LDAP authorization in SVN using Apache

    Hi, comrades

    , I will post my version of LDAP authorization settings using Apache.
    It is more detailed than already described .

    What is needed:

    Necessary actions:
    1. Install Apache in C: \ Apache.
    2. Install SVN in C: \ SVN.
    3. Install openssl in C: \ openssl.
    4. move openssl.cnf to c: \ openssl
    5. We create (or copy) a repository.
      svnadmin create c:/repositories/test
      svnadmin create c:/repositories/secure

    6. create ssl certificates: where svn.example.com is your domain name
      openssl req -config openssl.cnf -new -out svn.example.com.csr
      openssl rsa -in privkey.pem -out svn.example.com.key
      openssl x509 -in svn.example.com.csr -out svn.example.com.cert -req -signkey svn.example.com.key -days 1000

    7. copy all .dll and .so from C: \ SVN \ bin to c: \ Apache \ modules
    8. copy .cert and .key files from C: \ openssl to C: \ Apache \ conf
    9. edit C: \ Apache \ conf \ httpd.conf
      LoadModule dav_module modules/mod_dav.so
      LoadModule dav_svn_module modules/mod_dav_svn.so
      LoadModule authz_svn_module modules/mod_authz_svn.so
      LoadModule ldap_module modules/mod_ldap.so
      LoadModule ssl_module modules/mod_ssl.so
      LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

      Listen 443

      Include conf/extra/httpd-vhosts.conf

    10. edit C: \ Apache \ conf \ extra \ httpd-vhosts.conf
              SSLEngine on
              SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
              #указываем имена на файлы сертификатов
              SSLCertificateFile conf/svn.example.com.cert
              SSLCertificateKeyFile conf/svn.example.com.key
              SetEnvIf User-Agent ".*MSIE.*" \
               nokeepalive ssl-unclean-shutdown \
               downgrade-1.0 force-response-1.0
          #делаем редирект с корневого пути
          RedirectMatch ^(/)$ http://google.com
          #указываем общие настройки для всех репозиториев
              Order allow,deny
              Allow from all
              AuthType Basic
              AuthBasicProvider ldap
              AuthzLDAPAuthoritative off
              AuthName "SVN main repo"
          #Указываем путь к LDAP серверу. Важно помнить, что без SSL используется ldap:// и порт 3268
          #Так же возможен вариант с портами 389 и 390 для SSL
              AuthLDAPURL "ldaps://myDC.domain.com:3269/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
          #указываем DN путь к пользователю, который будет биндится к LDAP серверу.
              AuthLDAPBindDN "CN=Apache_bind,OU=users,OU=my,DC=domain,DC=com"
          #Пароль в ОТКРЫТОМ виде
              AuthLDAPBindPassword qweqwe
              AuthLDAPGroupAttributeIsDN on
              AuthLDAPGroupAttribute member
          #запрет на анонимов
              SVNPathAuthz on
              AuthzSVNAnonymous off
             #указываем путь к нашему созданному тестовому репозиторию
              DAV svn
              AuthName "SVN Test"
              SVNPath С:/repositories/test
              SVNListparentPath off
              #пускаем всех доменных пользователей
              require valid-user
          #и создаем путь к другому репозиторию с разграничением прав
              DAV svn
              AuthName "SVN Secure"
              SVNPath c:/repositories/Secure
              #Даем права на запись группе SVN_Secure_write
              Require ldap-group CN=SVN_Secure_write,OU=my,DC=domain,DC=com
              #и ограничиваем пользователей на чтение группе SVN_Secure_read
                  Require ldap-group CN=SVN_Secure_read,OU=my,DC=domain,DC=com

    That's all.
    access to repositories is now: my.domain.com/test and my.domain.com/secure

    for MS Active Directory It is IMPORTANT to remember that the AD after the timeout sends TCP RST instead of TCP FIN to the client.
    There is a bypass www.apachelounge.com/forum/viewtopic.php?t=1995 , or download www.anneb.dds.nl/httpd-2.2.6_ldappatch_win32_vc6.zip
    and put the contents in C: \ Apache \ Modules1

    you can store repositories remotely.
    to indicate them, the SVNPath directive should look like this (for MS Windows) // server / repos / repo (or the old \\\\ server \\ repos \\ repo)

    Articles used:
    www.orcaware.com/svn/wiki / Subversion_configured_for_Windows_Active_Directory_HTTPS

    I will be glad to constructive criticism. :)

    Also popular now: