Pular para o conteúdo principal

Configuring Subversion with Active Directory Authentication

Subversion with AD Auth is the holy-grail for main Microsoft-based organizations.  However, the setup can be a bit tricky and there aren’t a lot of good walk-throughs out there.  This post guides you through the process of installing Subversion and configuring AD authentication on a Windows 2003 server.
This post is NOT specific to Sublime – it applies to any Subversion installation using Apache.

Getting Ready

Before we start, you’ll need to make sure you have all required software installed.  You will need Subversion 1.5 or greater and Apache installed.  I recommend downloading the Collabnet Subversion Client and Server package for windows.  Not only does it include all prerequisites for this walk-through, but the installer sets up Apache to run as a windows service for you.

Configuring Apache

Once you have Subversion and Apahce installed, you’ll need to configure Apache to work with Subversion.  However, the first step is to ensure Apache will start on its own with no configuration changes.
  1. Open your Services management console
  2. Locate the Apache service (Apache2.2 for example)
  3. Start the service.  If there is a problem, you will get a warning or error message.
One common error on a new installation is when Apache conflicts with IIS.  If you see an error message about no listening sockets available, that probably means that IIS is already running a website on the default port 80.  You can either change Apache to run on a different port (by editing the httpd.conf file), or stop the default website in IIS.
Once you have Apache running on its own, it’s time to configure Subversion.
  1. Open the httpd.conf file (mine is located at C:\Program Files\CollabNet Subversion Server\httpd\conf\httpd.conf).
  2. Locate the Dynamic Shared Object (DSO) Support section.  This should have a bunch of lines that begin with “LoadModule …”
  3. At the bottom of the existing LoadModule lines, add the following three lines:LoadModule ldap_module   modules/mod_ldap.so
    LoadModule authnz_ldap_module   modules/mod_authnz_ldap.so
    LoadModule authz_svn_module   modules/mod_authz_svn.so
  4. Next locate the tag for the path where your repositories will be accessible from.  By default with the Collabnet install this will be /svn.  In that case you would look for .  If you configured a different path, just substitute /svn for the path you configured.  It should look something like this:
    DAV svn
    SVNParentPath C:/svn_repository
    The SVNParentPath should be the full path to the directory where you will store your repositories.  In this case, all repositories will be located at C:\svn_repository\.
  5. Add the following settings to this Location tag:SVNListParentPath On
    Set this to On if you are hosting multiple repositories and want Apache to display a list of repositories.
    AuthzSVNAccessFile C:/svn_repository/access.txt
    This is the full path to the file which will control access (we’ll create that next)
    AuthzLDAPAuthoritative off
    If on, this prevents another auth provider from handling authentication if ldap authentication fails.
    AuthType Basic
    Specifies basic auth.  You can change this to Digest or a different auth type if you like.
    AuthBasicProvider ldap
    Specifies that the LDAP provider will be used for authentication.
    AuthName "your.domain"
    This specifies the realm for authentication.  For simplicity, just set this to the fully qualified name of your domain.
    AuthLDAPBindDN "CN=SomeAccount,CN=Users,DC=your,DC=domain"
    This needs to be the fully qualified account name of an account that has read access to your domain.
    AuthLDAPBindPassword "password"
    This should be the password for the account specified in AuthLDAPBindDN.
    AuthLDAPURL "ldap://your.domain/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
    This will be used to locate users in your domain.  Everything to the left of the first question mark should be the ldap path where your users are located.  To the right of the first question mark is the user property that will be used as the username.  Typically you will use “sAMAccountName”, but if you wanted to have users use their email address as their username, you could use “mail” instead.  Leave the rest of the path unchanged.
    Require valid-user
    Specifies that a valid user account is required.
  6. Once you are done, the entire section should look like this:
    DAV svn
    SVNParentPath C:/svn_repository
    SVNListParentPath On
    AuthzSVNAccessFile C:/svn_repository/access.txt
    AuthzLDAPAuthoritative off
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "your.domain"
    AuthLDAPBindDN "CN=account,CN=Users,DC=your,DC=domain"
    AuthLDAPBindPassword "password"
    AuthLDAPURL "ldap://your.domain/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
    Require valid-user
  7. Next, restart the Apache service in your Services management console.  If you get an error, check the event log and double check the settings above.  If you don’t receive any errors, move on to the next section.

Setting up Access

The final step is to set up access for your repositories. Create a new file called “access.txt” where your repositories are located. This file should be at the same path you specified for the AuthzSVNAccessFile setting in the httpd.conf file. It doesn’t have to be where your repositories are located, it can be anywhere.
For each repository, create an entry like the following:
user1 = rw
user2 = rw
user3 = r
I won’t go into the format of this file because you can find extensive documentation in the Subversion Book. However, the important thing to understand is that the username you use will be based on property specified in the AuthLDAPURL setting in your httpd.conf. For example, if you specified sAMAccountName, you will enter the account name (without the domain portion). If you specified mail, you would enter the email address.
Save the access.txt file.
That’s it. You can now try checking out a repository by running the following command:
svn co http://localhost/svn/myrepo