP integration:
    I use SSL, LDAP and Apache to set up an svn server (it is installed on Ubuntu 9.10). It is fine when the DC is Windows 2003 Server. But I can’t check out files from the SVN server after upgrading the DC to Windows 2008 Server (x86); it shows “Server sent unexpected return value (500 Internal Server Error) in response to” after I input the domain username.
    The following are my configuration file contents:
    /etc/apache2/sites-available/ssl:
    SSLEngine On
    SSLCertificateFile /opt/repositories/localhost.pem
    ********
    ********
    DAV svn
    SVNParentPath /opt/repositories
    SVNListparentPath on
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthName “js”
    AuthzSVNAccessFile /opt/repositories/authz.conf
    AuthUserFile /dev/null
    AuthLDAPURL “ldap://192.168.8.10/DC=xy?sAMAccountName?sub?(objectClass=*)”
    AuthLDAPBindDN “CN=dmin,OU=ServerAdmin,DC=xy”
    AuthLDAPBindPassword soft.COM
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPGroupAttribute member
    SSLRequireSSL
    Require valid-user
    Require valid-user
    I see the following in /var/log/apache2/error.log after inputting the domain username (wang.hua) to check out the test1 repository with the svn client:
    [Sun Sep 26 01:41:37 2010] [warn] [client 192.168.85.100] [11210] auth_ldap authenticate: user wang.hua authentication failed; URI /test1 [ldap_search_ext_s() for user failed][Operations error]
    So it is very troublesome, I am agonising over it.
    Thanks for your reply.

  88. David says:

    Sorry, I am new and not familiar with it, so I posted the same comment three times.

  89. Qizak says:

    Hi Jeremy,
    LDAP is working with my setup in every way. I’ve also set up the sync bridge script you mention above to create a local svnauthz file of AD groups (which works very well, but I’d really prefer to handle everything on the LDAP server (AD)), along with 3 or 4 other methods to try to control access to sub-directories.
    My repo. is set as follows (single repo – multiple project subdirectories)
    Repo/
    Repo/foo
    Repo/bar
    Repo/harry
    Using ‘require ldap-group’ (or any other ldap statement) is there any way at all to allow a group access to repo/foo without them having access to repo/?
    I can achieve it with a ‘matchlocation’ statement in the svn.conf but have read that can mangle SVN commits (loses author). Also tried statements which still don’t seem to do it. Basically it seems if you restrict access to the ‘/’ the restriction applies to all sub-folders. Am I right on that?
    I also read there’s a bug with 1.5 which means a user has to have at least read to the ‘/’ but with an authz file there’s a workaround ( “/” r =*) so wondered if there is an equivalent hack for ldap-group or similar?
    Any advice appreciated.
    Q.

  90. Ronald says:

    Hi,
    I’m facing some issues in configuring the SVN with LDAP.
    ISSUE: My configuration appears to be working in that requesting the defined location triggers an auth prompt. However, when using a correct username & password, authentication always fails and the auth prompt never goes away until the user presses cancel.
    below is my config file.
    apache version is 2.2.x
    DAV svn
    SVNParentPath d:/repo
    SVNListParentPath On
    AuthzLDAPAuthoritative on
    AuthType Basic
    AuthBasicProvider ldap
    AuthName “repositories”
    AuthLDAPBindDN “myname@company.com”
    AuthLDAPBindPassword “password”
    AuthzSVNAccessFile “d:/repo/access.txt”
    Allow from “domain”
    AuthLDAPURL “ldap://mycompany.com:389//DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)”
    Require valid-us
    Kindly please help me..
    Regards,
    Ronald

  91. gpitrone says:

    OK I’m finally getting back into this and reading over the comments, thanks for all of the responses. In reading over one of the posts it said, “LDAP configuration only applies to the Apache Subversion server. You still have to login to the Subversion Edge console using the built-in users”.
    So I have to ask a stupid question, we are running Subversion on a Linux Server and the Desktop Client of choice is TortoiseSVN. Is it correct to say, the developer’s desktop cannot access the server using AD/LDAP they need to access the server as a designated user that I have to manually create using the Admin Console?
    Greg
