Linux Apache + Subversion + Active Directory Authentication

I found Subversion (svn) over HTTP to be very easy to deploy on top of our existing setup; it only took about 15 minutes. It simplifies user management by allowing us to manage users through Active Directory, and makes it easier on staff by using URLs for access. Here is a quick demonstration on a Fedora 9 box, assuming you have already performed a basic or default Apache install.

Requirements:

Install the necessary svn packages:

# yum install subversion mod_dav_svn

Configure AD:

Create a user to bind with; this user needs no special permissions. I used svnuser in this demonstration.

Create a security group; users will need to be members of this group in order to access our repositories. I used SVN_Access in this demonstration.

Create Repositories:

Create the following directories in your http root if you have not done so (/var/www on most systems):

# mkdir /var/www/svn
# mkdir /var/www/svn/repos

This will be the location for all of our repositories.  Now to create a repository (test in this example):

# svnadmin create /var/www/svn/repos/test

Grant apache access to the repository:

# chown -R apache:apache /var/www/svn/repos/test

Configure Apache:

Create an httpd/Apache include file for our Subversion configuration; this may have already been created for you. Depending on your distro, you may need to integrate this directly into your httpd.conf:

# touch /etc/httpd/conf.d/subversion.conf

Example subversion.conf:

LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
 
#
# Example configuration to enable HTTP access for a directory
# containing Subversion repositories, "/var/www/svn".  Each repository
# must be readable and writable by the 'apache' user.  Note that if
# SELinux is enabled, the repositories must be labelled with a context
# which httpd can write to; this will happen by default for
# directories created in /var/www.  Use "restorecon -R /var/www/svn"
# to label the repositories if upgrading from a previous release.
#
 
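<Location /repos>
   DAV svn
   SVNParentPath /var/www/svn/repos
   SVNListParentPath on

   order allow,deny
   allow from all
   Options Indexes
   AuthzLDAPAuthoritative On

   AuthName "My Repository"
   AuthType Basic
   AuthBasicProvider ldap

   # Account used to search the directory. The password is stored in
   # clear text, so keep this file readable by root only.
   AuthLDAPBindDN svnuser@domain.com
   AuthLDAPBindPassword Test123

   AuthLDAPURL "ldap://dc.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(objectCategory=person)"
   # Only members of SVN_Access are admitted. Do not add "Require valid-user"
   # as well: Require lines are OR'd, so it would admit every account that
   # authenticates, not just group members.
   Require ldap-group CN=SVN_Access,OU=Groups,DC=domain,DC=com
</Location>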

You should now be able to access your test repository at http://website/repos/test 🙂
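
A quick lint for a configuration like the one above, as an added example that is not part of the original post: it flags a group- or world-accessible file holding the bind password, an ldap:// URL with no TLS mode, a Require valid-user line next to Require ldap-group, and Basic auth without SSLRequireSSL. The function name, the finding codes and the temporary sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): lint a mod_authnz_ldap config.
# audit_svn_conf FILE prints one finding code per line; no output means clean.
audit_svn_conf() {
    conf=$1
    # Look only at active directives; Apache directive names are case-insensitive.
    active=$(grep -Ev '^[[:space:]]*(#|$)' "$conf" || true)
    has() { printf '%s\n' "$active" | grep -Eiq "^[[:space:]]*$1"; }

    # The bind password sits in this file, so only its owner should have access.
    if has 'AuthLDAPBindPassword[[:space:]]'; then
        [ "$(ls -ld "$conf" | cut -c5-10)" = "------" ] || echo BINDPW_FILE_EXPOSED
    fi
    # ldap:// with no TLS/STARTTLS mode sends bind and user passwords in clear.
    if has 'AuthLDAPURL[[:space:]]+"?ldap://' &&
       ! has 'AuthLDAPURL[[:space:]].*[[:space:]](TLS|STARTTLS)[[:space:]]*$'; then
        echo LDAP_CLEARTEXT
    fi
    # Require lines are OR'd: valid-user admits every account that can bind.
    if has 'Require[[:space:]]+ldap-group' && has 'Require[[:space:]]+valid-user'; then
        echo GROUP_CHECK_BYPASSED
    fi
    # Basic auth is only base64; without SSLRequireSSL it may be served over http.
    if has 'AuthType[[:space:]]+Basic' && ! has 'SSLRequireSSL'; then
        echo BASIC_AUTH_NO_TLS
    fi
}

# Constructed sample: an auth block that combines a group check with valid-user.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Location /repos>
   AuthType Basic
   AuthBasicProvider ldap
   AuthLDAPBindDN svnuser@domain.com
   AuthLDAPBindPassword Test123
   AuthLDAPURL "ldap://dc.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(objectCategory=person)"
   Require ldap-group CN=SVN_Access,OU=Groups,DC=domain,DC=com
   REQUIRE valid-user
</Location>
EOF
chmod 644 "$sample"
audit_svn_conf "$sample"
rm -f "$sample"
```

Run it against /etc/httpd/conf.d/subversion.conf as root; an empty result means none of the four conditions were found.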
