SVN Authentication and Authorization

Transcription

1 Admin Guide SVN Authentication and Authorization Authentication and Authorization of SVN Users via Active Directory and OpenLDAP Gérard Bieli, Christian Haller Windisch, 14th August 2009

2 Contents 1 Prerequisites 4 2 Compilation and installation of the Apache Module 5 3 Configuration Creating the SVN repository or repositories Creating the database Loading the required Apache modules Configuring the Apache web server Defining the LDAP aliases Configuring the Apache Location for the SVN repository Entering the global server commands for LDAP over SSL/TLS The full Apache SVN example configuration

3 Abstract This document contains a guide for administrators to implement a solution for SVN LDAP authentication and authorisation with the help of a database. This solution was tested on a Linux server with Kernel version The solution consists of: Secure SSL Authentication against more than one non-redundant LDAP Server. Secure SSL Authentication against redundant Active Directory Domain Controllers. SVN Authorisation with the help of a MySQL Database. The solution uses a non standard module called mod authz svn db 1 developed by Christopher Wojno for the SVN database based authorisation. Figure 0.1 shows the whole solution detailed in one picture. A user types in his or her credentials into the SVN client login fields (1). The SVN client then sends this credentials via HTTP basic auth to the Apache server (2). After receiving the login data, the LDAP module tries to authenticate the user against the LDAP servers (with the help of the alias module) (3). After the successful authentication, the module mod authz svn db queries the MySQL database to check whether the user has access rights on the desired repository or not (4). If the user has the necessary rights, the dav svn module delivers the SVN data to the client (5 and 6). Apache SVN Repositories SVN Client credentials 2 6 deliver data HTTP Basic Auth DAV SVN Modul Authz SVN DB Modul LDAP Modul retrieve data from repo authorise user Authorization DB 1 Alias Modul authenticate user OpenLDAP Active Directory EDU Active Directory ADM Figure 0.1: Schematic of the whole solution 1 authz svn db

4 1 Prerequisites To successfully implement the solution described in this document, it is assumed that the reader has basic knowledge of linux systems administration. This includes: Installation of packages via apt. Being familiar with the bash shell. In order to successfully implement the configuration specified in this document, there are some system requirements to cover. It is assumed that the apache web server runs a Debian 5 32bit Linux with Kernel or later. The module compilation has not been tested on 64bit systems or Windows. Due to the fact that the Apache module framework should be platform independent, it might also work on these systems. In order to successfully implement a LDAP authentication system, a working OpenLDAP, Active Directory server or another LDAP server is needed. It is also possible to query multiple non redundant LDAP servers in a specified order. If a secure SSL/TLS connection is desired, a valid SSL certificate must be available on the LDAP server(s). All the steps and configurations in this document are intended to be executed on the server on which the Apache web server is installed. The following debian packages need to be installed in order to successfully compile the mod authz svn db module: Package apache2 v2.2.9 libapache2-svn v1.5.1 apache2-threaded-dev v2.2.9 libsvn-dev v1.5.1 libmysqlclient15-dev v5.0.51a libmysqlclient15off v5.0.51a Notes apache server meta package apache svn module apache headers and build tools svn headers mysql development libraries and headers mysql client library To create and manage the SVN repository, the following package should be installed: Package Notes subversion v1.5.1 svn client, svn administration tool and svn server To have a MySQL database server available on the same server, the following packages should be installed: Package mysql-server v5.0.51a phpmyadmin v4: Notes mysql server meta package php administration platform to manage the database (URL: 4

