Subversion LDAP Authentication with Apache

This blog entry is now obsolete. A newer, more in-depth version is available here: Subversion with Apache and LDAP: Updated

More and more companies are using directory services for housing their user credentials and information.  Example directory services are Active Directory, eDirectory and OpenLDAP.  How does this relate to Subversion?  Well, in the enterprise deployments I’ve been involved with, most clients wanted to harness their existing directory services for their Subversion authentication.  This blog post will explain the simplicity of hooking up Apache to your directory service using mod_auth_ldap, giving you the ability to authenticate against your existing user data store.

As of now, the only way to use your directory service for Subversion authentication is to use Apache as your network layer.  This lets you use any of the authentication options available to Apache, and with mod_auth_ldap, Apache can authenticate Subversion users against your directory service.

Before we get started modifying our Apache configuration file, let's look at the simplest Location directive possible for exposing a Subversion repository via Apache:

<Location /repos>
  # Enable Subversion
  DAV svn

  # Directory containing all repositories for this path
  SVNParentPath /absolute/path/to/directory/containing/your/repositories
</Location>

Now let's modify this to add mod_auth_ldap support for the authentication portion of the Location directive above:

<Location /repos>
  # Enable Subversion
  DAV svn

  # Directory containing all repositories for this path
  SVNParentPath /absolute/path/to/directory/containing/your/repositories

  # LDAP Authentication & Authorization is final; do not check other databases
  AuthLDAPAuthoritative on

  # Do basic password authentication in the clear
  AuthType Basic

  # The name of the protected area or "realm"
  AuthName "Your Subversion Repository"

  # Active Directory requires an authenticating DN to access records
  # This is the DN used to bind to the directory service
  # This is an Active Directory user account
  AuthLDAPBindDN "CN=someuser,CN=Users,DC=your,DC=domain"

  # This is the password for the AuthLDAPBindDN user in Active Directory
  AuthLDAPBindPassword somepassword

  # The LDAP query URL
  # Format: scheme://host:port/basedn?attribute?scope?filter
  # The URL below will search for all objects recursively below the basedn
  # and validate against the sAMAccountName attribute
  AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"

  # Require authentication for this Location
  Require valid-user
</Location>

Use the in-line comments in the code above to better understand the Apache configuration directives for mod_auth_ldap.  With the above example (which you need to modify for your environment) you can have Apache authenticate your Subversion users against your Active Directory directory service.  The above will also work for other directory services but with minor modifications in the AuthLDAPURL.  For more information, you can consult the mod_auth_ldap documentation linked to in the first paragraph.  Although this post is short, I hope it adds value to those who read it.
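The settings in the Location block above can be checked mechanically. The following is an added example, not code from the original post or from Apache: it splits an AuthLDAPURL into the parts named in the format comment and flags the cleartext and credential-handling settings of one block. The function names, finding codes and sample block are constructed for illustration; the optional SSL/TLS/STARTTLS argument it recognises is the Apache 2.2 mod_authnz_ldap form of AuthLDAPURL.

```python
import re
import shlex

# Constructed sample: the post's Location block with its placeholder values.
SAMPLE_CONF = '''\
<Location /repos>
  DAV svn
  SVNParentPath /absolute/path/to/directory/containing/your/repositories
  AuthLDAPAuthoritative on
  AuthType Basic
  AuthName "Your Subversion Repository"
  AuthLDAPBindDN "CN=someuser,CN=Users,DC=your,DC=domain"
  AuthLDAPBindPassword somepassword
  AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
  Require valid-user
</Location>
'''

URL_RE = re.compile(r'^(ldaps?)://([^/:\s]+)(?::(\d+))?/(.*)$', re.IGNORECASE)


def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into a dict.

    Assumes one host and no IPv6 literal. Omitted parts get the defaults
    given in the mod_auth_ldap documentation.
    """
    match = URL_RE.match(url.strip())
    if not match:
        raise ValueError('not an ldap:// or ldaps:// URL: %r' % url)
    scheme, host, port, rest = match.groups()
    scheme = scheme.lower()
    basedn, attribute, scope, ldap_filter = (rest.split('?', 3) + [''] * 3)[:4]
    return {
        'scheme': scheme,
        'host': host,
        'port': int(port) if port else (636 if scheme == 'ldaps' else 389),
        'basedn': basedn,
        'attribute': attribute or 'uid',
        'scope': scope or 'sub',
        'filter': ldap_filter or '(objectClass=*)',
    }


def read_directives(conf_text):
    """Return {lowercased directive name: [arguments]} for one config block."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#<':   # skip comments and section tags
            continue
        tokens = shlex.split(line)        # honours the double-quoted values
        directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_location(conf_text):
    """Return a list of (code, explanation) findings for one Location block."""
    d = read_directives(conf_text)
    findings = []
    if 'require' not in d:
        findings.append(('no-require',
                         'no Require directive, so authentication is never enforced'))
    auth_type = (d.get('authtype') or [''])[0].lower()
    if auth_type == 'basic' and 'sslrequiressl' not in d:
        findings.append(('basic-without-ssl',
                         'Basic sends the password base64-encoded on every request; '
                         'add SSLRequireSSL unless the vhost is HTTPS-only'))
    if d.get('authldapurl'):
        args = d['authldapurl']
        url = parse_auth_ldap_url(args[0])
        mode = args[1].upper() if len(args) > 1 else 'NONE'
        if url['scheme'] == 'ldap' and mode not in ('SSL', 'TLS', 'STARTTLS'):
            findings.append(('ldap-cleartext',
                             'bind DN and user passwords travel unencrypted to %s:%d'
                             % (url['host'], url['port'])))
    if 'authldapbindpassword' in d:
        findings.append(('bind-password-in-config',
                         'bind password is stored in the config file; restrict read '
                         'access and bind with a low-privilege search account'))
    return findings


if __name__ == '__main__':
    print(parse_auth_ldap_url(read_directives(SAMPLE_CONF)['authldapurl'][0]))
    for code, why in audit_location(SAMPLE_CONF):
        print('%-24s %s' % (code, why))
```
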

52 comments on “Subversion LDAP Authentication with Apache”
  1. Tom Clancy says:

    Thanks for this. Is there anything special you need to do when using ActiveDirectory? I had a terrible time (http://ask.metafilter.com/11397/ ) trying to do this a few years back.

    • Swapnil Soor says:

      Thanks for this useful info, I did the same. And when I hit the SVN URL, it does prompt for the credentials, but gives the following error in the error.log file

      verification of user id ‘xxxxx’ not configured

      Any Idea?

      I tried the same credentials which I use for sso. Which is expected to work

      Thanks,
      Swapnil

  2. Tom,
    There is nothing special when using Active Directory as the service mod_auth_ldap is querying. Since the ldap url is a standard url with query string, it really comes down to understanding the ldap query capabilities to get exactly what you need. The url mentioned in the blog post is for Active Directory so you could take that and use it with minor modifications. One thing I have run into when using Active Directory is the port number. The default port of 389 usually works properly as mentioned above but depending on your domain structure, you may need to search the Global Catalog that has a default port number of 3268. That is the only thing I’ve run into recently with regard to Apache, mod_auth_ldap and Active Directory. I hope this helps.
    Take care,
    Jeremy
    P.S. – The url you provided isn’t working right now so I cannot address your previous issue. Feel free to create a forum post at the following Subversion forum so we can take care of you: http://subversion.open.collab.net/servlets/ForumMessageList?forumID=42

  3. Mark Keisler says:

    Although it doesn’t relate directly to LDAP auth, it bears mentioning that one should use the AuthzSVNNoAuthWhenAnonymousAllowed setting to avoid an Authen query when read access is anonymous (* = r).

  4. Bryan Hughes says:

    Was having problems with Apache/DAV/SVN not letting users authenticate. As mentioned in the above posts I had to authenticate against the Global Catalog and change the port to 3268.
    Thanks for the info all.

  5. Luxspes says:

    Mmmm, not working for me…
    I think I might need links to documentation on how to customize
    AuthLDAPBindDN “CN=someuser,CN=Users,DC=your,DC=domain”
    and
    AuthLDAPURL “ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)”
    for my particular environment… any hints? (I am just not sure which parts of those “string” are “generic” and which parts are not…)
    I am using http://www.jxplorer.org/ to connect to my Active Directory (and learn stuff about it) and seems to be working… I used what I learned from JXExplorer to configure Ignite OpenFire with LDAP http://www.igniterealtime.org/ … and now it is working… I am failing to do it with Subversion…
    Perhaps you can recommend me a How-To or book with a chapter on Subversion/LDAP integration?

  6. Luxspes says:

    Hi!
    For example… someuser… should match the login… of… the Domain Administrator? or just a Domain user?
    what should I put instead of “sAMAccountName”… (or should I leave that untouched?)
    Any hints?

  7. Dave Stauffer says:

    I figured I would share what I did to get SubVersion hooked up to my Microsoft AD server for authentication using mod_authz_ldap ( http://authzldap.othello.ch/index.html ). It’s not perfect but… I hope this helps. I probably could have gotten this up and running faster using mod_auth_ldap but authz is more flexible in some ways (and not in others). The two biggest problems I ran into were (1) that authz doesn’t use the AuthLDAPURL variable. All of the other variables mentioned above only needed ‘z’ added to them to work. See their reference link for all vars and note numerous speling mistakes (like they list a scope as ‘onlevel’ when it is actually ‘onelevel’ – argh!). (2) Microsoft AD requires a user name and password to ‘bind’ to. I know this is in the example above but the way AD behaves doesn’t make it clear why. I was able to get it to work without the bind name and password if my AuthzLDAPUserKey was set to = CN but I would have had to enter “David\, Stauffer” as my user name in the login dialog box instead of my actual login account name = “daves” (fyi – the \ escapes the comma). I was trying to get away from the bind because I didn’t want to store a user name and password in plain text in my httpd.conf file. It turns out that MS requires the bind variable instead of using the input user name/password to bind. This is just plain stupid.
    Here goes:
    LoadModule dav_module /usr/lib64/httpd/modules/mod_dav.so
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_ldap_module modules/mod_authz_ldap.so
    <Location /repos>
    DAV svn
    SVNParentPath /cm/svn/repos
    # Disables Path Checking
    SVNPathAuthz off
    # Display available Repos
    SVNListParentPath on
    # LDAP Authentication & Authorization is final; do not check other databases
    # I was paranoid that if i set this on it would impact some other authentication
    # used for another app. When everything is setup for AD auth
    # this can probably be changed to on
    AuthzLDAPAuthoritative off
    AuthType Basic
    AuthName "Subversion Repository"
    # LDAP Server to bind to
    AuthzLDAPServer "our.svn.server:389"
    # the search scope
    AuthzLDAPMethod ldap
    # Bind to AD User: needs to bind to a user to search. It appears any user will do.
    # Without this a subtree search will not work
    # Thanks to the user who pointed out http://www.jxplorer.org/ I used this to figure out what the CN of my account was!!!
    AuthzLDAPBindDN "CN=user\, name,OU=office,OU=Users,DC=ourdc,DC=org"
    AuthzLDAPBindPassword "password"
    # Search for this attribute: the sAMAccountName is what contains the AD login name
    AuthzLDAPUserKey sAMAccountName
    # User Base: this is where the search will start. Really it should be changed to a
    # group search to see if a user is in a valid group. in this case only users
    # in this office AD OU will be able to access subversion
    AuthzLDAPUserBase "OU=office,OU=Users,DC=ourdc,DC=org"
    # Set the search scope: subtree allows the search to go to AD levels below the base. I used subtree because we have a hierarchy (its not flat). base or onelevel may work for you and would be faster
    AuthzLDAPUserScope subtree
    Require valid-user
    </Location>

  8. Michel says:

    Hi All,
    You can find the complete package of active directory subversion and apache on http://opensourcedevelopment.net/text-tutorials/apache-subversion-active-directory.html
    So, you don’t need to compile apache, subversion. This is the complete package with document.
    Regards

  9. Dave Stauffer says:

    I should have been a little clearer in my earlier comment. Jeremy’s method of connecting works perfectly fine. I posted mine as an alternative based on two issues I was having. One, I wanted to do Authorization via an AD group. Right now svn is limited to using an authorization file. In a large enterprise I want to be able to do both Authentication AND authorization via AD and not have to go around editing text files every time a new user wants access to a repository. Hopefully the next release of svn will add this functionality. The other thing this method does is get rid of an svn ‘nuisance’ where attempting to browse the /repos parent path generates a page cannot be displayed error. Posts on other sites recommend a workaround of changing the Location directive to Location /repos/ but you have to remember to add the trailing / when you use the url. The point here is that Jeremy’s description works well if you don’t mind having to maintain an authorization file and it uses a pretty standard apache module. The alternative uses a non-standard apache module and can cause a little confusion so I apologize if I wasn’t clear in my earlier post. I think the biggest problem people have is connecting/binding/searching AD so I would highly recommend you look at jxplorer or some other LDAP browser. If you are having problems binding to the AD using this tool it probably explains why you can’t get the configuration to work. Depending on how your windows guys setup AD that AuthLDAPBindDN could be pretty long. Assuming the bind was successful and port number correct the only thing you need to change about the AuthLDAPURL is the “DC=your,DC=domain”. The sAMAccountName is one of many available AD fields associated with your record. You probably want to browse to your record and verify what information is stored in that field and if you need to use something different. As I mentioned earlier our CN’s are “firstname, lastname” so the bind was tricky because you had to use firstname\, lastname to escape out the comma but the sAMAccountName was FirstInitialFirstX#LettersOfLastName. That’s why you should browse AD first to see what values you should be binding with versus entering into the username/password dialog when you browse to the repos.

  10. Michel,
    Thanks for making this information public knowledge. On a side-note, the offerings from CollabNet [1] also include Apache with LDAP and SSL functionality.
    Take care,
    Jeremy
    [1] http://downloads.open.collab.net

  11. Mike says:

    Hi All,
    Everyone is facing the problem of integration of apache/Subversion with Active directory. I found the document with complete package and it takes only 5-10 mins to install. You can also use the same and if any problem, Logon to http://forum.opensourcedevelopment.net, It is really very good.
    Path is:- http://opensourcedevelopment.net/text-tutorials/apache-subversion-active-directory.html
    Regards
    Mike

  12. RObart says:

    Thanks Mike, for link it is working for me

  13. David Drolet says:

    I have been looking for an answer to a problem for a while.
    I filter on samaccountname
    the dn contains cn=”lastname, firstname”,…
    Some users can bind with their password and others can’t.
    I have noticed that the ones that have different first names in samaccountname and cn aren’t working.
    example
    john.smith samaccountname
    smith, Johnathan CN
    won’t authenticate
    But
    david.smith samaccountname
    smith, david CN
    authenticates correctly
    anyway suggestions on how to handle this issue.
    Thanks,
    David

  14. David,
    Can you take this offline in our support forums? It would be great to know more about this issue. In the forum post, can you provide the following:
    AuthLDAPURL from the Apache configuration file
    The exact scenario where it works, including username used and LDAP CN
    The exact scenario where it fails, including username used and LDAP CN
    Just in case you cannot find the forums, here is the one most applicable:
    http://subversion.open.collab.net/servlets/ForumMessageList?forumID=42
    Take care,
    Jeremy

  15. Anthony says:

    Is there anyway to get bind Active Directory with Apache without having the AuthLDAPBindPassword stored in cleartext in the httpd.conf because this seems as if it could result in some security issues.

  16. Joachim Nilsson says:

    Anthony, yes there is a different way. You can use Winbind to join a corporate AD, which PAM can make use of, which in turn enables you to use “AuthPAM_Enabled” in your dav_svn.conf.

  17. Anthony says:

    Well, I’m not using a Linux machine to set this up. And mostly what I’m seeing is that Winbind is a tool on Linux machines to help integrate Linux machines into Windows environments. If you could point me in the right direction with a link…that’d be great.

  18. David Simon says:

    I’ve been googling for the ability to avoid the initial search phase in mod_authz_ldap and simply bind to the ldap directory with information supplied by the user through the basic-auth credentials.
    I would have assumed this to be the preferred method of authenticating a user, in terms of performance (1 stage of connection, auth, and search removed) and obviously security, but all articles I’ve found, like the above, require either an anonymously available directory or credentials (and clear text at that) embedded in the config?
    This strikes me as rather peculiar, so I’m assuming I’ve missed something blatantly obvious that everyone else seems to know?
    Would someone help a poor man out and enlighten me.
    Thanks. 🙂

  19. Sebastian says:

    Hey Guys,
    our Dev team is moving to subversion, and I’m doing the ldap auth.
    The configuration on top nearly works for me, but:
    on entering the correct username and password, nothing happens. the popup with password request appears again. Apache2 logfile says nothing, and AD logfile says: User access granted.
    On typing a false password, apache log says: user denied.
    So I assume, that the Apache config works well, or not?
    Any ideas?
    Thanks.

  20. Anil Desai says:

    Here I installed both apache and subversion. Also I created some users with the htpasswd command, but the problem is that all users are able to access all repositories, and I want to limit access…
    Suppose I create one repository like “ProjectOne” and I have to give access to this repository only to user “rock”, then what do I have to do? Please help me.

  21. Pere Cortada says:

    Anil, the access privileges for anonymous users are set in the conf directory inside your repository directory
    Search for the line
    anon-access = read
    and change for
    anon-access = none
    I think it’s the simplest way. Somebody knows another form to make this?

  22. Paul Hatcher says:

    I’m just trying this out, and the Apache config appears ok, unfortunately, it never authenticates me, but does allow read and write to the repository 🙁
    Any ideas about how to debug this?
    Paul

  23. Paul,
    Paste your directive. It sounds like you are missing “Require valid-user”
    Mark

  24. Joe Chiang says:

    this article is not for people who use apache 2.2 httpd
    because of the update for mod_auth_ldap (changed to mod_authz_ldap in apache2.2)
    http://httpd.apache.org/docs/2.2/new_features_2_2.html#module
    so in the dav_svn.conf file it should’ve been this
    #AuthzLDAPAuthoritative off
    and NOT (notice the Z)
    #AuthLDAPAuthoritative off
    it has to be OFF for apache 2.2
    here is some other lines in dav_svn.conf, i have edited
    #AuthLDAPURL “ldap://192.168.1.1:389/OU=People,DC=google,DC=com?uid?sub?(objectClass=*)”
    #AuthBasicProvider ldap
    finally got mine to work
    after about 6 hours of work
    i hope this will save other people’s time

  25. Márcio Luciano Donada says:

    Hi Jeremy,
    The implementation of the ldap authenticated is not functional.

  26. Marcio,
    Yes, I know. It was originally published when we were still suggesting Subversion use Apache 2.0.x. When Apache 2.2.x was released, there were changes to things like the LDAP stuff that cause the configuration above to no longer work. A little reading of the Apache documentation should help translate this 2.0.x stuff to 2.2.x. Maybe I should just come out with an updated blog entry with both 2.0.x and 2.2.x outlined…
    Take care,
    Jeremy
    P.S. – Further discussion of this topic should be done in the Subversion Server forum on subversion.open.collab.net. (http://subversion.open.collab.net/ds/viewForumSummary.do?dsForumId=3)

  27. Luxspes says:

    With Collabnet SVB 1.5 it crashes: Aplicación con errores: httpd.exe, versión: 2.2.8.0, módulo con error: wldap32.dll, versión 5.1.2600.2180, dirección de error 0x00006d07.
    Any hints?

  28. Vic says:

    I finally got it to work by copying the mod_authnz_ldap.so and mod_ldap.so from apache 2.2.9 and putting them into the 2.2.8 httpd/modules directory.
    –Vic

  29. Sameer says:

    I am able to connect and authenticate through LDAP, but everyone authenticated can access the whole repository. Can I create user groups and restrict them to different levels when I am authenticating through LDAP?
    – Sameer

  30. Matt Doar says:

    Well, here’s what worked with CollabNet Subversion 1.5.2 on CentOS 4.6
    authenticating against Active Directory.
    Jeremy – yes, I think it’s time for a new blog post about Subversion 1.5.2 since lots of people seem to have been led down the wrong path by the outdated information here.
    ~Matt
    This is conf/collabnet_subversion_httpd.conf, missing the location elements that were stripped by this blog.
    ServerName svn.yourcompany.com:443
    Listen 443
    User apache
    Group apache
    #LogLevel debug
    # Enable Subversion
    DAV svn
    # Directory containing all repository for this path
    SVNParentPath /data/mysvnroot
    AuthType Basic
    AuthName "Subversion repositories"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://your_ad_server:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
    # Active Directory requires an authenticating DN to access records
    # This is the DN used to bind to the directory service
    # This is an Active Directory user account
    AuthLDAPBindDN "CN=…,DC=dusthq,DC=dust-inc,DC=com"
    # This is the password for the AuthLDAPBindDN user in Active Directory
    AuthLDAPBindPassword secret
    # Tell Apache not to use LDAP for authorization information
    AuthzLDAPAuthoritative off
    # Where the authorization file is located
    AuthzSVNAccessFile /etc/opt/CollabNet_Subversion/conf/svn_access_file
    # Use https only
    SSLRequireSSL
    Require valid-user
    The rest of the process was as follows:
    1. Install Subversion
    On 9/17/08 I used:
    CollabNetSubversion-client-1.5.2-1.i386.rpm
    CollabNetSubversion-extras-1.5.2-1.i386.rpm
    CollabNetSubversion-server-1.5.2-1.i386.rpm
    $ sudo rpm -Uvh CollabNetSubversion*1.5.2*.rpm
    This installs the necessary files in /opt/CollabNet_Subversion and
    /etc/opt/CollabNet_Subversion. Log files will be in
    /var/opt/CollabNet_Subversion by default.
    2. Configure for http access
    In /etc/opt/CollabNet_Subversion/conf as the user for apache and modify
    collabnet_subversion_httpd.conf.
    3. Install an SSL Certificate
    I also tweaked httpd.conf and extras/httpd-ssl.conf for https
    I followed the steps at http://www.cb1inc.com/2007/05/13/creating-self-signed-certs-on-apache-2.2 which were
    $ mkdir mycerts
    $ cd mycerts
    $ openssl genrsa -out mycert.key 1024
    $ openssl req -new -key mycert.key -out mycert.csr
    $ openssl x509 -req -days 1000 -in mycert.csr -signkey mycert.key -out mycert.cert
    $ cp mycert.key /etc/opt/CollabNet_Subversion/conf/server.key
    $ cp mycert.cert /etc/opt/CollabNet_Subversion/conf/server.crt
    4. Start Apache
    sudo /etc/init.d/collabnet_subversion start
    This is using Apache 2.2
    5. Check the log files in /var/opt/CollabNet_Subversion/logs
    Expect to see warnings about authentication being rejected since
    mod_dav_svn checks authentication once against AD without a password (?)
    6. Check the authorization in /etc/opt/CollabNet_Subversion/conf/svn_auth_file
    7. Test access
    Browse to https://svn.yourcompany.com/your_repo
    You should be warned about a self-signed certificate. Accept the
    certificate as trusted. Then enter your AD userid and password and you
    should see a listing of the files in the scratch repository.
    == Troubleshooting ==
    a) Check the error log in /var/opt/CollabNet_Subversion/logs
    b) Open up port 80 and try http instead of https
    c) Comment out all but the DAV and SVNParentPath from the collabnet_subversion_httpd.conf file and retry

  31. Imran says:

    Hey there,
    I am trying to setup apache2.x+svn+ldap(MS Active Directory). I want to use existing users from my active directory. Server is window 20003 and client machines are running Windows XP.
    I created my repositories and I have svnserve as service already. (functional)
    However, I hate the fact i will have to maintain a separate list of users and passwords.
    So far I have Apache 2.x installed on a windows 2003 server box.
    I attempted to modify the httpd file based on the stuff above but apache 2.0 will not start.
    Can someone please assist me in this matter?
    When I look at my active directory structure I have the following format…
    pp.domain.org [main starting point]
    -Users
    -Groups
    -SomeGroup
    —-somefolder1
    —-somefolder2
    ——*subversion [this is the username I supply in my config]
    I think the following line is where my error is happening
    AuthLDAPURL "ldap://pp.domain.org:389/DC=pp,DC=domain,DC=org?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=subversion,CN=somefolder2,CN=SomeGroup,DC=pp,DC=domain,DC=org"
    Regards,
    i.s

  32. Saurabh says:

    Hi Guys,
    I have done everything as Instructed.However I am not getting the Prompt to do the repository.
    NameVirtualHost *:8080
    DocumentRoot C:\svn_repository
    ServerName http://domain.com
    ErrorLog "C:\Program Files\Apache Software Foundation\Apache2.2\logs\error.log"
    LogLevel warn
    CustomLog "C:\Program Files\Apache Software Foundation\Apache2.2\logs\access.log" combined
    ServerSignature On
    DAV svn
    SVNParentPath C:\svn_repository
    SVNListParentPath on
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPBindDN CN=Administrator,DC=domain,DC=com
    AuthLDAPBindPassword password
    AuthLDAPURL "ldap://server.address:3268/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
    require valid-user
    Please tell me if I need to add something else to this to make it work.I have written this in a separate file called Subversion.conf and included that in the end of Httpd.conf.
    Thanks
    Saurabh

  33. Leandro says:

    Hello everyone,
    Like others have shown in this thread, I have been able to get Apache+SVN+LDAP to work for the initial authentication to the SVN server through Apache (my example is for Active Directory LDAP):
    <Location /svn>
    DAV svn
    SVNParentPath /var/www/svn
    SVNListParentPath On
    # Require SSL connection for password protection.
    # SSLRequireSSL
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "My Subversion Server"
    AuthLDAPURL "ldap://ldapserver.mydomain.com:389/ou=User,ou=mydomain,ou=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN cn=binduser,ou=User,ou=mydomain,ou=com
    AuthLDAPBindPassword *******
    AuthLDAPGroupAttribute memberOf
    AuthzLDAPAuthoritative Off
    Require valid-user
    </Location>
    But I am running into another problem which I haven’t seen an answer to. As is probably typical, I would like to restrict access to particular SVN repositories to users which have certain group memberships. I do the following additional configuration:
    <Location /svn/Repository1>
    Require ldap-group CN=mygroup,OU=Group,OU=mydomain,OU=com
    </Location>
    And I get this error when I try to access that particular SVN repository via the web browser:
    “access to /svn/Repository1/ failed, reason: require directives present and no Authoritative handler.”
    From what I understand and containers do inheritance of directives from parent and containers so I shouldn’t need to duplicate all the config.
    Does someone have any idea how to properly configure custom tailored access to particular SVN repositories?
    thank you for the help,
    leandro

  34. Doug says:

    I’m struggling like others to get 1.5.0 working with Active Directory. Can someone post a list of modules they are using in their httpd.conf. I have the following but I can’t get authenticated. I’m prompted for an ID and password but it won’t accept anything.
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

  35. Antoine says:

    Hello all,
    anyone have examples on setting up ldap on a Solaris 10 box ?
    Thanks in advanced,
    Antoine

  36. Rob Bruce says:

    Saurabh
    Use member instead of memberOf. What happens is that the group dn is looked up and then the user’s dn is checked to see if it exists within the group property, so in the case of active directory, this is member. I tried memberOf first, expecting it to look at for the group dn in the user’s memberOf list, but apparently not.

  37. michael says:

    The info submitted by “Sameer | August 01, 2008 at 12:58 AM” works great. Our environment is RHEL 4.5, and I used the 1.5.0 version of Collabnet Subversion.
    One thing I noticed is that I did not need to use AuthLDAPBindDN (I guess our AD allows anonymous bind for searches), so I commented out the following:
    # Active Directory requires an authenticating DN to access records
    # This is the DN used to bind to the directory service
    # This is an Active Directory user account
    #AuthLDAPBindDN “CN=…,DC=dusthq,DC=dust-inc,DC=com”
    # This is the password for the AuthLDAPBindDN user in Active Directory
    #AuthLDAPBindPassword secret
    I like to keep the configs as simple as possible, and not have usernames and passwords in config files if I can avoid it.
    Thanks so much for posting all this info!
    michael

  38. michael says:

    Correction… It was this post I was following –> “Matt Doar | September 17, 2008 at 03:36 PM”

  39. Chiranjeevi GK says:

    i have configured the SVN for the http:// access using apache
    i want some help regarding Look and feel which is giving default is not looking good. I want to change that please help me.

  40. yanok says:

    My configuration was working with apache 2.2.8 + svn 1.4.6, I updated to apache 2.2.10 + svn 1.5.4 and the authentication stopped working while throwing a authentication failed; URI /repository/main [ldap_search_ext_s() for user failed][Operations Error] and a 500 Internal Server Error page…
    DAV svn
    SVNParentPath f:/svnrepositories
    SVNIndexXSLT "/repos-web/view/repos.xsl"
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "[GPI] Repositorio Subversion"
    AuthzLDAPAuthoritative off
    AuthLDAPBindDN "ad.user@dproject.com"
    AuthLDAPBindPassword uF2SODWAHiW0e
    AuthLDAPURL "ldap://10.0.0.3:389/DC=dproject,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
    AuthzSVNAccessFile f:/svnrepositories/global_authz_options
    #
    Require valid-user
    #
    Does anyone have an idea about whats happening here???
    Thnx!!!

  41. yanok says:

    By the way Chiranjeevi GK u can use the one I do… http://www.reposstyle.com/ there are download links and how to information.
    Regards.

  42. Naraio is LAMP like software. It contains Apache, MySQL, PHP, Perl, Openssl, Phpmyadmin, OpenLDAP, Subversion, Ruby, Python, Phpldapadmin, and Trac. Trac and Subversion are authenticates user with integrated ldap. Naraio is easy, secure and flexible.
    WebSite:-http://sourceforge.net/projects/naraio/

  43. Another option for those of you who’d like web-based administration would be to use Atlassian’s Crowd.
    The connector also allows you to integrate groups from LDAP on top of password integration.
    http://confluence.atlassian.com/display/CROWD/Integrating+Crowd+with+Subversion

  44. Alain O'Dea says:

    LDAP is a PITA and not worth the trouble if you can use Windows authentication mechanisms directly. The mod_auth_sspi SSPI Apache authentication module provides an easy way to configure and support ActiveDirectory authentication without the security risks and maintenance problems of having a plain-text password in a configuration file.
    Although I generally prefer Linux for server operations, the security disadvantages and configuration complexity of Apache LDAP far outweigh the technical merits of underlying system. Why put in the work and glue to use a standard interface when you can far more easily use a proprietary one purpose built to authenticate against ActiveDirectory? mod_auth_sspi is far easier to configure for ActiveDirectory than LDAP and supports some compelling features like NTLM single sign-on.
    I have published a comprehensive step-by-step how-to that takes a bare Windows Server install and turns it into a fully functional Subversion server with SSL and ActiveDirectory authentication.

  45. Alain O'Dea says:

    Comment system ate my link 🙁
    My alternative solution using mod_auth_sspi to authenticate to ActiveDirectory is at the following link:
    http://concise-software.blogspot.com/2009/02/instant-windows-svn-server-with-ssl-and.html

  46. Alain,
    There is nothing about using LDAP that makes it more or less difficult than other systems. The usual problem is people resort to Googling for some article to copy/paste/refactor and don’t know what they are doing. You end up with a problem you can’t fix because you don’t understand the configuration parts. I have an updated Subversion with Apache and LDAP blog entry coming out today. Stay tuned to find out how easy it really can be once you have an article that explains things.
    Take care,
    Jeremy

  47. Guillermo Castellon says:

    How do I obtain the LDAP modules that will work with collabnet’s rpm?
    I made it work building my own apache with the apr build with the ldap option but when I integrate these modules into your own packaged apache it doesn’t work because I think the aprs that come with the Collabnets rpms are not built with open ldap. I must say I got it working but using apache on its own not with collabnet’s packaged one. How can you make this a lot effortless?
    Any thoughts?
    Guillermo

  48. Guillermo,
    The LDAP modules are built statically into the Apache executable so there is no shared module to obtain. No need to load said modules either.
    Take care,
    Jeremy

  49. Guillermo Castellon says:

    Jeremy:
    I think I posted my problem in the wrong blog. This question is for the latest apache 2.2.13 that is packaged with the latest rpms.
    In that article you mention that we need this:
    # Load Apache LDAP modules
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    However, the new SVN 1.6.5 installed from the rpms doesn’t recognize that LDAP binding without the LDAP mods being in the modules. As mentioned before I had to build them from scratch into the latest http-2.2.13 server but when I share them into the collabnet location: /opt/CollabNet_Subversion/modules the http server packaged with the latest redhat binaries they don’t work. So what I have to do is run apache on its own. However, I like to use the one is provided inside the latest redhat rpms. This way I can use all the cool functionality that comes with the configuration setup. I hope that I making sense 🙂
    Guillermo

  50. Guillermo Castellon says:

    I see what you are telling… All I had to do was remove the following:
    ” Load Apache LDAP modules
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so”
    As you mentioned, it is statically built and therefore I guess it is not needed.
    I like to see how much this has come around. Nice 🙂

  51. Vishal says:

    Nice article, well elaborated.

    Just some additional info-

    here is the link to install SVN with ldap and ssl on ubuntu from source.
    http://www.scmtechblog.net/2013/12/svn-installation-with-ldap-swig-with-ssl.html

    partitioning your SVNROOT
    http://www.scmtechblog.net/2014/01/clusterpartitioning-of-svn-root.html

    ViewVC installation and configuration
    http://www.scmtechblog.net/2013/12/viewvc-installation-for-svn.html
