Subversion with Active Directory Authentication via Apache

Laura–skip this one.

I recently started using Subversion at work. It has been popular enough that several other employees have found a need for it. So I decided I'd better figure out Active Directory authentication so I don't end up maintaining a separate set of passwords for everyone. It took quite a bit of trial and error. Here's my Apache config for the Subversion site:

<VirtualHost *:80>
    ServerName svn.domain.com
    DocumentRoot /var/svn/www
    <Location /repos/>
        # Serve every repository below SVNParentPath through mod_dav_svn
        DAV svn
        SVNParentPath /var/svn/repos
        SVNListParentPath on
        # Per-repository / per-path authorization rules (the svnaccess file shown further down)
        AuthzSVNAccessFile /var/svn/svnaccess
        # Authentication against Active Directory through mod_authnz_ldap.
        # Note: Basic auth on plain port 80 sends the password unencrypted; put TLS in front of it.
        AuthType Basic
        AuthName "SVN Server"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative Off
        # Account Apache binds as to search the directory (see the note below about not using an admin)
        AuthLDAPBindDN "DOMAIN\administrator"
        AuthLDAPBindPassword password_for_administrator
        # Base DN is the whole domain; sAMAccountName is matched against the login name
        AuthLDAPURL ldap://domain_controller:389/dc=ad,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)
        Require valid-user
    </Location>
</VirtualHost>

No, it is not a good idea to use your domain administrator account in the config above. Use it only for testing, then replace it with an account that has read-only access to your domain.

Many of the examples on the web were geared towards non-Active Directory LDAP servers. Those that were specific to AD still didn't work until I removed "cn=Users" from the base DN of the AuthLDAPURL. Our users are not all part of the "Users" group. Removing it from the string means that every AD account can log in, so I turned to the AuthzSVNAccessFile to fine-tune access to the various repositories. Here is an example of that file:

[groups]
# Group membership is kept here, not in AD; names are the sAMAccountNames that Apache authenticated
it=username1,username2
engineers=username3,username4

[:/]
*=r

[/]
# Default for every repository: anyone who could log in gets read access
*=r

[intranet:/]
@it = rw

[helpdesk:/]
@it = rw

[product_development:/]
# Engineers get write access here; IT keeps the read-only default
@it = r
@engineers=rw
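The access file above is the only thing standing between "every AD account can log in" and "each team sees only its repository", so it is worth being able to check what it grants before pushing it to the server. The script below is an added example, not the post's code and not Subversion's own authorization engine: it parses an access file modelled on the one above (the sample is constructed) and answers the per-repository question that comes up in the comments, namely what a given user can do on a given repository path. The semantics it implements are a simplified assumption: the most specific path wins, a repository-specific section beats the global one for the same path, and within a section an explicit user rule beats a group rule, which beats `*`; an empty repository name such as `[:/]` is treated like `[/]`. The `world_readable_sections` helper flags every section where `*` grants access, which is the setting that lets every authenticated domain account read a repository.

```python
"""Evaluate a Subversion authz (AuthzSVNAccessFile) policy offline.

Added example, not the post's code and not Subversion's implementation.
Assumed (simplified) semantics: most specific path wins; a repo-specific
section beats the global one for the same path; within a section an
explicit user rule beats @group, which beats '*'.
"""
import configparser
from typing import Dict, List, Optional, Set, Tuple

Rules = Dict[Tuple[Optional[str], str], List[Tuple[str, str]]]

# Constructed sample modelled on the svnaccess file in the post.
SAMPLE_AUTHZ = """\
[groups]
it=username1,username2
engineers=username3,username4

[/]
*=r

[intranet:/]
@it = rw

[helpdesk:/]
@it = rw

[product_development:/]
@it = r
@engineers=rw
"""


def parse_authz(text: str) -> Tuple[Dict[str, Set[str]], Rules]:
    """Parse the INI-style file into group memberships and per-section rules."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   allow_no_value=True)
    cp.optionxform = str  # keep case: usernames, @groups and '*' are option names
    cp.read_string(text)
    groups: Dict[str, Set[str]] = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
    rules: Rules = {}
    for section in cp.sections():
        if section == "groups":
            continue
        if ":" in section:                  # [repo:/path]
            repo, path = section.split(":", 1)
            repo = repo or None             # assumption: [:/] behaves like [/]
        else:                               # [/path] applies to every repository
            repo, path = None, section
        path = path.rstrip("/") or "/"
        rules[(repo, path)] = [(p, (v or "").strip()) for p, v in cp.items(section)]
    return groups, rules


def _specificity(principal: str, user: str, groups: Dict[str, Set[str]]) -> int:
    """How directly a rule's principal names `user`; 0 means the rule does not apply."""
    if principal == user:
        return 3
    if principal.startswith("@") and user in groups.get(principal[1:], set()):
        return 2
    if principal == "*":
        return 1
    return 0


def effective_access(groups: Dict[str, Set[str]], rules: Rules,
                     repo: str, path: str, user: str) -> str:
    """Return 'rw', 'r' or '' (no access) for `user` on `repo:path`."""
    node = path.rstrip("/") or "/"
    while True:
        # Repository-specific section first, then the global one, for this path level.
        for key in ((repo, node), (None, node)):
            best = (0, "")
            for principal, perms in rules.get(key, []):
                rank = _specificity(principal, user, groups)
                if rank > best[0]:
                    best = (rank, perms)
            if best[0]:
                return best[1]
        if node == "/":
            return ""                       # no matching rule anywhere: denied
        node = node.rsplit("/", 1)[0] or "/"   # walk one level towards the root


def world_readable_sections(rules: Rules) -> List[Tuple[Optional[str], str]]:
    """Audit helper: sections where '*' grants access to everyone who can log in."""
    return sorted((key for key, lines in rules.items()
                   if any(p == "*" and perms for p, perms in lines)),
                  key=lambda k: (k[0] or "", k[1]))


if __name__ == "__main__":
    g, r = parse_authz(SAMPLE_AUTHZ)
    for repo in ("intranet", "product_development", "some_new_repo"):
        for user in ("username1", "username3", "someone_else"):
            access = effective_access(g, r, repo, "/", user) or "(none)"
            print(f"{repo}:/ {user:14s} -> {access}")
    print("sections readable by everyone:", world_readable_sections(r))
```

Running it against the sample shows the consequence of the global `*=r`: a freshly created repository, or any user not named in a group, still gets read access everywhere. If a repository must be visible to one team only, the global rule has to be dropped or overridden with an explicit `*=` in that repository's section.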

Have fun.


5 Responses

  1. Thanks, I will.

  2. You can filter the valid users in your Apache config and limit them to being members of specific group(s) in Active Directory using the require ldap-group syntax.

    I’ve got a security group in my AD structure at Domain.local\Office\SecurityGroups\SG-Subversion and the syntax is

    require ldap-group CN=SG-Subversion,OU=SecurityGroups,OU=Office,DC=Domain,DC=local

    What I am trying to do now is work out how to get the AuthzSVNAccessFile to allow me to filter the different repositories and permissions within the repositories.

    • Hi Jacob,
      I know it was a long time ago that you wrote the post on Subversion / AD authentication, but did you ever get it working so you authenticate different users for different repositories? I've been trying to find the answer for ages. We have some users who are really sensitive about their data here, so they want to know only their AD OU can see their repository! Do you know how this can be done? Fingers crossed! Cheers, Charlie.

  3. Hello,

    I'm facing that same problem...

    Actually, when I try to use both:

    require ldap-group XXX
    and
    AuthzSVNAccessFile XXX

    ldap-group is ignored (even if AuthzLDAPAuthoritative is on).

    Maybe I have done something wrong, but this LDAP filter is not working...

    If only ldap-group is active, filtering on the LDAP group is done correctly...

    Any clue?

    Cheers,
    André

  4. While LDAP is a good general solution to integrating various authentication systems, I have found it extremely hard to get working. I also got a big fat “no” from my system administrator when I said setting up ActiveDirectory auth on our Subversion would require that the domain admin’s password be in plain-text in the configuration file.

    There is an alternative (IMHO easier) solution so long as you use Windows for the server. The mod_auth_sspi Apache SSPI authentication module allows you to support ActiveDirectory authentication by using the underlying system to transparently authenticate. I found the resulting mod_auth_sspi configuration easy to understand and modify to suit my needs. I put together a how-to called Instant Windows SVN Server with SSL and ActiveDirectory on my blog which shows every step needed from a fresh Windows Server installation to a fully functional and relatively secure Subversion server that supports single sign-on with ActiveDirectory.
