LDAP authorization in SVN using Apache

    Hi, comrades, I will post my version of LDAP authorization settings using Apache.
    It is more detailed than the one already described.

    What is needed:

    Necessary actions:
    1. Install Apache in C:\Apache.
    2. Install SVN in C:\SVN.
    3. Install openssl in C:\openssl.
    4. Move openssl.cnf to C:\openssl.
    5. Create (or copy) a repository:
      svnadmin create c:/repositories/test
      svnadmin create c:/repositories/secure

    6. Create SSL certificates (svn.example.com is your domain name):
      openssl req -config openssl.cnf -new -out svn.example.com.csr
      openssl rsa -in privkey.pem -out svn.example.com.key
      openssl x509 -in svn.example.com.csr -out svn.example.com.cert -req -signkey svn.example.com.key -days 1000


    7. Copy all .dll and .so files from C:\SVN\bin to C:\Apache\modules.
    8. Copy the .cert and .key files from C:\openssl to C:\Apache\conf.
    9. Edit C:\Apache\conf\httpd.conf and add:
      LoadModule dav_module modules/mod_dav.so
      LoadModule dav_svn_module modules/mod_dav_svn.so
      LoadModule authz_svn_module modules/mod_authz_svn.so
      LoadModule ldap_module modules/mod_ldap.so
      LoadModule ssl_module modules/mod_ssl.so
      LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

      Listen 443

      Include conf/extra/httpd-vhosts.conf

    10. Edit C:\Apache\conf\extra\httpd-vhosts.conf:
      # (the <Section> tags below were lost in this copy of the listing and are reconstructed; check them against your own file)
      <VirtualHost *:443>
          SSLEngine on
          SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
          # certificate file names
          SSLCertificateFile conf/svn.example.com.cert
          SSLCertificateKeyFile conf/svn.example.com.key
          SetEnvIf User-Agent ".*MSIE.*" \
                   nokeepalive ssl-unclean-shutdown \
                   downgrade-1.0 force-response-1.0
          # redirect from the root path
          RedirectMatch ^(/)$ http://google.com
          # common settings for all repositories
          <Location />
              Order allow,deny
              Allow from all
              AuthType Basic
              AuthBasicProvider ldap
              AuthzLDAPAuthoritative off
              AuthName "SVN main repo"
              # Path to the LDAP server. Remember that without SSL ldap:// and port 3268 are used.
              # Ports 389 and 390 for SSL are also possible.
              AuthLDAPURL "ldaps://myDC.domain.com:3269/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
              # DN of the user that will bind to the LDAP server
              AuthLDAPBindDN "CN=Apache_bind,OU=users,OU=my,DC=domain,DC=com"
              # password in CLEAR text
              AuthLDAPBindPassword qweqwe
              AuthLDAPGroupAttributeIsDN on
              AuthLDAPGroupAttribute member
              SSLRequireSSL
              # no anonymous access
              SVNPathAuthz on
              AuthzSVNAnonymous off
          </Location>
          # path to the test repository we created
          <Location /test>
              DAV svn
              AuthName "SVN Test"
              SVNPath C:/repositories/test
              SVNListParentPath off
              # let all domain users in
              Require valid-user
          </Location>
          # and a path to another repository with separated permissions
          <Location /secure>
              DAV svn
              AuthName "SVN Secure"
              SVNPath c:/repositories/Secure
              # give write rights to the SVN_Secure_write group
              Require ldap-group CN=SVN_Secure_write,OU=my,DC=domain,DC=com
              # and restrict reading to the SVN_Secure_read group
              # (read-only Subversion methods; the method list is assumed, the original lost it)
              <Limit GET PROPFIND OPTIONS REPORT>
                  Require ldap-group CN=SVN_Secure_read,OU=my,DC=domain,DC=com
              </Limit>
          </Location>
      </VirtualHost>

    That's all.
    The repositories are now reachable at my.domain.com/test and my.domain.com/secure.
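    The configuration above stores a bind password in clear text, leaves AuthzLDAPAuthoritative off and depends on ldaps:// rather than ldap:// to keep that password off the wire. The following script is an added example (not from the original post or from Apache) that parses a vhost file in the shape shown above, splits AuthLDAPURL into its host, port, base DN, attribute, scope and filter parts, and reports those settings so they can be checked before a file goes live. The sample config, host names, group names and password in it are constructed placeholders.

```python
"""Audit the mod_authnz_ldap / mod_ssl settings of an Apache vhost file.

Added example, not part of the original post: it reads a config in the
shape shown above, tracks <Section> nesting, parses AuthLDAPURL and
reports the settings a reviewer would flag. The sample config is constructed.
"""
import re

# Constructed sample in the shape of the vhost above (hosts, groups and password are placeholders).
SAMPLE_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    <Location />
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPURL "ldap://dc.example.test:3268/DC=example,DC=test?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindDN "CN=apache_bind,OU=users,DC=example,DC=test"
        AuthLDAPBindPassword placeholder-password
        SSLRequireSSL
    </Location>
    <Location /test>
        DAV svn
        Require valid-user
    </Location>
</VirtualHost>
"""

SECTION_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")
# scheme://host[:port]/basedn[?attribute[?scope[?filter]]]  (the RFC 2255 shape AuthLDAPURL uses)
LDAP_URL = re.compile(r"^(ldaps?)://([^/:]+)(?::(\d+))?/([^?]*)(?:\?(.*))?$")
WEAK_CIPHER_CLASSES = ("eNULL", "aNULL", "LOW", "EXP", "SSLv2", "SSLv3")


def parse_directives(text):
    """Yield (section_path, name, value) for each directive, tracking <Section> nesting."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(" ".join(opened.groups()).strip())
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        name, _, value = line.partition(" ")
        yield tuple(stack), name, value.strip().strip('"')


def parse_ldap_url(url):
    """Split an AuthLDAPURL into its parts; returns None if the URL does not parse."""
    m = LDAP_URL.match(url)
    if not m:
        return None
    scheme, host, port, base_dn, rest = m.groups()
    fields = (rest or "").split("?") + ["", "", ""]
    return {
        "scheme": scheme,
        "host": host,
        # mod_authnz_ldap defaults: 389 for ldap://, 636 for ldaps://
        # (the post uses the AD global catalog ports 3268/3269 instead)
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base_dn": base_dn,
        "attribute": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": fields[2] or "(objectClass=*)",
    }


def audit(text):
    """Return a list of findings (strings) in the order the directives appear."""
    findings = []
    for path, name, value in parse_directives(text):
        where = path[-1] if path else "(global)"
        key = name.lower()
        if key == "authldapurl":
            url = parse_ldap_url(value)
            if url is None:
                findings.append(f"{where}: AuthLDAPURL does not parse: {value}")
            elif url["scheme"] != "ldaps":
                findings.append(f"{where}: AuthLDAPURL uses ldap:// to {url['host']}:{url['port']}; "
                                "the bind password and every lookup travel unencrypted")
        elif key == "authldapbindpassword":
            findings.append(f"{where}: AuthLDAPBindPassword is stored in clear text; "
                            "restrict who can read the config file")
        elif key == "authzldapauthoritative" and value.lower() == "off":
            findings.append(f"{where}: AuthzLDAPAuthoritative off lets a later authz provider "
                            "grant access when the LDAP group check fails")
        elif key == "sslciphersuite":
            # tokens prefixed with "!" are removed by mod_ssl, everything else is enabled
            enabled = [t.lstrip("+") for t in value.split(":") if not t.startswith("!")]
            weak = sorted(c for c in WEAK_CIPHER_CLASSES if c in enabled)
            if weak:
                findings.append(f"{where}: SSLCipherSuite enables weak cipher classes: {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

    Run it against your own httpd-vhosts.conf by replacing SAMPLE_CONF with the file contents; each finding names the section it came from, so a clean run on the file above should report only the clear-text bind password, which the post accepts deliberately.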

    For MS Active Directory it is IMPORTANT to remember that after the timeout AD sends TCP RST instead of TCP FIN to the client.
    There is a workaround at www.apachelounge.com/forum/viewtopic.php?t=1995, or download www.anneb.dds.nl/httpd-2.2.6_ldappatch_win32_vc6.zip
    and put its contents in C:\Apache\Modules1

    Repositories can also be stored remotely.
    To point at them, the SVNPath directive should look like this (for MS Windows): //server/repos/repo (or the old \\\\server\\repos\\repo)

    Articles used:
    www.orcaware.com/svn/wiki/Subversion_configured_for_Windows_Active_Directory_HTTPS
    www.opennet.ru/base/net/subversion_ldap.txt.html

    I will be glad of constructive criticism. :)
