Requirements:

  1. Secure a Subversion 1.4.6 installation running on a Windows 2003 server
  2. Authentication must be against existing Active Directory accounts
  3. The Active Directory server does not allow anonymous binding
  4. Users in group foo should be able to get to the source code
  5. Users not in group foo should get no access at all
  6. Nobody should be able to see anyone else’s password.

Solution:

I finally got it working with the suggested method: putting the Apache HTTPD server in front of Subversion and, rather than applying security to Subversion itself, securing Apache so that it authenticates against Active Directory as an LDAP server.

Steps:

  1. Make sure your Apache Server version matches the Subversion you are using. Subversion includes Apache modules and .dll’s that you add to your Apache installation. There are two flavors: Apache 2.0, and Apache 2.2, which are not compatible (of course). So, when you download Subversion, make sure you note which version of Apache it was built for so you can get the same version of Apache.
  2. Install Subversion.
  3. Make your repository/repositories.
  4. Install Apache on the same machine.
  5. Copy files from Subversion into Apache:
    1. <subversion_home>/modules/*.so into <apache_home>/modules
    2. <subversion_home>/bin/intl3_svn.dll into <apache_home>/bin
    3. <subversion_home>/bin/libdb44.dll into <apache_home>/bin
  6. Edit the httpd.conf file in <apache_home>/conf
    1. Make sure the following module lines are enabled (remove the # sign if it’s there):
      1. LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
      2. LoadModule dav_module modules/mod_dav.so
      3. LoadModule dav_fs_module modules/mod_dav_fs.so
      4. LoadModule dav_lock_module modules/mod_dav_lock.so
      5. LoadModule ldap_module modules/mod_ldap.so
    2. Add the following two lines with the other LoadModule lines:
      1. LoadModule dav_svn_module modules/mod_dav_svn.so
      2. LoadModule authz_svn_module modules/mod_authz_svn.so

Ok, that’s the easy part - installing the two packages and enabling the code that lets you configure things so they can work with each other.

Now the hard part: the configuration itself. To do this, you need some basic information:

  1. The hostname for your Active Directory server. You might have luck finding this by doing an ipconfig /all and looking at the entry that reads “Primary Dns Suffix” under “Windows IP Configuration”.
  2. The port on which your Active Directory listens. The default is 389, but you may find that you need to try port 3268 to access the Global Catalog.
  3. The base DN for the IDs of the users who will be using Subversion. In my case, this was OU=People,DC=company,DC=com
  4. The DN and password of an account that can be used for binding and looking up users and groups. This is only needed if your AD server does not allow anonymous binding.
  5. The DN of the group you are restricting access to. If you are not restricting access to a group but just to anyone who can log in, you can skip this. In my case, it looks like CN=mygroup,OU=Security,OU=Groups,DC=company,DC=com

Once you have this information, you can configure your Apache. Open httpd.conf in <apache_home>/conf and add a block like this at the bottom of your file:

<Location /svn-java>
	DAV svn
	SVNPath d:/svn-repos/java

	AuthName "Subversion - Java"
	AuthBasicProvider ldap
	AuthType Basic
	AuthzLDAPAuthoritative on
	AuthLDAPRemoteUserIsDN Off
	AuthLDAPURL "ldap://ldaphost:389/peoplebasedn?sAMAccountName?sub?(objectClass=*)" NONE
	AuthLDAPBindDN "bindingdn"
	AuthLDAPBindPassword bindingpassword
	AuthLDAPGroupAttributeIsDN on
	require ldap-group groupdn

</Location>

Some explanatory notes:

  • The attribute in <Location > at the top of the section is the URL you are securing and through which you are exposing the repository. In my case, I named it svn-java so the URL for the repository would be http://myserver/svn-java.
  • The DAV svn line hooks Apache to Subversion, and the SVNPath line tells Apache where on the local file system the subversion repository is (in my case, d:/svn-repos/java).
  • AuthName can be followed by any description of the repository you like. This message is displayed in your browser’s authentication popup (screenshot: browser authentication window).
  • In the AuthLDAPURL line, the stuff after peoplebasedn is the poof-magic that makes LDAP look in the right places in Active Directory for the user’s id: sAMAccountName is the attribute that the typed-in username is matched against, sub means search the whole subtree under the base DN, and (objectClass=*) is the search filter.
  • AuthLDAPBindDN and AuthLDAPBindPassword should be omitted if your server will allow anonymous binding.
  • If you aren’t requiring that people be in a group to access SVN, replace the require ldap-group … line with the line require valid-user.
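As an added illustration (not from the original post) of what those directives actually do, here is a small model of the lookup mod_authnz_ldap performs: the AuthLDAPURL search that turns a typed username into a DN, the bind as that DN to check the password, and the require ldap-group check that, with AuthLDAPGroupAttributeIsDN on, compares the user's full DN against the group's member attribute. The in-memory directory, users and passwords are constructed for the example.

```python
"""Model of how the <Location> directives above resolve against AD.
Constructed in-memory directory stands in for Active Directory."""

# Constructed entries: DN -> attributes (each value is a list, as in LDAP)
DIRECTORY = {
    "CN=Alice,OU=People,DC=company,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=Bob,OU=People,DC=company,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["bob"]},
    "CN=mygroup,OU=Security,OU=Groups,DC=company,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Alice,OU=People,DC=company,DC=com"]},
}
# Constructed passwords; in reality AD checks these during the user bind
PASSWORDS = {"alice": "alice-pw", "bob": "bob-pw"}

PEOPLE_BASE_DN = "OU=People,DC=company,DC=com"      # peoplebasedn
GROUP_DN = "CN=mygroup,OU=Security,OU=Groups,DC=company,DC=com"  # groupdn


def in_subtree(dn, base_dn):
    """'sub' scope: the entry may sit anywhere below the base DN."""
    return dn.lower().endswith(base_dn.lower())


def find_user_dn(username):
    """AuthLDAPURL '...peoplebasedn?sAMAccountName?sub?(objectClass=*)':
    Apache binds as the bind DN and searches the subtree for exactly one
    entry whose sAMAccountName equals the username from the Basic header."""
    matches = [dn for dn, attrs in DIRECTORY.items()
               if in_subtree(dn, PEOPLE_BASE_DN)
               and username in attrs.get("sAMAccountName", [])]
    return matches[0] if len(matches) == 1 else None


def authenticate(username, password):
    """Rebind as the found DN with the user's password; None on failure."""
    dn = find_user_dn(username)
    if dn is None or PASSWORDS.get(username) != password:
        return None
    return dn


def authorize(user_dn, require):
    """'require valid-user' accepts any authenticated user; 'require
    ldap-group' needs the user's DN listed in the group's member attribute."""
    if require == "valid-user":
        return True
    return user_dn in DIRECTORY.get(GROUP_DN, {}).get("member", [])


def access(username, password, require="ldap-group"):
    dn = authenticate(username, password)
    return dn is not None and authorize(dn, require)
```

The model says nothing about transport: with AuthType Basic the password crosses the wire merely base64-encoded, so the http:// URL and the NONE (no TLS) scope on the LDAP URL both carry credentials in the clear, and requirement 6 only holds with HTTPS in front of Apache and TLS on the connection to the AD server.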

And now the obligatory whining and complaining:

This should be so much simpler. Why in the world doesn’t Subversion have built into it the ability to hook into LDAP directly, for cryin’ out loud?! I know, I know, it’s open source, “why don’t I get off my lazy butt and add it?” But seriously, it should not be this involved.

Good luck!

One Response to “How to secure Subversion on Windows Server 2003 using Apache and Active Directory”
  1. Rocket Surgery » Securing Hudson using Active Directory says:

    [...] « How to secure Subversion on Windows Server 2003 using Apache and Active Directory Jun 06 2008 [...]