Admin Guide
SVN Authentication and Authorization
Authentication and Authorization of SVN Users via Active Directory and OpenLDAP
Gérard Bieli, Christian Haller
Contents
1 Prerequisites
2 Compilation and installation of the Apache Module
3 Configuration
  3.1 Creating the SVN repository or repositories
  3.2 Creating the database
  3.3 Loading the required Apache modules
  3.4 Configuring the Apache web server
    3.4.1 Defining the LDAP aliases
    3.4.2 Configuring the Apache Location for the SVN repository
    3.4.3 Entering the global server commands for LDAP over SSL/TLS
    3.4.4 The full Apache SVN example configuration
Abstract
This document is a guide for administrators who want to implement SVN authentication against LDAP and SVN authorisation with the help of a database. The solution was tested on a Linux server with kernel version 2.6.26.
The solution consists of:
• Secure SSL authentication against more than one non-redundant LDAP server.
• Secure SSL authentication against redundant Active Directory domain controllers.
• SVN authorisation with the help of a MySQL database.
The solution uses a non-standard module called mod_authz_svn_db, developed by Christopher Wojno, for the database-based SVN authorisation.
Figure 0.1 shows the whole solution in one picture. A user types his or her credentials into the login fields of the SVN client (1). The SVN client sends these credentials via HTTP Basic authentication to the Apache server (2). After receiving the login data, the LDAP module, with the help of the alias module, tries to authenticate the user against the LDAP servers (3). After successful authentication, the module mod_authz_svn_db queries the MySQL database to check whether the user has access rights on the desired repository (4). If the user has the necessary rights, the dav_svn module delivers the SVN data to the client (5 and 6).
[Figure 0.1: SVN client; Apache with LDAP module, alias module, DAV SVN module and Authz SVN DB module; Active Directory EDU, Active Directory ADM and OpenLDAP servers; authorization DB; SVN repositories. Steps: 1 credentials, 2 HTTP Basic Auth, 3 authenticate user, 4 authorise user, 5 retrieve data from repo, 6 deliver data.]
Figure 0.1: Schematic of the whole solution
1 Prerequisites
To successfully implement the solution described in this document, it is assumed that the reader has basic knowledge of linux systems administration. This includes:
• Installation of packages via apt.
• Being familiar with the bash shell.
In order to successfully implement the configuration specified in this document, there are some system requirements to cover.
It is assumed that the Apache web server runs on Debian 5 (32-bit) with kernel 2.6.26-1-686 or later. The module compilation has not been tested on 64-bit systems or on Windows; since the Apache module framework is platform independent, it might also work there. To implement LDAP authentication, a working OpenLDAP server, Active Directory server or another LDAP server is needed. It is also possible to query multiple non-redundant LDAP servers in a specified order. If a secure SSL/TLS connection is desired, a valid SSL certificate must be available on the LDAP server(s). Note that the SVN client sends its credentials to Apache with HTTP Basic authentication, which is protected in transit only if the repository is served over HTTPS; configuring SSL for Apache itself is outside the scope of this guide.
All the steps and configurations in this document are intended to be executed on the server on which the Apache web server is installed.
The following Debian packages need to be installed in order to compile the mod_authz_svn_db module:
Package                 Version    Notes
apache2                 2.2.9      apache server meta package
libapache2-svn          1.5.1      apache svn module
apache2-threaded-dev    2.2.9      apache headers and build tools
libsvn-dev              1.5.1      svn headers
libmysqlclient15-dev    5.0.51a    mysql development libraries and headers
libmysqlclient15off     5.0.51a    mysql client library
To create and manage the SVN repository, the following package should be installed:
Package       Version    Notes
subversion    1.5.1      svn client, svn administration tool and svn server
To have a MySQL database server available on the same server, the following packages should be installed:
Package         Version        Notes
mysql-server    5.0.51a        mysql server meta package
phpmyadmin      4:2.11.8.1     php administration platform to manage the database (URL: http://localhost/phpmyadmin)
2 Compilation and installation of the Apache Module
If all the packages in chapter 1 have been installed, the compilation and installation of the module mod_authz_svn_db should work without any difficulties by simply executing the build script from the module's ZIP file.
In order to build the module, follow these instructions:
1. Unzip the mod_authz_svn_db.zip file to /tmp/mod_authz_svn_db.
2. Change to the directory /tmp/mod_authz_svn_db.
3. Execute the build.sh script with root privileges.

The build.sh script builds the module mod_authz_svn_db with the Apache apxs2 tool and installs it into the Apache modules directory; note that it stops the Apache server before building and starts it again afterwards. If the build and installation process was successful, the directory /usr/lib/apache2/modules should contain the file mod_authz_svn_db_mysql.so.
Listing 2.1 shows the content of the build file.

Listing 2.1: mod_authz_svn_db build script

#!/bin/bash
#stop the apache server
/etc/init.d/apache2 stop
#change to the mysql directory
cd mysql
#compile the module
#note: apxs2 is the apache build helper which is used to build modules. GCC does not work!!!!!
apxs2 -c -I/usr/include/subversion-1 -I.. -L/usr/lib/ -lmysqlclient mod_authz_svn_db_mysql.c
#install the module into the apache modules directory (usually /usr/lib/apache2/modules)
apxs2 -i -e -n authz_svn_db_mysql_module mod_authz_svn_db_mysql.la
#start the server
/etc/init.d/apache2 start
#change to the original directory
cd ..
If the installation was successful, the output on the console should be similar to Listing 2.2.

Listing 2.2: Output of the build script

Stopping web server: apache2.
/usr/share/apr-1.0/build/libtool --silent --mode=compile --tag=disable-static i486-linux-gnu-gcc -prefer-pic -DLINUX=2 -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -D_REENTRANT -I/usr/include/apr-1.0 -I/usr/include/mysql -I/usr/include/openssl -I/usr/include/postgresql -I/usr/include/xmltok -pthread -I/usr/include/apache2 -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -I/usr/include/postgresql -I/usr/include/mysql -I/usr/include/subversion-1 -I.. -c -o mod_authz_svn_db_mysql.lo mod_authz_svn_db_mysql.c && touch mod_authz_svn_db_mysql.slo
/usr/share/apr-1.0/build/libtool --silent --mode=link --tag=disable-static i486-linux-gnu-gcc -o mod_authz_svn_db_mysql.la -L/usr/lib/ -lmysqlclient -rpath /usr/lib/apache2/modules -module -avoid-version mod_authz_svn_db_mysql.lo
/usr/share/apache2/build/instdso.sh SH_LIBTOOL='/usr/share/apr-1.0/build/libtool' mod_authz_svn_db_mysql.la /usr/lib/apache2/modules
/usr/share/apr-1.0/build/libtool --mode=install cp mod_authz_svn_db_mysql.la /usr/lib/apache2/modules/
cp .libs/mod_authz_svn_db_mysql.so /usr/lib/apache2/modules/mod_authz_svn_db_mysql.so
cp .libs/mod_authz_svn_db_mysql.lai /usr/lib/apache2/modules/mod_authz_svn_db_mysql.la
PATH="$PATH:/sbin" ldconfig -n /usr/lib/apache2/modules
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/lib/apache2/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 644 /usr/lib/apache2/modules/mod_authz_svn_db_mysql.so
Starting web server: apache2.
3 Configuration
This chapter shows how to configure the Apache web server and the database in order to make the solution fully functional.
3.1 Creating the SVN repository or repositories
To create a new repository called example_rep follow these instructions:

1. Change to the directory where the repository or repositories should be created (e.g. /data).
2. Create an SVN repository with svnadmin create example_rep.
3. Change the owner and the group of the created repository to www-data (chown -R and chgrp -R), because the Apache worker processes, not the administrator, read and write the repository. Do not leave the repository readable by other local users: with Apache in front, all access control is enforced by the modules configured below, and direct file access would bypass it.
3.2 Creating the database
To create the database on the MySQL server follow these instructions:
1. Connect to the MySQL server either with phpmyadmin (URL: http://localhost/phpmyadmin) or with the command line client.
2. Execute the contents of the create_db.sql file contained in mod_authz_svn_db.zip.
3. Create a database user mod_svn with SELECT permission only, restricted to the svnperm database. This user is used by the mod_authz_svn_db module to query the database; the module only reads, so it needs nothing more. The user name and password must match the AuthzSVNDBUsername and AuthzSVNDBPassword directives in the Location configuration (the example configuration in section 3.4.4 uses the name svn_mod).
After the successful creation of the database, the MySQL server should have a database called svnperm with seven tables. Listing 3.1 shows the SQL commands for creating the database with its tables. The columns read and write are enclosed in backticks because both are reserved words in MySQL.
Listing 3.1: Database creation

CREATE DATABASE `svnperm` DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
USE `svnperm`;

CREATE TABLE `authz_svn_repository` (
  `id` INT(11) NOT NULL AUTO_INCREMENT,
  `name` VARCHAR(255) NOT NULL UNIQUE,
  PRIMARY KEY (`id`),
  INDEX repo_name_idx (`name`)
) ENGINE=InnoDB;

CREATE TABLE `authz_svn_user` (
  `id` INT(11) NOT NULL AUTO_INCREMENT,
  `name` VARCHAR(255) NOT NULL UNIQUE,
  PRIMARY KEY (`id`),
  INDEX user_name_idx (`name`)
) ENGINE=InnoDB;

CREATE TABLE `authz_svn_repo_path` (
  `id` INT(11) NOT NULL AUTO_INCREMENT,
  `repository_id` INT(11) NOT NULL,
  `path` VARCHAR(255) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE (`repository_id`, `path`),
  FOREIGN KEY repository_id_idx_fk (`repository_id`) REFERENCES `authz_svn_repository` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB;

CREATE TABLE `authz_svn_user_permission` (
  `user_id` INT(11) NOT NULL,
  `repository_path_id` INT(11) NOT NULL,
  `read` TINYINT(1) NOT NULL,
  `write` TINYINT(1) NOT NULL,
  `recursive` TINYINT(1) NOT NULL,
  PRIMARY KEY (`user_id`, `repository_path_id`),
  FOREIGN KEY user_id_idx_fk (`user_id`) REFERENCES `authz_svn_user` (`id`) ON DELETE CASCADE,
  FOREIGN KEY repo_path_id_idx_fk (`repository_path_id`) REFERENCES `authz_svn_repo_path` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB;

CREATE TABLE `authz_svn_group` (
  `id` INT(11) NOT NULL AUTO_INCREMENT,
  `name` VARCHAR(255) NOT NULL UNIQUE,
  PRIMARY KEY (`id`),
  INDEX group_name_idx (`name`)
) ENGINE=InnoDB;

CREATE TABLE `authz_svn_group_membership` (
  `id` INT(11) NOT NULL AUTO_INCREMENT,
  `user_id` INT(11) NOT NULL,
  `group_id` INT(11) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE (`user_id`, `group_id`),
  FOREIGN KEY user_id_idx_fk (`user_id`) REFERENCES `authz_svn_user` (`id`) ON DELETE CASCADE,
  FOREIGN KEY group_id_idx_fk (`group_id`) REFERENCES `authz_svn_group` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB;

CREATE TABLE `authz_svn_group_permission` (
  `id` INT(11) NOT NULL AUTO_INCREMENT,
  `group_id` INT(11) NOT NULL,
  `repository_path_id` INT(11) NOT NULL,
  `read` TINYINT(1) NOT NULL,
  `write` TINYINT(1) NOT NULL,
  `recursive` TINYINT(1) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE (`group_id`, `repository_path_id`),
  FOREIGN KEY repo_path_id_idx_fk (`repository_path_id`) REFERENCES `authz_svn_repo_path` (`id`) ON DELETE CASCADE,
  FOREIGN KEY group_id_idx_fk (`group_id`) REFERENCES `authz_svn_group` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB;
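To see how the seven tables combine into an access decision, the following added example (not part of this guide and not the module's own code) transcribes the schema of Listing 3.1 to SQLite, loads a few constructed rows and resolves the effective read/write rights of a user on a repository path. The resolution rule it applies is an assumption: the most specific path that covers the target wins, a row on a parent path reaches child paths only when its recursive flag is set, and at equal depth direct user grants and group grants are combined. Check that rule against the module's source before relying on it; the example is meant to make the data model concrete and to show why read, write and recursive must be quoted.

```python
"""Added example, not code from this guide or from mod_authz_svn_db: the
svnperm schema of Listing 3.1 transcribed to SQLite, a few constructed rows,
and a resolver that answers "may this user read/write this path?" from the
tables. Resolution rule (an assumption, see the lead-in): the most specific
covering path wins, rows reach child paths only when recursive = 1, and at
equal depth direct user grants and group grants are combined."""
import sqlite3

# Listing 3.1 in SQLite syntax. read, write and recursive are quoted because
# they are reserved words (MySQL backticks them for the same reason).
SCHEMA = """
CREATE TABLE authz_svn_repository (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL UNIQUE);
CREATE TABLE authz_svn_user (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL UNIQUE);
CREATE TABLE authz_svn_group (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL UNIQUE);
CREATE TABLE authz_svn_repo_path (id INTEGER PRIMARY KEY AUTOINCREMENT,
  repository_id INTEGER NOT NULL REFERENCES authz_svn_repository(id) ON DELETE CASCADE,
  path TEXT NOT NULL, UNIQUE (repository_id, path));
CREATE TABLE authz_svn_group_membership (id INTEGER PRIMARY KEY AUTOINCREMENT,
  user_id INTEGER NOT NULL REFERENCES authz_svn_user(id) ON DELETE CASCADE,
  group_id INTEGER NOT NULL REFERENCES authz_svn_group(id) ON DELETE CASCADE,
  UNIQUE (user_id, group_id));
CREATE TABLE authz_svn_user_permission (
  user_id INTEGER NOT NULL REFERENCES authz_svn_user(id) ON DELETE CASCADE,
  repository_path_id INTEGER NOT NULL REFERENCES authz_svn_repo_path(id) ON DELETE CASCADE,
  "read" INTEGER NOT NULL, "write" INTEGER NOT NULL, "recursive" INTEGER NOT NULL,
  PRIMARY KEY (user_id, repository_path_id));
CREATE TABLE authz_svn_group_permission (id INTEGER PRIMARY KEY AUTOINCREMENT,
  group_id INTEGER NOT NULL REFERENCES authz_svn_group(id) ON DELETE CASCADE,
  repository_path_id INTEGER NOT NULL REFERENCES authz_svn_repo_path(id) ON DELETE CASCADE,
  "read" INTEGER NOT NULL, "write" INTEGER NOT NULL, "recursive" INTEGER NOT NULL,
  UNIQUE (group_id, repository_path_id));
"""

# Constructed sample rows (not from the guide): developers read the whole
# repository, write /trunk, and write /branches only at its top level
# (recursive = 0); alice alone may also write /tags; carol has no rows.
SAMPLE = """
INSERT INT0 authz_svn_repository (id, name) VALUES (1, 'example_repo');
INSERT INTO authz_svn_repo_path (id, repository_id, path)
  VALUES (1, 1, '/'), (2, 1, '/trunk'), (3, 1, '/tags'), (4, 1, '/branches');
INSERT INTO authz_svn_user (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
INSERT INTO authz_svn_group (id, name) VALUES (1, 'developers');
INSERT INTO authz_svn_group_membership (user_id, group_id) VALUES (1, 1), (2, 1);
INSERT INTO authz_svn_group_permission (group_id, repository_path_id, "read", "write", "recursive")
  VALUES (1, 1, 1, 0, 1), (1, 2, 1, 1, 1), (1, 4, 1, 1, 0);
INSERT INTO authz_svn_user_permission (user_id, repository_path_id, "read", "write", "recursive")
  VALUES (1, 3, 1, 1, 1);
""".replace("INT0", "INTO")

# Every permission row that applies to one user in one repository, whether
# granted directly (user table) or through group membership (group table).
QUERY = """
SELECT rp.path, p.can_read, p.can_write, p.is_recursive
  FROM authz_svn_repo_path rp
  JOIN authz_svn_repository r ON r.id = rp.repository_id
  JOIN (SELECT up.repository_path_id AS path_id, up."read" AS can_read,
               up."write" AS can_write, up."recursive" AS is_recursive
          FROM authz_svn_user_permission up
          JOIN authz_svn_user u ON u.id = up.user_id WHERE u.name = :user
        UNION ALL
        SELECT gp.repository_path_id, gp."read", gp."write", gp."recursive"
          FROM authz_svn_group_permission gp
          JOIN authz_svn_group_membership gm ON gm.group_id = gp.group_id
          JOIN authz_svn_user u ON u.id = gm.user_id WHERE u.name = :user) p
    ON p.path_id = rp.id
 WHERE r.name = :repo
"""

def build_db():
    """Fresh in-memory svnperm database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def _covers(row_path, recursive, target):
    """Does a permission row stored for row_path apply to target?"""
    base = "/" + row_path.strip("/")
    tgt = "/" + target.strip("/")
    if base == tgt:
        return True
    if not recursive:
        return False
    return base == "/" or tgt.startswith(base + "/")

def effective_permission(conn, user, repo, target):
    """Return (read, write) booleans for user on repo:target."""
    best_depth, can_read, can_write = -1, False, False
    for row_path, r, w, rec in conn.execute(QUERY, {"user": user, "repo": repo}):
        if not _covers(row_path, rec, target):
            continue
        depth = len("/" + row_path.strip("/"))
        if depth > best_depth:        # a more specific path replaces the parent's grant
            best_depth, can_read, can_write = depth, bool(r), bool(w)
        elif depth == best_depth:     # same path via user and group: union of grants
            can_read, can_write = can_read or bool(r), can_write or bool(w)
    return can_read, can_write

if __name__ == "__main__":
    db = build_db()
    for who, what in [("alice", "/tags/v1"), ("bob", "/tags/v1"), ("bob", "/branches/feature")]:
        print(who, what, effective_permission(db, who, "example_repo", what))
```

The non-recursive row on /branches is the edge case worth noticing: bob may commit to /branches itself, but inside /branches/feature only the recursive read-only grant on / still applies. A missing row (carol, or a repository name with no entry) yields no rights at all, which is the fail-closed behaviour one wants from an authorization table.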
3.3 Loading the required Apache modules
There are certain modules which need to be loaded:
1. Make sure the dav_svn module is activated (which should be the case after installing it via apt).
2. Edit the file /etc/apache2/mods-enabled/dav_svn.load and append the line
   LoadModule authz_svn_db_mysql_module /usr/lib/apache2/modules/mod_authz_svn_db_mysql.so
   to load the mod_authz_svn_db module. Listing 3.2 shows the new content of the file dav_svn.load.
3. Enable the module mod_authn_alias by executing the command a2enmod authn_alias.
4. Enable the module mod_authnz_ldap by executing the command a2enmod authnz_ldap. mod_authnz_ldap depends on mod_ldap, which provides the global LDAP directives used in section 3.4.3; a2enmod enables it together with authnz_ldap.

Listing 3.2: Content of the new dav_svn.load

# Depends: dav
LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so
LoadModule authz_svn_db_mysql_module /usr/lib/apache2/modules/mod_authz_svn_db_mysql.so
3.4 Configuring the Apache web server
3.4.1 Defining the LDAP aliases
In the dav_svn.conf file the necessary alias definitions need to be created at the beginning of the file. mod_authn_alias allows the same provider (here ldap) to be configured several times with different parameters; each configuration gets an alias name that is later referenced in the AuthBasicProvider directive of a Location. Listing 3.3 shows the structure of an alias definition for an LDAP connection. Details on the configuration of Apache aliases can be found at http://httpd.apache.org/docs/2.2/mod/mod_authn_alias.html. A complete example configuration is available in section 3.4.4.

Listing 3.3: Alias definition

<AuthnProviderAlias ldap alias1>
  AuthLDAPBindDN ...
  AuthLDAPBindPassword ...
  AuthLDAPURL ...
</AuthnProviderAlias>
Table 3.1 shows the common LDAP ports which can be used in the host part of AuthLDAPURL.

Table 3.1: LDAP Ports

Port    Explanation
389     Standard LDAP port (plain text unless STARTTLS is used)
636     LDAP port for secure SSL connections
3268    Global Catalog port used by Active Directory (plain text)
3269    Secure Global Catalog port used by Active Directory
3.4.2 Configuring the Apache Location for the SVN repository
After creating the aliases, define a Location. A Location is the part of the URL under which the SVN repository should be accessible. Details about the definition of a Location are available at http://httpd.apache.org/docs/2.2/en/mod/core.html#location.

Listing 3.4 shows the structure of a Location definition. It contains three sections:

1. The SVN section contains the directives defined by the mod_dav_svn module. Details at http://svnbook.red-bean.com/en/1.5/svn-book.html#svn.ref.mod_dav_svn.
2. The authentication section uses the HTTP Basic authentication directives of mod_auth_basic; AuthBasicProvider lists the aliases from section 3.4.1 in the order in which they are tried. Details at http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html.
3. The authorization section contains the directives for the mod_authz_svn_db module. All the available directives are explained in Listing 3.5.
Listing 3.4: Location configuration

<Location /example_repo>
  #section 1:
  DAV svn
  SVNPath ...

  #section 2:
  AuthBasicProvider alias1 alias2 ...
  AuthType Basic
  AuthName "..."
  require valid-user

  #section 3:
  AuthzSVNDBHost ...
  AuthzSVNDBPort ...
  AuthzSVNDBName ...
  AuthzSVNDBUsername ...
  AuthzSVNDBPassword ...
</Location>
Listing 3.5 contains the part of the readme file of the mod_authz_svn_db module (http://svn.wojno.com/mod_authz_svn_db/trunk/README) that documents its directives. It is reproduced here because it is unknown for how long it will remain available on the developer's web page. Note that the column defaults given in the readme do not all match the column names created by Listing 3.1: the readme lists repository_id as the default for AuthzSVNDBUPermissionPathColumn and AuthzSVNDBGPermissionPathColumn, whereas the schema names that column repository_path_id. If authorization fails for a user who has matching rows, compare the defaults with the schema and set the corresponding ...Column directive explicitly in the Location.
Listing 3.5: mod_authz_svn_db directives

In order to configure mod_authz_svn_db, Apache2 needs to be told how the database is configured. This configuration is read only on boot if you place it in the vhosts configuration files (it is strongly recommended that you do for performance reasons). Although you can put it in the .htaccess files, this practice is strongly discouraged.

* AuthzSVNDBAuthoritative <On|Off>   Optional
  Default: On
  Description: If enabled, mod_authz_svn_db will be the final judge of access authorization. Although other authorization modules may run before it, if mod_authz_svn_db is run, no other modules will be consulted. If set to Off, if the user is not found by mod_authz_svn_db, another authorization module can take over for mod_authz_svn_db.
  Notes: This is really only useful if you want to use mod_authz_svn_db and some other module to authorize users.
  Warnings: None

* AuthzSVNDBHost <string>   Required
  Default: localhost
  Description: This is the host where your database can be contacted. IP addresses are recommended for speed, but you may also use hostnames such as www.wojno.com or localhost
  Notes: None
  Warnings: None

* AuthzSVNDBPort <unsigned integer (1-65535)>   Required
  Default: The default for the database software to which one is connecting.
  Description: This is the port on the AuthzSVNDBHost on which your database is listening for new connections.
  Notes: None
  Warnings: None

* AuthzSVNDBName <string>   Required
  Default: N/A
  Description: This is the name of the database that contains the authorization tables as described in section V.
  Notes: None
  Warnings: None

* AuthzSVNDBUsername <string>   Required
  Default: N/A
  Description: This is the username used to connect to the database AuthzSVNDBName at AuthzSVNDBHost
  Notes: None
  Warnings: None

* AuthzSVNDBPassword <string>   Optional if AuthzSVNDBPasswordFile used
  Default: N/A
  Description: The password to use when accessing the database (database authentication), overrides the specified password file. It is recommended that a password file be used instead of this directive if the configuration file is publicly visible.
  Notes: See AuthzSVNDBPasswordFile
  Warnings: If the configuration file in which this directive is used is visible to the public, people will be able to see your database password! Use AuthzSVNDBPasswordFile instead!

* AuthzSVNDBUserTable <string>   Optional
  Default: authz_svn_user
  Description: The name of the table in AuthzSVNDBName that contains the list of users (see section V)
  Notes: None
  Warnings: None

* AuthzSVNDBUserColumn <string>   Optional
  Default: name
  Description: The name of the column in AuthzSVNDBUserColumn that contains the name of the users
  Notes: See Section V
  Warnings: None

* AuthzSVNDBUserIDColumn <string>   Optional
  Default: id
  Description: The name of the column in AuthzSVNDBUserColumn that contains the numeric ID of the users
  Notes: If your database does not have ID's for every user, then your database designer needs to be fired. This is a required part of the database.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBRepositoryTable <string>   Optional
  Default: authz_svn_repository
  Description: The name of the table in AuthzSVNDBName that contains the list of repository names (not paths)
  Notes: See Section V
  Warnings: None

* AuthzSVNDBRepositoryColumn <string>   Optional
  Default: name
  Description: The name of the column in AuthzSVNDBUserColumn that contains the name of the repositories
  Notes: See Section V
  Warnings: None

* AuthzSVNDBRepositoryIDColumn <string>   Optional
  Default: id
  Description: The name of the column in AuthzSVNDBUserColumn that contains the numeric ID of the repositories
  Notes: See Section V
  Warnings: None

* AuthzSVNDBGroupMembershipTable <string>   Optional
  Default: authz_svn_group_membership
  Description: The name of the table in AuthzSVNDBName that contains the matching of user ID's and group ID's indicating membership in a group
  Notes: See Section V
  Warnings: None

* AuthzSVNDBGroupMembershipUserColumn <string>   Optional
  Default: user_id
  Description: The name of the user column in the group membership database. This is where the user id is specified to link users to groups.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBGroupMembershipGroupColumn <string>   Optional
  Default: group_id
  Description: The name of the group column in the group membership database. This is where the group id is specified to link users to groups.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBUPermissionTable <string>   Optional
  Default: authz_svn_user_permission
  Description: The name of the table where user-level permissions (R/W/Recursive) are stored. This table contains the data to allow Apache to grant and reject individual users from accessing a particular repository.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBUPermissionUserColumn <string>   Optional
  Default: user_id
  Description: This is where the user's id is stored in the user permission table and links users to repositories.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBUPermissionPathColumn <string>   Optional
  Default: repository_id
  Description: This is where the repository's id is stored in the user permission table and links users to repositories.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBUPermissionReadColumn <string>   Optional
  Default: read
  Description: This is the name of the column in the database that grants or revokes the ability of a user to read a repository.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBUPermissionWriteColumn <string>   Optional
  Default: write
  Description: This is the name of the column in the database that grants or revokes the ability of a user to write to a repository.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBUPermissionRecursiveColumn <string>   Optional
  Default: recursive
  Description: This is the name of the column in the database that controls whether a user's permissions are to be propagated to child directories in a repository.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBGPermissionTable <string>   Optional
  Default: authz_svn_group_permission
  Description: The name of the table where group-level permissions (R/W/Recursive) are stored. This table contains the data to allow Apache to grant and reject groups from accessing a particular repository.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBGPermissionGroupColumn <string>   Optional
  Default: group_id
  Description: This is where the group's id is stored in the group permission table and links groups to repositories.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBGPermissionPathColumn <string>   Optional
  Default: repository_id
  Description: This is where the repository's id is stored in the group permission table and links groups to repositories.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBGPermissionReadColumn <string>   Optional
  Default: read
  Description: This is the name of the column in the database that grants or revokes the ability of a group to read a repository.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBGPermissionWriteColumn <string>   Optional
  Default: write
  Description: This is the name of the column in the database that grants or revokes the ability of a group to write to a repository.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBGPermissionRecursiveColumn <string>   Optional
  Default: recursive
  Description: This is the name of the column in the database that controls whether a group's permissions are to be propagated to child directories in a repository.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBRepoPathTable <string>   Optional
  Default: authz_svn_repo_path
  Description: The table name for that table that contains a listing of all repository paths for apache to serve. Such paths are available as URI's appended to the Apache server URL. I.E. if the authz SVN DAV parent path is located at: "http://svn.server.com/svndav" and one of the repository paths is "my_project", then one may specify: "http://svn.server.com/svndav/my_project" to access the repository.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBRepoPathPathColumn <string>   Optional
  Default: path
  Description: The column in the table that stores the string path to the repository, or a sub-directory within the repository. Therefore, any sub-directories within a repository can be explicitly named here. Once named, user and group permissions can be applied to those paths.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBRepoPathRepositoryColumn <string>   Optional
  Default: repository_id
  Description: The column that stores the target repository id to which the path is linked and within which the path is contained. I.E. if the repository "my_project" has branch, trunk, and tag, the AuthzSVNDBRepoPathPathColumn can be "/trunk" or "/branch".
  Notes: See Section V
  Warnings: None

* AuthzSVNDBRepoPathIDColumn <string>   Optional
  Default: id
  Description: The name of the primary key index column for the Path table. If your database does not have one, fire your database designer. All tables need primary keys.
  Notes: See Section V
  Warnings: None

* AuthzSVNDBPasswordFile <string>   Optional
  Default: NULL (Not used)
  Description: This is a fall-back in the event a flat file is to be used for authentication. Please note, using this file may help debug the installation of the module, but is a security risk as all passwords must be stored in plain-text. It is recommended that this file be used only for development and only be readable to an administrator and Apache.
  Notes: See Section V
  Warnings: Using a password file is a security risk! Use only for development and ensure the target file is readable, writeable, and executable only by root and Apache's user.

Source: http://svn.wojno.com/mod_authz_svn_db/trunk/README
3.4.3 Entering the global server commands for LDAP over SSL/TLS

If an SSL/TLS connection to the LDAP servers is needed and the servers use a self-signed certificate, a few global directives of mod_ldap are necessary. They belong in the server configuration (httpd.conf, see Listing 3.6), not inside a Location. There are two possibilities with a self-signed certificate. Either certificate verification is turned off with the global directive LDAPVerifyServerCert Off, or the certificate of the certificate authority (CA) that issued the LDAP server certificate is registered with LDAPTrustedGlobalCert <cert type> <cert path>, for example LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/cert/cacert.pem for a PEM-encoded CA certificate. Only the second option should be used outside a test setup: with verification turned off, the SSL/TLS connection still protects against passive eavesdropping but not against impersonation, so anyone who can redirect the LDAP traffic can present a certificate of their own and collect the bind password as well as every user password sent for authentication.
3.4.4 The full Apache SVN example configuration
Both files contain secrets in clear text: the LDAP bind passwords and the database password (shown here as pw). Keep them readable by root only; Apache reads its configuration as root before it drops privileges to www-data, so the worker processes do not need access to the files. Note also that the openldap alias binds to localhost on port 389 without SSL/TLS (NONE), which is acceptable only because that connection never leaves the host; the two Active Directory aliases use the SSL ports 3269 and 636 from Table 3.1.

Listing 3.6: Content of the httpd.conf file

LDAPVerifyServerCert On
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/cert/cacert.pem

Listing 3.7: Content of the dav_svn.conf file

<AuthnProviderAlias ldap openldap>
  #*********************************************
  #Authentication data for the OpenLDAP server
  #*********************************************

  AuthLDAPBindDN "CN=admin,dc=imvs,dc=technik,dc=fhnw,dc=ch"
  AuthLDAPBindPassword pw
  AuthLDAPURL ldap://localhost:389/DC=imvs,DC=technik,DC=fhnw,DC=ch?cn?sub?(objectClass=person) NONE
</AuthnProviderAlias>

<AuthnProviderAlias ldap ad-stud>
  #*********************************************
  #Authentication data for the edu domain
  #*********************************************

  #For AD, a bind DN and password is necessary because anonymous binding isn't allowed for searching
  AuthLDAPBindDN user@edu.ds.fhnw.ch
  AuthLDAPBindPassword pw

  #check the two redundant domain controllers
  #3269 is the global catalog ssl server port.
  AuthLDAPURL "ldap://dsemu11.edu.ds.fhnw.ch:3269 dsemu12.edu.ds.fhnw.ch:636/ou=edu,ou=prod,DC=edu,DC=ds,DC=fhnw,DC=ch?mail?sub?(objectClass=person)" SSL
</AuthnProviderAlias>

<AuthnProviderAlias ldap ad-adm>
  #*********************************************
  #Authentication data for the adm domain
  #*********************************************

  #For AD, a bind DN and password is necessary because anonymous binding isn't allowed for searching
  AuthLDAPBindDN user@edu.ds.fhnw.ch
  AuthLDAPBindPassword pw

  AuthLDAPURL "ldap://dsamu11.ict.fhnw.ch:636 dsamu12.ict.fhnw.ch:636/OU=adm,OU=Prod,DC=adm,DC=ds,DC=fhnw,DC=ch?mail?sub?(objectClass=person)" SSL
</AuthnProviderAlias>

<Location /example_repo>
  #SVN section:
  DAV svn
  SVNPath /data/example_repo

  #Authentication section
  AuthBasicProvider openldap ad-stud ad-adm
  AuthType Basic
  AuthName "For accessing the repository, an authentication is needed"
  require valid-user

  #Authorization
  AuthzSVNDBHost "localhost"
  AuthzSVNDBPort "3306"
  AuthzSVNDBName "svnperm"
  AuthzSVNDBUsername "svn_mod"
  AuthzSVNDBPassword "pw"
</Location>
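The following added example (not part of this guide or of mod_authz_svn_db) audits a configuration written in the pattern of sections 3.4.1 to 3.4.4 for the points a reviewer would check: an AuthLDAPURL that binds without SSL/TLS, an SSL or TLS mode paired with a port from Table 3.1 that does not match it, LDAPVerifyServerCert Off, a Basic-auth Location without SSLRequireSSL, and AuthzSVNDBPassword kept inline. The sample configuration inside it is constructed with example.org names; the directive names, the NONE/SSL/TLS mode argument and the multi-host AuthLDAPURL form are the real ones used above.

```python
"""Added example, not code from this guide or from mod_authz_svn_db: a
reviewer's audit of a configuration written in the pattern of sections 3.4.1
to 3.4.4. SAMPLE_CONFIG is constructed with example.org names; the directive
names, the SSL/TLS/NONE mode argument and the multi-host AuthLDAPURL form are
the real mod_authnz_ldap, mod_ldap, mod_ssl and mod_authz_svn_db ones."""
import re
import shlex
from collections import namedtuple

Finding = namedtuple("Finding", "code where message")
PLAIN_PORTS, SSL_PORTS = {389, 3268}, {636, 3269}   # Table 3.1

def parse_ldap_url(url):
    """(scheme, [(host, port), ...]) for an AuthLDAPURL value. mod_authnz_ldap accepts
    several space-separated host[:port] entries, used above for redundant controllers."""
    m = re.match(r"(ldaps?)://([^/]*)", url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme = m.group(1)
    default = 636 if scheme == "ldaps" else 389
    hosts = []
    for entry in m.group(2).split():
        host, _, port = entry.partition(":")
        hosts.append((host, int(port) if port else default))
    return scheme, hosts

def audit(config_text):
    """One pass over the configuration text; returns a list of Finding tuples."""
    findings, alias, loc, basic, ssl = [], None, None, False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(AuthnProviderAlias\s+ldap|Location)\s+(\S+)>", line, re.I)
        if m:                                    # a block opens
            if m.group(1).lower() == "location":
                loc, basic, ssl = m.group(2), False, False
            else:
                alias = m.group(2)
            continue
        if line.lower() == "</authnprovideralias>":
            alias = None
            continue
        if line.lower() == "</location>":       # block closes: judge the Location as a whole
            if basic and not ssl:
                findings.append(Finding("basic-without-ssl", loc, "Basic credentials cross the "
                    "client leg in clear unless the vhost is HTTPS-only; add SSLRequireSSL"))
            loc = None
            continue
        tokens = shlex.split(line)               # honours the quoted multi-host URL form
        directive, args = tokens[0].lower(), tokens[1:]
        if directive == "ldapverifyservercert" and args and args[0].lower() == "off":
            findings.append(Finding("ldap-verify-off", "global", "certificate checks disabled: "
                "a host on the path can impersonate the LDAP server; use LDAPTrustedGlobalCert"))
        elif directive == "authldapurl" and alias:
            scheme, hosts = parse_ldap_url(args[0])
            mode = args[1].upper() if len(args) > 1 else "NONE"
            if scheme != "ldaps" and mode not in ("SSL", "TLS", "STARTTLS"):
                findings.append(Finding("ldap-plaintext", alias, "binds in clear to %s: the bind "
                    "password and every user password cross the network unencrypted" % hosts))
            for host, port in hosts:
                if (mode == "SSL" and port in PLAIN_PORTS) or \
                   (mode in ("TLS", "STARTTLS") and port in SSL_PORTS):
                    findings.append(Finding("ldap-port-mismatch", alias, "%s:%d with mode %s (SSL "
                        "expects 636/3269, TLS/STARTTLS expects 389/3268)" % (host, port, mode)))
        elif loc is not None:
            if directive == "authtype" and args and args[0].lower() == "basic":
                basic = True
            elif directive == "sslrequiressl":
                ssl = True
            elif directive == "authzsvndbpassword":
                findings.append(Finding("db-password-inline", loc, "database password inline; "
                    "AuthzSVNDBPasswordFile is plaintext too, so restrict either file to root "
                    "and the Apache user and grant the database user SELECT only"))
    return findings

# Constructed sample (example.org names) that triggers each finding once.
SAMPLE_CONFIG = """
LDAPVerifyServerCert Off
<AuthnProviderAlias ldap openldap>
  AuthLDAPBindDN "cn=admin,dc=example,dc=org"
  AuthLDAPBindPassword pw
  AuthLDAPURL ldap://ldap.example.org:389/dc=example,dc=org?uid?sub?(objectClass=person) NONE
</AuthnProviderAlias>
<AuthnProviderAlias ldap ad-corp>
  AuthLDAPURL "ldap://dc1.corp.example.org:3269 dc2.corp.example.org:3269/DC=corp,DC=example,DC=org?mail?sub?(objectClass=person)" SSL
</AuthnProviderAlias>
<AuthnProviderAlias ldap ad-broken>
  AuthLDAPURL ldap://dc3.corp.example.org:389/DC=corp,DC=example,DC=org?mail?sub?(objectClass=person) SSL
</AuthnProviderAlias>
<Location /example_repo>
  DAV svn
  AuthBasicProvider openldap ad-corp ad-broken
  AuthType Basic
  require valid-user
  AuthzSVNDBUsername "svn_mod"
  AuthzSVNDBPassword "pw"
</Location>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("%-20s %-14s %s" % (f.code, f.where, f.message))
```

Run against the sample, the audit reports five findings: the global verify-off setting, the plaintext openldap bind, the ad-broken alias that asks for SSL on the plain port 389, and two for the Location (Basic auth without SSLRequireSSL, database password inline). A Location that carries SSLRequireSSL, and a global LDAPVerifyServerCert On, produce nothing.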