5 2 Compilation and installation of the Apache Module If all the packages in chapter 1 have been installed, the compilation and installation of the module mod authz svn db should work without any difficulties by simply executing the build script from the module s ZIP file. In order to build the module, follow these instructions: 1. Unzip the mod authz svn db.zip file to /tmp/mod authz svn db. 2. Change to the directory /tmp/mod authz svn db. 3. Execute the build.sh script with root priviledges. The build.sh script builds and installs the module mod authz svn db with the help of the Apache apxs2 tool into the Apache modules folder. If the build and installation process was successful, the directory /usr/lib/apache2/modules should contain the mod authz svn db mysql.so file. Listing 2.1 shows the content of the build file. #! / bin / bash Listing 2.1: mod authz svn db build script #s t o p the apache s e r v e r / e t c / i n i t. d/ apache2 stop #change to the mysql d i r e c t o r y cd mysql #compile the module #note : apxs2 i s t he apache b u i l d h e l p e r which i s used to b u i l d modules. GCC does not work!!!!! apxs2 c I / usr / i n c l u d e / subversion 1 I.. L / usr / l i b / l m y s q l c l i e n t mod authz svn db mysql. c #i n s t a l l the module i n t o t he apache modules d i r e c t o r y ( u s u a l l y / user / l i b / apache2 / modules ) apxs2 i e n authz svn db mysql module mod authz svn db mysql. l a #s t a r t the s e r v e r / e t c / i n i t. d/ apache2 s t a r t #change to the o r i g i n a l d i r e c t o r y cd.. 5

6 Chapter 2. Compilation and installation of the Apache Module If the installation was successful, the output on the console should be similar to Listing 2.2. Listing 2.2: Output of the buildscript Stopping web s e r v e r : apache2. / usr / share /apr 1.0/ b u i l d / l i b t o o l s i l e n t mode=compile tag=d i s a b l e s t a t i c i486 linux gnu gcc p r e f e r p i c DLINUX=2 D GNU SOURCE D LARGEFILE64 SOURCE D REENTRANT I / usr / i n c l u d e /apr 1.0 I / usr / i n c l u d e /mysql I / usr / i n c l u d e / o p e n s s l I / usr / i n c l u d e / p o s t g r e s q l I / usr / i n c l u d e / xmltok pthread I / usr / i n c l u d e / apache2 I / usr / i n c l u d e /apr 1.0 I / usr / i n c l u d e /apr 1.0 I / usr / i n c l u d e / p o s t g r e s q l I / usr / i n c l u d e /mysql I / usr / i n c l u d e / subversion 1 I.. c o mod authz svn db mysql. l o mod authz svn db mysql. c && touch mod authz svn db mysql. s l o / usr / share /apr 1.0/ b u i l d / l i b t o o l s i l e n t mode=l i n k tag=d i s a b l e s t a t i c i486 linux gnu gcc o mod authz svn db mysql. l a L/ usr / l i b / l m y s q l c l i e n t rpath / usr / l i b / apache2 / modules module avoid v e r s i o n mod authz svn db mysql. l o / usr / share / apache2 / b u i l d / i n s t d s o. sh SH LIBTOOL= / usr / share /apr 1.0/ b u i l d / l i b t o o l mod authz svn db mysql. l a / usr / l i b / apache2 / modules / usr / share /apr 1.0/ b u i l d / l i b t o o l mode=i n s t a l l cp mod authz svn db mysql. l a / usr / l i b / apache2 / modules / cp. l i b s / mod authz svn db mysql. so / usr / l i b / apache2 / modules / mod authz svn db mysql. so cp. l i b s / mod authz svn db mysql. l a i / usr / l i b / apache2 / modules / mod authz svn db mysql. l a PATH= $PATH: / sbin l d c o n f i g n / usr / l i b / apache2 / modules L i b r a r i e s have been i n s t a l l e d in : / usr / l i b / apache2 / modules I f you ever happen to want to l i n k a g a i n s t i n s t a l l e d l i b r a r i e s in a given d i r e c t o r y, LIBDIR, you must e i t h e r use l i b t o o l, and s p e c i f y the f u l l pathname o f the l i b r a r y, or use the LLIBDIR f l a g during l i n k i n g and do at l e a s t one o f the f o l l o w i n g : add LIBDIR to the LD LIBRARY PATH environment v a r i a b l e during e x e c u t i o n add LIBDIR to the LD RUN PATH environment v a r i a b l e during l i n k i n g use the Wl, rpath Wl, LIBDIR l i n k e r f l a g have your system a d m i n i s t r a t o r add LIBDIR to / e t c / ld. so. conf See any o p e r a t i n g system documentation about shared l i b r a r i e s for more information, such as the ld ( 1 ) and ld. so ( 8 ) manual pages. chmod 644 / usr / l i b / apache2 / modules / mod authz svn db mysql. so S t a r t i n g web s e r v e r : apache2. Admin Guide 6 SVN Authentication and Authorization

