SVN Authentication and Authorization: Admin Guide

This document provides a guide for configuring authentication and authorization of SVN users via Active Directory and OpenLDAP using an Apache web server module and MySQL database. It describes compiling and installing the mod_authz_svn_db Apache module, configuring Apache to authenticate against LDAP servers and authorize access using a MySQL database based on the repository and user. The full configuration specifies LDAP aliases, Apache location settings, and an example Apache configuration file.

Admin Guide

SVN Authentication and Authorization


Authentication and Authorization of SVN Users
via Active Directory and OpenLDAP

Gerard Bieli, Christian Haller

Windisch, 14th August 2009

Contents
1 Prerequisites
2 Compilation and installation of the Apache Module
3 Configuration
3.1 Creating the SVN repository or repositories
3.2 Creating the database
3.3 Loading the required Apache modules
3.4 Configuring the Apache web server
3.4.1 Defining the LDAP aliases
3.4.2 Configuring the Apache Location for the SVN repository
3.4.3 Entering the global server commands for LDAP over SSL/TLS
3.4.4 The full Apache SVN example configuration

Abstract
This document contains a guide for administrators to implement a solution for SVN LDAP authentication and authorisation with the help of a database. This solution was tested on a Linux server with Kernel version 2.6.26.
The solution consists of:
Secure SSL Authentication against more than one non-redundant LDAP Server.
Secure SSL Authentication against redundant Active Directory Domain Controllers.
SVN Authorisation with the help of a MySQL Database.
The solution uses a non-standard module called mod_authz_svn_db, developed by Christopher Wojno, for the SVN database based authorisation.

Figure 0.1 shows the whole solution in one picture. A user types his or her credentials into the SVN client login fields (1). The SVN client then sends these credentials via HTTP basic auth to the Apache server (2). After receiving the login data, the LDAP module tries to authenticate the user against the LDAP servers (with the help of the alias module) (3). After successful authentication, the module mod_authz_svn_db queries the MySQL database to check whether the user has access rights on the desired repository (4). If the user has the necessary rights, the dav_svn module delivers the SVN data to the client (5 and 6).

[Figure 0.1: Schematic of the whole solution. Components shown: SVN Client; Apache with the Alias Modul, LDAP Modul, Authz SVN DB Modul and DAV SVN Modul; the LDAP back ends OpenLDAP, Active Directory EDU and Active Directory ADM; the Authorization DB; the SVN Repositories. Labelled steps: (1) credentials, (2) HTTP Basic Auth, (3) authenticate user, (4) authorise user, (5) retrieve data from repo, (6) deliver data.]

Figure 0.1: Schematic of the whole solution

mod_authz_svn_db is described by its developer at http://christopher.wojno.com/articles/2007/08/19/what-is-mod_authz_svn_db

1 Prerequisites
To successfully implement the solution described in this document, it is assumed that the reader has basic knowledge of Linux systems administration. This includes:
Installation of packages via apt.
Being familiar with the bash shell.
In order to successfully implement the configuration specified in this document, there are some system requirements to cover.
It is assumed that the Apache web server runs on Debian 5 32-bit Linux with Kernel 2.6.26-1-686 or later. The module compilation has not been tested on 64-bit systems or Windows. Since the Apache module framework should be platform independent, it might also work on these systems. In order to implement an LDAP authentication system, a working OpenLDAP, Active Directory server or another LDAP server is needed. It is also possible to query multiple non-redundant LDAP servers in a specified order. If a secure SSL/TLS connection is desired, a valid SSL certificate must be available on the LDAP server(s).
All the steps and configurations in this document are intended to be executed on the server on which the Apache web server is installed.
The following Debian packages need to be installed in order to successfully compile the mod_authz_svn_db module:

Package                          Notes
apache2 v2.2.9                   apache server meta package
libapache2-svn v1.5.1            apache svn module
apache2-threaded-dev v2.2.9      apache headers and build tools
libsvn-dev v1.5.1                svn headers
libmysqlclient15-dev v5.0.51a    mysql development libraries and headers
libmysqlclient15off v5.0.51a     mysql client library

To create and manage the SVN repository, the following package should be installed:

Package                          Notes
subversion v1.5.1                svn client, svn administration tool and svn server

To have a MySQL database server available on the same server, the following packages should be installed:

Package                          Notes
mysql-server v5.0.51a            mysql server meta package
phpmyadmin v4:2.11.8.1           php administration platform to manage the database (URL: http://localhost/phpmyadmin)

2 Compilation and installation of the Apache Module
If all the packages in chapter 1 have been installed, the compilation and installation of the module mod_authz_svn_db should work without any difficulties by simply executing the build script from the module's ZIP file.
In order to build the module, follow these instructions:
1. Unzip the mod_authz_svn_db.zip file to /tmp/mod_authz_svn_db.
2. Change to the directory /tmp/mod_authz_svn_db.
3. Execute the build.sh script with root privileges.
The build.sh script builds and installs the module mod_authz_svn_db with the help of the Apache apxs2 tool into the Apache modules folder. If the build and installation process was successful, the directory /usr/lib/apache2/modules should contain the mod_authz_svn_db_mysql.so file.
Listing 2.1 shows the content of the build file.
Listing 2.1: mod_authz_svn_db build script
#!/bin/bash
#stop the apache server
/etc/init.d/apache2 stop
#change to the mysql directory
cd mysql
#compile the module
#note: apxs2 is the apache build helper which is used to build modules. GCC does not work!!!!!
apxs2 -c -I/usr/include/subversion-1 -I.. -L/usr/lib/ -lmysqlclient mod_authz_svn_db_mysql.c
#install the module into the apache modules directory (usually /usr/lib/apache2/modules)
apxs2 -i -e -n authz_svn_db_mysql_module mod_authz_svn_db_mysql.la
#start the server
/etc/init.d/apache2 start
#change to the original directory
cd ..

If the installation was successful, the output on the console should be similar to Listing 2.2.
Listing 2.2: Output of the build script
Stopping web server: apache2.
/usr/share/apr-1.0/build/libtool --silent --mode=compile --tag=disable-static i486-linux-gnu-gcc -prefer-pic -DLINUX=2 -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -D_REENTRANT -I/usr/include/apr-1.0 -I/usr/include/mysql -I/usr/include/openssl -I/usr/include/postgresql -I/usr/include/xmltok -pthread -I/usr/include/apache2 -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -I/usr/include/postgresql -I/usr/include/mysql -I/usr/include/subversion-1 -I.. -c -o mod_authz_svn_db_mysql.lo mod_authz_svn_db_mysql.c && touch mod_authz_svn_db_mysql.slo
/usr/share/apr-1.0/build/libtool --silent --mode=link --tag=disable-static i486-linux-gnu-gcc -o mod_authz_svn_db_mysql.la -L/usr/lib/ -lmysqlclient -rpath /usr/lib/apache2/modules -module -avoid-version mod_authz_svn_db_mysql.lo
/usr/share/apache2/build/instdso.sh SH_LIBTOOL='/usr/share/apr-1.0/build/libtool' mod_authz_svn_db_mysql.la /usr/lib/apache2/modules
/usr/share/apr-1.0/build/libtool --mode=install cp mod_authz_svn_db_mysql.la /usr/lib/apache2/modules/
cp .libs/mod_authz_svn_db_mysql.so /usr/lib/apache2/modules/mod_authz_svn_db_mysql.so
cp .libs/mod_authz_svn_db_mysql.lai /usr/lib/apache2/modules/mod_authz_svn_db_mysql.la
PATH="$PATH:/sbin" ldconfig -n /usr/lib/apache2/modules

Libraries have been installed in:
   /usr/lib/apache2/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.

chmod 644 /usr/lib/apache2/modules/mod_authz_svn_db_mysql.so
Starting web server: apache2.


3 Configuration
This chapter shows how to configure the Apache web server and the database in order to make the
solution fully functional.

3.1 Creating the SVN repository or repositories

To create a new repository called example_rep follow these instructions:
1. Change to the directory where the repository or repositories should be created (e.g. /data).
2. Create an SVN repository with svnadmin create example_rep.
3. Change the owner and the group of the created repository to www-data (chgrp -R and chown -R).

3.2 Creating the database

To create the database on the MySQL server follow these instructions:
1. Connect to the MySQL server either with phpmyadmin (URL: http://localhost/phpmyadmin) or the command line client.
2. Execute the contents of the create_db.sql file contained in the mod_authz_svn_db.zip.
3. Create a database user mod_svn with only SELECT permissions. This user is used by the mod_authz_svn_db module to query the database.
After the successful creation of the database, the MySQL server should have a database called svnperm with seven data tables. Listing 3.1 shows the SQL commands for creating the database with its data tables.
Listing 3.1: Database creation
CREATE DATABASE svnperm DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
USE svnperm;
CREATE TABLE authz_svn_repository
(
  id INT(11) NOT NULL AUTO_INCREMENT,
  name VARCHAR(255) NOT NULL UNIQUE,
  PRIMARY KEY (id),
  INDEX repo_name_idx (name)
) ENGINE=InnoDB;

CREATE TABLE authz_svn_user
(
  id INT(11) NOT NULL AUTO_INCREMENT,
  name VARCHAR(255) NOT NULL UNIQUE,
  PRIMARY KEY (id),
  INDEX user_name_idx (name)
) ENGINE=InnoDB;

CREATE TABLE authz_svn_repopath
(
  id INT(11) NOT NULL AUTO_INCREMENT,
  repository_id INT(11) NOT NULL,
  path VARCHAR(255) NOT NULL,
  PRIMARY KEY (id),
  UNIQUE (repository_id, path),
  FOREIGN KEY repository_id_idx_fk (repository_id) REFERENCES authz_svn_repository (id) ON DELETE CASCADE
) ENGINE=InnoDB;

-- READ and WRITE are reserved words in MySQL, so the three flag columns are quoted with backticks
CREATE TABLE authz_svn_userpermission
(
  user_id INT(11) NOT NULL,
  repository_path_id INT(11) NOT NULL,
  `read` TINYINT(1) NOT NULL,
  `write` TINYINT(1) NOT NULL,
  `recursive` TINYINT(1) NOT NULL,
  PRIMARY KEY (user_id, repository_path_id),
  FOREIGN KEY user_id_idx_fk (user_id) REFERENCES authz_svn_user (id) ON DELETE CASCADE,
  FOREIGN KEY repo_path_id_idx_fk (repository_path_id) REFERENCES authz_svn_repopath (id) ON DELETE CASCADE
) ENGINE=InnoDB;

CREATE TABLE authz_svn_group
(
  id INT(11) NOT NULL AUTO_INCREMENT,
  name VARCHAR(255) NOT NULL UNIQUE,
  PRIMARY KEY (id),
  INDEX group_name_idx (name)
) ENGINE=InnoDB;

CREATE TABLE authz_svn_groupmembership
(
  id INT(11) NOT NULL AUTO_INCREMENT,
  user_id INT(11) NOT NULL,
  group_id INT(11) NOT NULL,
  PRIMARY KEY (id),
  UNIQUE (user_id, group_id),
  FOREIGN KEY user_id_idx_fk (user_id) REFERENCES authz_svn_user (id) ON DELETE CASCADE,
  FOREIGN KEY group_id_idx_fk (group_id) REFERENCES authz_svn_group (id) ON DELETE CASCADE
) ENGINE=InnoDB;

CREATE TABLE authz_svn_grouppermission
(
  id INT(11) NOT NULL AUTO_INCREMENT,
  group_id INT(11) NOT NULL,
  repository_path_id INT(11) NOT NULL,
  `read` TINYINT(1) NOT NULL,
  `write` TINYINT(1) NOT NULL,
  `recursive` TINYINT(1) NOT NULL,
  PRIMARY KEY (id),
  UNIQUE (group_id, repository_path_id),
  FOREIGN KEY repo_path_id_idx_fk (repository_path_id) REFERENCES authz_svn_repopath (id) ON DELETE CASCADE,
  FOREIGN KEY group_id_idx_fk (group_id) REFERENCES authz_svn_group (id) ON DELETE CASCADE
) ENGINE=InnoDB;
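How the seven tables combine into an access decision is easiest to see with data in them. The following Python example is added here and is not part of the original guide or of mod_authz_svn_db: it recreates the schema of Listing 3.1 in an in-memory SQLite database (same table and column names, column types translated to SQLite), inserts a constructed set of users, a group, paths and permissions, and resolves the effective read/write rights of a user on a repository path. The resolution rule it applies (most specific path wins; an entry on an ancestor path only counts when its recursive flag is set; a user entry on the winning path takes precedence over group entries) is an assumption of this example and is not documented on this page; check it against the module's behaviour before relying on it.

```python
import sqlite3

# Schema of Listing 3.1 translated to SQLite (assumption of this example: same table and
# column names as the guide, INTEGER PRIMARY KEY instead of INT(11) AUTO_INCREMENT).
SCHEMA = """
CREATE TABLE authz_svn_repository (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE authz_svn_user       (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE authz_svn_group      (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE authz_svn_repopath (
    id INTEGER PRIMARY KEY, repository_id INTEGER NOT NULL, path TEXT NOT NULL,
    UNIQUE (repository_id, path),
    FOREIGN KEY (repository_id) REFERENCES authz_svn_repository (id) ON DELETE CASCADE);
CREATE TABLE authz_svn_userpermission (
    user_id INTEGER NOT NULL, repository_path_id INTEGER NOT NULL,
    "read" INTEGER NOT NULL, "write" INTEGER NOT NULL, "recursive" INTEGER NOT NULL,
    PRIMARY KEY (user_id, repository_path_id));
CREATE TABLE authz_svn_groupmembership (
    id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, group_id INTEGER NOT NULL,
    UNIQUE (user_id, group_id));
CREATE TABLE authz_svn_grouppermission (
    id INTEGER PRIMARY KEY, group_id INTEGER NOT NULL, repository_path_id INTEGER NOT NULL,
    "read" INTEGER NOT NULL, "write" INTEGER NOT NULL, "recursive" INTEGER NOT NULL,
    UNIQUE (group_id, repository_path_id));
"""

# Constructed sample data: one repository, three users, one group, three paths.
SAMPLE_DATA = """
INSERT INTO authz_svn_repository (id, name) VALUES (1, 'example_rep');
INSERT INTO authz_svn_user (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
INSERT INTO authz_svn_group (id, name) VALUES (1, 'developers');
INSERT INTO authz_svn_groupmembership (user_id, group_id) VALUES (1, 1), (2, 1);
INSERT INTO authz_svn_repopath (id, repository_id, path)
    VALUES (1, 1, '/'), (2, 1, '/trunk'), (3, 1, '/tags');
-- developers: read the whole repository, write under /trunk (both recursive)
INSERT INTO authz_svn_grouppermission (group_id, repository_path_id, "read", "write", "recursive")
    VALUES (1, 1, 1, 0, 1), (1, 2, 1, 1, 1);
-- bob: a personal read-only entry on /trunk; carol: read /tags itself, not its children
INSERT INTO authz_svn_userpermission (user_id, repository_path_id, "read", "write", "recursive")
    VALUES (2, 2, 1, 0, 1), (3, 3, 1, 0, 0);
"""

# All permission rows that can apply to one user in one repository, user rows and
# group rows (via the membership table) alike.
PERMISSION_SQL = """
SELECT p.path, up."read", up."write", up."recursive", 'user'
  FROM authz_svn_userpermission up
  JOIN authz_svn_repopath p ON p.id = up.repository_path_id
  JOIN authz_svn_repository r ON r.id = p.repository_id
  JOIN authz_svn_user u ON u.id = up.user_id
 WHERE u.name = ? AND r.name = ?
UNION ALL
SELECT p.path, gp."read", gp."write", gp."recursive", 'group:' || g.name
  FROM authz_svn_grouppermission gp
  JOIN authz_svn_repopath p ON p.id = gp.repository_path_id
  JOIN authz_svn_repository r ON r.id = p.repository_id
  JOIN authz_svn_group g ON g.id = gp.group_id
  JOIN authz_svn_groupmembership m ON m.group_id = g.id
  JOIN authz_svn_user u ON u.id = m.user_id
 WHERE u.name = ? AND r.name = ?
"""


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript(SAMPLE_DATA)
    return conn


def applicable_entries(conn, user, repo, path):
    """Every user or group entry that covers `path`: the entry's path equals it, or is
    an ancestor of it and the entry is marked recursive."""
    entries = []
    for p, rd, wr, rec, source in conn.execute(PERMISSION_SQL, (user, repo, user, repo)):
        if p == path or (rec and path.startswith(p.rstrip("/") + "/")):
            entries.append((p, bool(rd), bool(wr), source))
    return entries


def effective_permission(conn, user, repo, path):
    """Assumed resolution rule: the most specific covering path wins; on that path a
    user entry takes precedence over group entries; otherwise rights are OR-ed.
    Returns (read, write); nothing covering the path means (False, False)."""
    entries = applicable_entries(conn, user, repo, path)
    if not entries:
        return (False, False)
    deepest = max(len(e[0]) for e in entries)
    winners = [e for e in entries if len(e[0]) == deepest]
    chosen = [e for e in winners if e[3] == "user"] or winners
    return (any(e[1] for e in chosen), any(e[2] for e in chosen))


if __name__ == "__main__":
    db = build_sample_db()
    for who, where in [("alice", "/trunk/src/main.c"), ("bob", "/trunk/src/main.c"),
                       ("carol", "/tags"), ("carol", "/tags/v1")]:
        print(who, where, effective_permission(db, who, "example_rep", where))
```

The sample deliberately includes the two cases that matter most when populating these tables: carol's non-recursive entry on /tags grants nothing on /tags/v1, and bob's personal read-only entry on /trunk is what prevents his group membership from giving him write access there. Whatever precedence the module actually applies, these are the rows to test against a freshly populated database before granting real users access.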

3.3 Loading the required Apache modules

There are certain modules which need to be loaded:
1. Make sure the dav_svn module is activated (which should be the case after installing it via apt).
2. Edit the file /etc/apache2/mods-enabled/dav_svn.load and append the line
LoadModule authz_svn_db_mysql_module /usr/lib/apache2/modules/mod_authz_svn_db_mysql.so
to load the mod_authz_svn_db module. Listing 3.2 shows the new content of the file dav_svn.load.
3. Enable the module mod_authn_alias by executing the command a2enmod authn_alias.
4. Enable the module mod_authnz_ldap by executing the command a2enmod authnz_ldap.
Listing 3.2: Content of the new dav_svn.load
# Depends: dav
LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so
LoadModule authz_svn_db_mysql_module /usr/lib/apache2/modules/mod_authz_svn_db_mysql.so


3.4 Configuring the Apache web server


3.4.1 Defining the LDAP aliases
In the dav_svn.conf file the necessary alias definitions need to be created at the beginning of the file. Listing 3.3 shows the structure of an alias definition for an LDAP connection. Details on the configuration of Apache aliases can be found at http://httpd.apache.org/docs/2.2/mod/mod_authn_alias.html. A complete example configuration is available in chapter 3.4.4.
Listing 3.3: Alias definition
<AuthnProviderAlias ldap alias1>
    AuthLDAPBindDN ...
    AuthLDAPBindPassword ...
    AuthLDAPURL ...
</AuthnProviderAlias>
Table 3.1 shows the common LDAP ports which can be used within the command string of AuthLDAPURL.

Port    Explanation
389     Standard LDAP Port
636     LDAP port for secure SSL connections
3268    Global Catalog port used by Active Directory
3269    Secure Global Catalog port used by Active Directory

Table 3.1: LDAP Ports
3.4.2 Configuring the Apache Location for the SVN repository

After creating the aliases, define a Location. A Location is the part of the URL under which the SVN repository should be accessible. Details about the definition of a Location are available at http://httpd.apache.org/docs/2.2/en/mod/core.html#location.
Listing 3.4 shows the structure of a Location definition. It contains three sections:
1. The SVN section contains the SVN commands or directives defined by the mod_dav_svn module. Details at http://svnbook.red-bean.com/en/1.5/svn-book.html#svn.ref.mod_dav_svn.
2. Details on the authentication section can be found at http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html.
3. This section contains the directives for the mod_authz_svn_db module. All the available directives are explained in Listing 3.5.
Listing 3.4: Location configuration
<Location /example_repo>
    #section 1:
    DAV svn
    SVNPath ...

    #section 2:
    AuthBasicProvider alias1 alias2
    AuthType Basic
    AuthName ...
    require valid-user
    ...

    #section 3:
    AuthzSVNDBHost ...
    AuthzSVNDBPort ...
    AuthzSVNDBName ...
    AuthzSVNDBUsername ...
    AuthzSVNDBPassword ...
</Location>
Listing 3.5 contains part of the readme file of the mod_authz_svn_db module [1]. It was included in this document because it is unknown for how long it will be available on the developer's webpage.
Listing 3.5: mod_authz_svn_db directives
In order to configure mod_authz_svn_db, Apache2 needs to be told how the database is configured. This configuration is read only on boot if you place it in the vhosts configuration files (it is strongly recommended that you do for performance reasons). Although you can put it in the .htaccess files, this practice is strongly discouraged.

AuthzSVNDBAuthoritative <On|Off>
    Optional
    Default: On
    Description: If enabled, mod_authz_svn_db will be the final judge of access authorization. Although other authorization modules may run before it, if mod_authz_svn_db is run, no other modules will be consulted. If set to Off, if the user is not found by mod_authz_svn_db, another authorization module can take over for mod_authz_svn_db.
    Notes: This is really only useful if you want to use mod_authz_svn_db and some other module to authorize users.
    Warnings: None

AuthzSVNDBHost <string>
    Required
    Default: localhost
    Description: This is the host where your database can be contacted. IP addresses are recommended for speed, but you may also use hostnames such as www.wojno.com or localhost
    Notes: None
    Warnings: None

AuthzSVNDBPort <unsigned integer (1-65535)>
    Required
    Default: The default for the database software to which one is connecting.
    Description: This is the port on the AuthzSVNDBHost on which your database is listening for new connections.
    Notes: None
    Warnings: None

[1] http://svn.wojno.com/mod_authz_svn_db/trunk/README

AuthzSVNDBName <string>
    Required
    Default: N/A
    Description: This is the name of the database that contains the authorization tables as described in section V.
    Notes: None
    Warnings: None

AuthzSVNDBUsername <string>
    Required
    Default: N/A
    Description: This is the username used to connect to the database AuthzSVNDBName at AuthzSVNDBHost
    Notes: None
    Warnings: None

AuthzSVNDBPassword <string>
    Optional if AuthzSVNDBPasswordFile used
    Default: N/A
    Description: The password to use when accessing the database (database authentication), overrides the specified password file. It is recommended that a password file be used instead of this directive if the configuration file is publicly visible.
    Notes: See AuthzSVNDBPasswordFile
    Warnings: If the configuration file in which this directive is used is visible to the public, people will be able to see your database password! Use AuthzSVNDBPasswordFile instead!

AuthzSVNDBUserTable <string>
    Optional
    Default: authz_svn_user
    Description: The name of the table in AuthzSVNDBName that contains the list of users (see section V)
    Notes: None
    Warnings: None

AuthzSVNDBUserColumn <string>
    Optional
    Default: name
    Description: The name of the column in AuthzSVNDBUserColumn that contains the name of the users
    Notes: See Section V
    Warnings: None

AuthzSVNDBUserIDColumn <string>
    Optional
    Default: id
    Description: The name of the column in AuthzSVNDBUserColumn that contains the numeric ID of the users
    Notes: If your database does not have IDs for every user, then your database designer needs to be fired. This is a required part of the database.
    Notes: See Section V
    Warnings: None

AuthzSVNDBRepositoryTable <string>
    Optional
    Default: authz_svn_repository
    Description: The name of the table in AuthzSVNDBName that contains the list of repository names (not paths)
    Notes: See Section V
    Warnings: None

AuthzSVNDBRepositoryColumn <string>
    Optional
    Default: name
    Description: The name of the column in AuthzSVNDBUserColumn that contains the name of the repositories
    Notes: See Section V
    Warnings: None

AuthzSVNDBRepositoryIDColumn <string>
    Optional
    Default: id
    Description: The name of the column in AuthzSVNDBUserColumn that contains the numeric ID of the repositories
    Notes: See Section V
    Warnings: None

AuthzSVNDBGroupMembershipTable <string>
    Optional
    Default: authz_svn_groupmembership
    Description: The name of the table in AuthzSVNDBName that contains the matching of user IDs and group IDs indicating membership in a group
    Notes: See Section V
    Warnings: None

AuthzSVNDBGroupMembershipUserColumn <string>
    Optional
    Default: user_id
    Description: The name of the user column in the group membership database. This is where the user id is specified to link users to groups.
    Notes: See Section V
    Warnings: None

AuthzSVNDBGroupMembershipGroupColumn <string>
    Optional
    Default: group_id
    Description: The name of the group column in the group membership database. This is where the group id is specified to link users to groups.
    Notes: See Section V
    Warnings: None

AuthzSVNDBUPermissionTable <string>
    Optional
    Default: authz_svn_userpermission
    Description: The name of the table where user-level permissions (R/W/Recursive) are stored. This table contains the data to allow Apache to grant and reject individual users from accessing a particular repository.
    Notes: See Section V
    Warnings: None

AuthzSVNDBUPermissionUserColumn <string>
    Optional
    Default: user_id
    Description: This is where the user's id is stored in the user permission table and links users to repositories.
    Notes: See Section V
    Warnings: None

AuthzSVNDBUPermissionPathColumn <string>
    Optional
    Default: repository_id
    Description: This is where the repository's id is stored in the user permission table and links users to repositories.
    Notes: See Section V
    Warnings: None

AuthzSVNDBUPermissionReadColumn <string>
    Optional
    Default: read
    Description: This is the name of the column in the database that grants or revokes the ability of a user to read a repository.
    Notes: See Section V
    Warnings: None

AuthzSVNDBUPermissionWriteColumn <string>
    Optional
    Default: write
    Description: This is the name of the column in the database that grants or revokes the ability of a user to write to a repository.
    Notes: See Section V
    Warnings: None

AuthzSVNDBUPermissionRecursiveColumn <string>
    Optional
    Default: recursive
    Description: This is the name of the column in the database that controls whether a user's permissions are to be propagated to child directories in a repository.
    Notes: See Section V
    Warnings: None

AuthzSVNDBGPermissionTable <string>
    Optional
    Default: authz_svn_grouppermission
    Description: The name of the table where group-level permissions (R/W/Recursive) are stored. This table contains the data to allow Apache to grant and reject groups from accessing a particular repository.
    Notes: See Section V
    Warnings: None

AuthzSVNDBGPermissionGroupColumn <string>
    Optional
    Default: group_id
    Description: This is where the group's id is stored in the group permission table and links groups to repositories.
    Notes: See Section V
    Warnings: None

AuthzSVNDBGPermissionPathColumn <string>
    Optional
    Default: repository_id
    Description: This is where the repository's id is stored in the group permission table and links groups to repositories.
    Notes: See Section V
    Warnings: None

AuthzSVNDBGPermissionReadColumn <string>
    Optional
    Default: read
    Description: This is the name of the column in the database that grants or revokes the ability of a group to read a repository.
    Notes: See Section V
    Warnings: None

AuthzSVNDBGPermissionWriteColumn <string>
    Optional
    Default: write
    Description: This is the name of the column in the database that grants or revokes the ability of a group to write to a repository.
    Notes: See Section V
    Warnings: None

AuthzSVNDBGPermissionRecursiveColumn <string>
    Optional
    Default: recursive
    Description: This is the name of the column in the database that controls whether a group's permissions are to be propagated to child directories in a repository.
    Notes: See Section V
    Warnings: None

AuthzSVNDBRepoPathTable <string>
    Optional
    Default: authz_svn_repopath
    Description: The table name for that table that contains a listing of all repository paths for apache to serve. Such paths are available as URIs appended to the Apache server URL. I.E. if the authz SVN DAV parent path is located at: http://svn.server.com/svndav and one of the repository paths is myproject, then one may specify: http://svn.server.com/svndav/myproject to access the repository.
    Notes: See Section V
    Warnings: None

AuthzSVNDBRepoPathPathColumn <string>
    Optional
    Default: path
    Description: The column in the table that stores the string path to the repository, or a sub-directory within the repository. Therefore, any sub-directories within a repository can be explicitly named here. Once named, user and group permissions can be applied to those paths.
    Notes: See Section V
    Warnings: None

AuthzSVNDBRepoPathRepositoryColumn <string>
    Optional
    Default: repository_id
    Description: The column that stores the target repository id to which the path is linked and within which the path is contained. I.E. if the repository myproject has branch, trunk, and tag, the AuthzSVNDBRepoPathPathColumn can be /trunk or /branch.
    Notes: See Section V
    Warnings: None

AuthzSVNDBRepoPathIDColumn <string>
    Optional
    Default: id
    Description: The name of the primary key index column for the Path table. If your database does not have one, fire your database designer. All tables need primary keys.
    Notes: See Section V
    Warnings: None

AuthzSVNDBPasswordFile <string>
    Optional
    Default: NULL (Not used)
    Description: This is a fall back in the event a flat file is to be used for authentication. Please note, using this file may help debug the installation of the module, but is a security risk as all passwords must be stored in plain text. It is recommended that this file be used only for development and only be readable to an administrator and Apache.
    Notes: See Section V
    Warnings: Using a password file is a security risk! Use only for development and ensure the target file is readable, writeable, and executable only by root and Apache's user.

3.4.3 Entering the global server commands for LDAP over SSL/TLS
If an SSL/TLS connection to the LDAP servers is needed and a self-signed certificate is used, a few global commands are necessary. There are two possibilities when using a self-signed certificate: either the certificate verification is turned off with the global command LDAPVerifyServerCert Off, or the path to the certificate of the SSL certificate authority (CA) must be specified with the command LDAPTrustedGlobalCert <cert type> <cert path>.

3.4.4 The full Apache SVN example configuration

Listing 3.6: Content of the httpd.conf file
LDAPVerifyServerCert On
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/cert/cacert.pem

Listing 3.7: Content of the dav_svn.conf file
<AuthnProviderAlias ldap openldap>
    #
    #Authentication data for the OpenLDAP server
    #
    AuthLDAPBindDN CN=admin,dc=imvs,dc=technik,dc=fhnw,dc=ch
    AuthLDAPBindPassword pw
    AuthLDAPURL ldap://localhost:389/DC=imvs,DC=technik,DC=fhnw,DC=ch?cn?sub?(objectClass=person) NONE
</AuthnProviderAlias>

<AuthnProviderAlias ldap adstud>
    #
    #Authentication data for the edu domain
    #
    #For AD, a bind DN and password is necessary because anonymous binding isn't allowed for searching
    AuthLDAPBindDN user@edu.ds.fhnw.ch
    AuthLDAPBindPassword pw
    #check the two redundant domain controllers
    #3269 is the global catalog ssl server port.
    #(a URL naming more than one host must be quoted, as here)
    AuthLDAPURL "ldap://dsemu11.edu.ds.fhnw.ch:3269 dsemu12.edu.ds.fhnw.ch:636/ou=edu,ou=prod,DC=edu,DC=ds,DC=fhnw,DC=ch?mail?sub?(objectClass=person)" SSL
</AuthnProviderAlias>

<AuthnProviderAlias ldap adadm>
    #
    #Authentication data for the adm domain
    #
    #For AD, a bind DN and password is necessary because anonymous binding isn't allowed for searching
    AuthLDAPBindDN user@edu.ds.fhnw.ch
    AuthLDAPBindPassword pw
    AuthLDAPURL "ldap://dsamu11.ict.fhnw.ch:636 dsamu12.ict.fhnw.ch:636/OU=adm,OU=Prod,DC=adm,DC=ds,DC=fhnw,DC=ch?mail?sub?(objectClass=person)" SSL
</AuthnProviderAlias>

<Location /example_repo>
    #SVN section:
    DAV svn
    SVNPath /data/example_repo
    #Authentication section
    AuthBasicProvider openldap adstud adadm
    AuthType Basic
    AuthName "For accessing the repository, an authentication is needed"
    require valid-user
    #Authorization
    AuthzSVNDBHost localhost
    AuthzSVNDBPort 3306
    AuthzSVNDBName svnperm
    AuthzSVNDBUsername svn_mod
    AuthzSVNDBPassword pw
</Location>
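The example configuration above contains the settings a reviewer checks first: whether LDAP certificate verification is on (section 3.4.3; with LDAPVerifyServerCert Off Apache accepts whatever certificate the LDAP server presents), whether each alias talks to its LDAP servers over SSL/TLS so the bind password and the users' credentials are not sent in cleartext, whether every alias named in AuthBasicProvider is actually defined, and whether the database password sits inline in the file (the module's README above recommends AuthzSVNDBPasswordFile when the file is visible). The following Python script is an added example, not part of this guide or of mod_authz_svn_db: it parses AuthnProviderAlias and Location containers with a small line-based parser and reports those findings. The embedded configuration is a constructed copy of Listings 3.6 and 3.7 with two deliberate defects (LDAPVerifyServerCert Off, and the adadm alias referenced but not defined); host names and the placeholder password pw are the page's own.

```python
import shlex

# Constructed sample: Listings 3.6 and 3.7 of the guide, with two deliberate defects so
# the check has something to find: LDAPVerifyServerCert Off, and the adadm alias is
# referenced by AuthBasicProvider but its definition is missing.
SAMPLE_CONF = """
LDAPVerifyServerCert Off
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/cert/cacert.pem

<AuthnProviderAlias ldap openldap>
    #Authentication data for the OpenLDAP server
    AuthLDAPBindDN CN=admin,dc=imvs,dc=technik,dc=fhnw,dc=ch
    AuthLDAPBindPassword pw
    AuthLDAPURL ldap://localhost:389/DC=imvs,DC=technik,DC=fhnw,DC=ch?cn?sub?(objectClass=person) NONE
</AuthnProviderAlias>

<AuthnProviderAlias ldap adstud>
    AuthLDAPBindDN user@edu.ds.fhnw.ch
    AuthLDAPBindPassword pw
    AuthLDAPURL "ldap://dsemu11.edu.ds.fhnw.ch:3269 dsemu12.edu.ds.fhnw.ch:636/ou=edu,ou=prod,DC=edu,DC=ds,DC=fhnw,DC=ch?mail?sub?(objectClass=person)" SSL
</AuthnProviderAlias>

<Location /example_repo>
    DAV svn
    SVNPath /data/example_repo
    AuthBasicProvider openldap adstud adadm
    AuthType Basic
    AuthName "For accessing the repository, an authentication is needed"
    require valid-user
    AuthzSVNDBHost localhost
    AuthzSVNDBPort 3306
    AuthzSVNDBName svnperm
    AuthzSVNDBUsername svn_mod
    AuthzSVNDBPassword pw
</Location>
"""

LOCAL_HOSTS = ("localhost", "127.0.0.1")


def parse_conf(text):
    """Minimal parser for the subset of Apache syntax used here: global directives,
    <AuthnProviderAlias ldap NAME> and <Location PATH> containers, one directive per
    line, last occurrence wins. Returns (globals, aliases, locations) as dicts mapping
    the lower-cased directive name to its argument list."""
    glob, aliases, locations = {}, {}, {}
    current = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            current = glob
            continue
        if line.startswith("<"):
            head = shlex.split(line.strip("<>"))
            if head[0].lower() == "authnprovideralias" and len(head) == 3:
                current = aliases.setdefault(head[2], {})
            elif head[0].lower() == "location" and len(head) == 2:
                current = locations.setdefault(head[1], {})
            else:
                current = {}  # unknown container: parse but ignore its directives
            continue
        parts = shlex.split(line)
        current[parts[0].lower()] = parts[1:]
    return glob, aliases, locations


def ldap_hosts(url):
    """'ldap://h1:3269 h2:636/ou=...' -> ['h1', 'h2'] (ports stripped)."""
    hostpart = url.split("://", 1)[-1].split("/", 1)[0]
    return [h.rsplit(":", 1)[0] for h in hostpart.split()]


def check(text):
    glob, aliases, locations = parse_conf(text)
    findings = []
    if [a.lower() for a in glob.get("ldapverifyservercert", [])] == ["off"]:
        findings.append("global: LDAPVerifyServerCert Off accepts any certificate the LDAP "
                        "server presents; point LDAPTrustedGlobalCert at the CA instead")
    for name, d in aliases.items():
        url = d.get("authldapurl")
        if not url:
            findings.append(f"alias {name}: no AuthLDAPURL")
            continue
        mode = url[1].upper() if len(url) > 1 else "NONE"
        remote = [h for h in ldap_hosts(url[0]) if h not in LOCAL_HOSTS]
        if mode == "NONE" and remote:
            findings.append(f"alias {name}: bind password and user credentials are sent in "
                            f"cleartext to {remote}; use the SSL or TLS mode")
    for path, d in locations.items():
        if "dav" not in d:
            continue
        for alias in d.get("authbasicprovider", []):
            if alias not in aliases and alias not in ("file", "ldap"):
                findings.append(f"location {path}: AuthBasicProvider names undefined alias '{alias}'")
        if "require" not in d:
            findings.append(f"location {path}: no require directive, repository served without authorization")
        if "authzsvndbpassword" in d and "authzsvndbpasswordfile" not in d:
            findings.append(f"location {path}: database password is inline; keep this file "
                            "readable only by root and the Apache user, or use AuthzSVNDBPasswordFile")
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE_CONF):
        print("-", f)
```

Run it against the real dav_svn.conf and httpd.conf before every apachectl restart; an alias that is referenced but undefined will otherwise only surface as a failed login, and a verification switch left on Off after certificate debugging is easy to forget.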
