
LDAP authorization in SVN using Apache

Hello comrades

I'll post my version of configuring LDAP authorization using Apache.
It is more detailed than what has already been described.

What you need:

Necessary actions:
  1. Install Apache in C:\Apache.
  2. Install SVN in C:\SVN.
  3. Install openssl in C:\openssl.
  4. Move openssl.cnf to C:\openssl.
  5. Create (or copy) the repositories:
    svnadmin create c:/repositories/test
    svnadmin create c:/repositories/secure

  6. Create the SSL certificate:
    openssl req -config openssl.cnf -new -out svn.example.com.csr
    openssl rsa -in privkey.pem -out svn.example.com.key
    openssl x509 -in svn.example.com.csr -out svn.example.com.cert -req -signkey svn.example.com.key -days 1000

    where svn.example.com is your domain name.
  7. Copy all .dll and .so files from C:\SVN\bin to C:\Apache\modules.
  8. Copy the .cert and .key files from C:\openssl to C:\Apache\conf.
  9. Edit C:\Apache\conf\httpd.conf:
    LoadModule dav_module modules/mod_dav.so
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

    Listen 443

    Include conf/extra/httpd-vhosts.conf

  10. Edit C:\Apache\conf\extra\httpd-vhosts.conf:
    <VirtualHost _default_:443>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

        # specify the names of the certificate files
        SSLCertificateFile conf/svn.example.com.cert
        SSLCertificateKeyFile conf/svn.example.com.key

        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

        # redirect from the root path
        RedirectMatch ^(/)$ http://google.com

        # general settings for all repositories
        <LocationMatch ^/.*>
            Order allow,deny
            Allow from all

            AuthType Basic
            AuthBasicProvider ldap
            # the argument of this directive was lost in the source text; "off" is assumed here
            AuthzLDAPAuthoritative off
            AuthName "SVN main repo"

            # Path to the LDAP server. It is important to remember that non-SSL uses ldap:// and port 3268;
            # ports 389 and 390 are also available for SSL
            AuthLDAPURL "ldaps://myDC.domain.com:3269/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"

            # DN of the user that Apache binds to the LDAP server as
            AuthLDAPBindDN "CN=Apache_bind,OU=users,OU=my,DC=domain,DC=com"
            # password in PLAIN text
            AuthLDAPBindPassword qweqwe

            AuthLDAPGroupAttributeIsDN on
            AuthLDAPGroupAttribute member
            SSLRequireSSL

            # no anonymous access
            SVNPathAuthz on
            AuthzSVNAnonymous off
        </LocationMatch>

        # path to the test repository we created
        <Location /test>
            DAV svn
            AuthName "SVN Test"
            SVNPath c:/repositories/test

            SVNListParentPath off

            # allow all domain users
            Require valid-user
        </Location>

        # and a path to another repository with separated rights
        <Location /secure>
            DAV svn
            AuthName "SVN Secure"
            SVNPath c:/repositories/secure

            # grant write permission to the group SVN_Secure_write
            Require ldap-group CN=SVN_Secure_write,OU=my,DC=domain,DC=com

            # and restrict the group SVN_Secure_read to reading
            <Limit GET PROPFIND OPTIONS REPORT>
                Require ldap-group CN=SVN_Secure_read,OU=my,DC=domain,DC=com
            </Limit>
        </Location>
    </VirtualHost>

That's all.
Access to repositories is now my.domain.com/test and my.domain.com/secure
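As an added check (not part of the original post), this script audits a vhost like the one above for the settings that weaken it: a plaintext bind password, a non-SSL ldap:// URL, Basic auth without SSLRequireSSL, anonymous access left on, and weak tokens in SSLCipherSuite. SAMPLE_CONF is a constructed excerpt of the post's config and the checks are heuristics.

```python
# Added example, not the post's code: audit an Apache mod_authnz_ldap/mod_dav_svn vhost for
# the weak settings shown in the post. SAMPLE_CONF is a constructed excerpt of its config.
SAMPLE_CONF = """
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
AuthType Basic
AuthLDAPURL "ldaps://myDC.domain.com:3269/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=Apache_bind,OU=users,OU=my,DC=domain,DC=com"
AuthLDAPBindPassword qweqwe
SSLRequireSSL
AuthzSVNAnonymous off
"""

# OpenSSL cipher-list tokens that should never remain enabled on a repository host.
WEAK_CIPHER_TOKENS = ("eNULL", "aNULL", "ADH", "EXP", "LOW", "SSLv2", "RC4")


def directives(conf):
    """Yield (name, argument) per non-comment line, with quotes around the argument dropped."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            yield name, args.strip().strip('"')


def enabled_weak_ciphers(spec):
    """Weak tokens the cipher spec leaves on: '!' removes a token, a leading '+' only reorders it."""
    excluded, enabled = set(), set()
    for item in spec.split(":"):
        if item.startswith("!"):
            excluded.add(item[1:])
        else:
            enabled.update(item.lstrip("+").split("+"))
    return sorted(t for t in WEAK_CIPHER_TOKENS if t in enabled and t not in excluded)


def audit(conf):
    """Return the list of findings for a config text; an empty list means nothing was flagged."""
    seen, findings = dict(directives(conf)), []
    if seen.get("AuthLDAPURL", "").startswith("ldap://"):
        findings.append("AuthLDAPURL: plain ldap:// carries the bind password and user credentials in clear")
    if "AuthLDAPBindPassword" in seen and not seen["AuthLDAPBindPassword"].startswith("exec:"):
        findings.append("AuthLDAPBindPassword: literal password in httpd.conf; restrict the file's ACLs or use exec: (httpd 2.4.5+)")
    if seen.get("AuthType") == "Basic" and "SSLRequireSSL" not in seen:
        findings.append("AuthType Basic without SSLRequireSSL: credentials could be accepted over plain HTTP")
    if seen.get("AuthzSVNAnonymous", "on").lower() != "off":
        findings.append("AuthzSVNAnonymous is not off: anonymous read access is possible")
    weak = enabled_weak_ciphers(seen.get("SSLCipherSuite", ""))
    if weak:
        findings.append("SSLCipherSuite leaves weak tokens enabled: " + ", ".join(weak))
    return findings
```

Run `audit(open("httpd-vhosts.conf").read())` against a real file; on the post's config it reports the literal bind password and the LOW/EXP/SSLv2/eNULL/RC4 tokens that the cipher string leaves enabled.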

For MS Active Directory it is IMPORTANT to remember that AD, after a timeout, sends TCP RST instead of TCP FIN to the client.
There is a workaround at www.apachelounge.com/forum/viewtopic.php?t=1995, or download www.anneb.dds.nl/httpd-2.2.6_ldappatch_win32_vc6.zip
and put its contents into C:\Apache\modules.

Repositories can also be stored remotely.
To reference them in the SVNPath directive, use the form //server/repos/repo (on MS Windows), or the older \\\server\\repos\\repo style.

Articles used:
www.orcaware.com/svn/wiki/Subversion_configured_for_Windows_Active_Directory_HTTPS
www.opennet.ru/base/net/subversion_ldap.txt.html

I will be glad to constructive criticism. :)

Source: https://habr.com/ru/post/73403/