7 3 Configuration This chapter shows how to configure the Apache web server and the database in order to make the solution fully functional. 3.1 Creating the SVN repository or repositories To create a new repository called example rep follow these instructions: 1. Change to the directory where the repository or repositories should be created (e.g. /data). 2. Create a SVN repository with svnadmin create example_rep. 3. Change the owner and the group of the created repository to www-data (chgrp -R and chown -R). 3.2 Creating the database To create the database on the MySQL server follow these instructions: 1. Connect to the MySQL server either with phpmyadmin (URL: or the command line client. 2. Execute the contents of the create db.sql file contained in the mod authz svn db.zip. 3. Create a database user mod svn with only SELECT permissions. This user is used by the mod authz svn db module to query the database. After the successful creation of the database, the MySQL server should have a database called svn perm with seven data tables. Listing 3.1 shows the SQL commands for creating the database with its data tables. Listing 3.1: Database creation CREATE DATABASE svnperm DEFAULT CHARACTER SET u t f 8 COLLATE u t f 8 u n i c o d e c i ; USE svnperm ; CREATE TABLE a u t h z s v n r e p o s i t o r y ( id INT(11) NOT NULL AUTO INCREMENT, name VARCHAR(255) NOT NULL UNIQUE, PRIMARY KEY ( id ), INDEX repo name idx ( name ) ) ENGINE=InnoDB ; 7

8 Chapter 3. Configuration 3.2. Creating the database CREATE TABLE authz svn user ( id INT(11) NOT NULL AUTO INCREMENT, name VARCHAR(255) NOT NULL UNIQUE, PRIMARY KEY ( id ), INDEX user name idx ( name ) ) ENGINE=InnoDB ; CREATE TABLE authz svn repopath ( id INT(11) NOT NULL AUTO INCREMENT, r e p o s i t o r y i d INT(11) NOT NULL, path VARCHAR(255) NOT NULL, PRIMARY KEY ( id ), UNIQUE ( r e p o s i t o r y i d, path ), FOREIGN KEY r e p o s i t o r y i d i d x f k ( r e p o s i t o r y i d ) REFERENCES a u t h z s v n r e p o s i t o r y ( id ) ON DELETE CASCADE ) ENGINE=InnoDB ; CREATE TABLE a u t h z s v n u s e r p e r m ission ( u s e r i d INT(11) NOT NULL, r e p o s i t o r y p a t h i d INT(11) NOT NULL, read TINYINT( 1 ) NOT NULL, write TINYINT( 1 ) NOT NULL, recursive TINYINT( 1 ) NOT NULL, PRIMARY KEY ( u s e r i d, r e p o s i t o r y p a t h i d ), FOREIGN KEY u s e r i d i d x f k ( u s e r i d ) REFERENCES authz svn user ( id ) ON DELETE CASCADE, FOREIGN KEY r e p o p a t h i d i d x f k ( r e p o s i t o r y p a t h i d ) REFERENCES authz svn repopath ( id ) ON DELETE CASCADE ) ENGINE=InnoDB ; CREATE TABLE authz svn group ( id INT(11) NOT NULL AUTO INCREMENT, name VARCHAR(255) NOT NULL UNIQUE, PRIMARY KEY ( id ), INDEX group name idx ( name ) ) ENGINE=InnoDB ; CREATE TABLE authz svn groupmembership ( id INT(11) NOT NULL AUTO INCREMENT, u s e r i d INT(11) NOT NULL, Admin Guide 8 SVN Authentication and Authorization

