Subversion with Apache and ActiveDirectory Authentication

Ubuntu has pretty good HOWTOs for quite a few things. Here’s one for Subversion.

The following is my common setup on an Ubuntu 8.04 installation with Apache and ActiveDirectory used for authentication.

To start, install Subversion, Apache, and the Apache Subversion module:

user@computer:$ sudo apt-get install subversion apache2 libapache2-svn

Add a new group called ‘subversion’, then add the ‘www-data’ user to the group.

user@computer:$ sudo groupadd subversion
user@computer:$ sudo adduser www-data subversion

Make a new Subversion directory:

user@computer:$ sudo mkdir /var/svn

Create a shell script to automate the tasks of creating new SVN repositories. You can add other setup tasks here too, such as post-commit hooks, etc. Save this file as ~/create-svn-repo.sh:

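#!/bin/sh
# Create a new Subversion repository under /var/svn for Apache (www-data).

if [ $# -lt 1 ]; then
	echo "You must supply the name of a svn repository to add." >&2
	exit 1
fi

# Stop at the first failing step instead of reporting success.
set -e

echo "Creating SVN Repository:"
# Quote "$1" so names containing spaces or shell metacharacters stay intact.
sudo svnadmin create "/var/svn/$1"
sudo chown -R www-data:subversion "/var/svn/$1"
# g+rws: group read/write, plus setgid so new files inherit the group.
sudo chmod -R g+rws "/var/svn/$1"
echo "SVN Repository Creation Completed"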

Grant permission to execute the script:

user@computer:$ chmod u+x ~/create-svn-repo.sh

Now you can create as many SVN repositories as you desire with the following command, replacing myproject with your own:

user@computer:$ ~/create-svn-repo.sh myproject

Create a new file as root for Apache at /etc/apache2/sites-available/svn:

<Location /svn>
  DAV svn
  SVNParentPath /var/svn
  AuthType Basic
  AuthName "My SVN Repository"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
 
  AuthLDAPBindDN "CN=SVN,OU=Service Accounts,DC=mydomain,DC=com"
  AuthLDAPBindPassword ReplaceWithSVNPassword
  AuthLDAPURL "ldap://NameOfActiveDirectoryServer:389/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=person)" NONE
 
  Require valid-user
  Require ldap-group CN=Subversion,OU=Groups,DC=mydomain,DC=com
  SVNListParentPath On
</Location>

You will need to create a service account for Subversion (Apache) to use to log into ActiveDirectory. You should also create a group to hold the AD users who are allowed to use Subversion. Since the Apache site file contains the password of the service account, you should limit the permissions of this file, then enable the site and the authentication module and reload Apache:

user@computer:$ sudo chmod 640 /etc/apache2/sites-available/svn
user@computer:$ sudo a2ensite svn
user@computer:$ sudo a2enmod authnz_ldap
user@computer:$ sudo /etc/init.d/apache2 force-reload

At this point, you should be able to use a web browser to visit http://mymachine/svn/ which will require you to authenticate. Once authenticated, you should be able to view your Subversion repositories.

The configuration above talks to ActiveDirectory over plain ldap:// (port 389, mode NONE), so that connection is not encrypted. We could have Apache connect using ldaps over a secure connection, but that has additional requirements, such as certificates for connecting to the AD server, and is beyond the scope of this blog. There’s a possibility I may include a future blog entry on that if there is enough demand for it. I also plan on having a future post on running a dynamic backup of your svn repositories to a cifs share.
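
The two exposures discussed above, the bind password stored in the site file and the plain ldap:// connection to AD, can be checked mechanically. The following is an added example, not part of the original post; `audit_site` and `demo` are hypothetical helper names, and the sample configuration is constructed from the site file shown earlier.

```shell
#!/bin/sh
# Added example: audit an Apache site file that embeds an LDAP bind password.
# audit_site is a hypothetical helper name, not an Apache or Subversion tool.

# Prints one line per finding; returns the number of findings (0 = clean).
audit_site() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 99; }

    # 1. A file holding AuthLDAPBindPassword must not be readable by "other".
    if grep -qi '^[[:space:]]*AuthLDAPBindPassword' "$conf" &&
       [ -n "$(find "$conf" -prune -perm -004)" ]; then
        echo "WORLD-READABLE: $conf contains AuthLDAPBindPassword"
        findings=$((findings + 1))
    fi

    # 2. ldap:// without an SSL/TLS/STARTTLS mode sends binds unencrypted.
    url=$(grep -i '^[[:space:]]*AuthLDAPURL' "$conf" | head -n 1 |
          tr 'A-Z' 'a-z' | sed 's/[[:space:]]*$//')
    case $url in
        '' | *ldaps://* | *' ssl' | *' tls' | *' starttls') ;;
        *)  echo "CLEARTEXT-LDAP: $url"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample mirroring the site file above (placeholder password).
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
<Location /svn>
  AuthBasicProvider ldap
  AuthLDAPBindDN "CN=SVN,OU=Service Accounts,DC=mydomain,DC=com"
  AuthLDAPBindPassword ReplaceWithSVNPassword
  AuthLDAPURL "ldap://NameOfActiveDirectoryServer:389/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=person)" NONE
</Location>
EOF
    chmod 644 "$tmp"; before=0; audit_site "$tmp" || before=$?
    chmod 640 "$tmp"; after=0;  audit_site "$tmp" || after=$?
    rm -f "$tmp"
    echo "findings at mode 644: $before; at mode 640: $after"
}
demo
```

Run against the real site file with `sudo`, since mode 640 on a root-owned file makes it unreadable to ordinary users.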

UPDATE: If you have problems connecting to your LDAP server at the top level (a DC instead of an OU, for example) and receive the following error: [ldap_search_ext_s() for user failed][Operations error], modify the ldap.conf file and add “REFERRALS off”. ActiveDirectory has some top-level links that apparently cannot be processed correctly. Alternatively, set up an OU to hold all of your users.

About ipaul

My name is Paul Hassinger, the founder of ipaul.com. I have been an avid user of computers since I was a child. I started when I was about 10 years old working on an Atari computer. Since then, I grew and have had exposure to all types of technologies. I started using FIDONet on a BBS as a child and grew to the Internet. My first graphical world wide web experience was in 1993 using Mosaic. Over time I've worked with both small and large computing systems, even maintaining systems serving millions of users on some of the largest social networking sites. I hope to use this blog to capture what I've learned over the years and what I do in my daily life so that others and myself may find the information useful.