9 Chapter 3. Configuration 3.3. Loading the required Apache modules group id INT(11) NOT NULL, PRIMARY KEY ( id ), UNIQUE ( u s e r i d, group id ), FOREIGN KEY u s e r i d i d x f k ( u s e r i d ) REFERENCES authz svn user ( id ) ON DELETE CASCADE, FOREIGN KEY g r o u p i d i d x f k ( group id ) REFERENCES authz svn group ( id ) ON DELETE CASCADE ) ENGINE=InnoDB ; CREATE TABLE authz svn grouppermission ( id INT(11) NOT NULL AUTO INCREMENT, group id INT(11) NOT NULL, r e p o s i t o r y p a t h i d INT(11) NOT NULL, read TINYINT( 1 ) NOT NULL, write TINYINT( 1 ) NOT NULL, recursive TINYINT( 1 ) NOT NULL, PRIMARY KEY ( id ), UNIQUE ( group id, r e p o s i t o r y p a t h i d ), FOREIGN KEY r e p o p a t h i d i d x f k ( r e p o s i t o r y p a t h i d ) REFERENCES authz svn repopath ( id ) ON DELETE CASCADE, FOREIGN KEY g r o u p i d i d x f k ( group id ) REFERENCES authz svn group ( id ) ON DELETE CASCADE ) ENGINE=InnoDB ; 3.3 Loading the required Apache modules There are certain modules which need to be loaded: 1. Make sure the dav svn module is activated (which should be the case after installing it via apt). 2. Edit the file /etc/apache2/mods-enabled/dav svn.load and append the line LoadModule authz svn db mysql module /usr/lib/apache2/modules/mod authz svn db mysql.so to load the mod authz svn db module. Listing 3.2 shows the new content of the file dav svn.load. 3. Enable the module mod authn alias by executing the command a2enmod authn_alias. 4. Enable the module mod authnz ldap by executing the command a2enmod authnz_ldap. Listing 3.2: Content of the new dav svn.load # Depends : dav LoadModule dav svn module / usr / l i b / apache2 / modules /mod dav svn. so LoadModule authz svn module / usr / l i b / apache2 / modules / mod authz svn. so LoadModule authz svn db mysql module / usr / l i b / apache2 / modules / mod authz svn db mysql. so Admin Guide 9 SVN Authentication and Authorization

10 Chapter 3. Configuration 3.4. Configuring the Apache web server 3.4 Configuring the Apache web server Defining the LDAP aliases In the dav svn.conf file the necessary alias definitions need to be created at the beginning of the file. Listing 3.3 shows the structure of an alias definition for an LDAP connection. Details to the configuration of Apache aliases can be found at authn alias.html. A complete example configuration is available in chapter <AuthnProviderAlias ldap a l i a s 1 > AuthLDAPBindDN... AuthLDAPBindPassword... AuthLDAPURL... </AuthnProviderAlias> Listing 3.3: Alias definition Table 3.1 shows the common LDAP ports which can be used within the command string of AuthLDAPURL. Table 3.1: LDAP Ports Port Explanation 389 Standard LDAP Port 636 LDAP port for secure SSL connections 3268 Global Catalog port used by Active Directory 3269 Secure Global Catalog port used by Active Directory Configuring the Apache Location for the SVN repository After creating the aliases, define a Location. A location is a part of the URL where the SVN repository should be accessible. Details about the definition of a Location are available at Listing 3.4 shows the structure of a Location definition. It contains three sections: 1. The SVN section contains the SVN commands or directives defined by the mod dav svn module. Details at dav svn. 2. Details on the authentication section can be found at auth basic.html. 3. This section contains the directives for the mod authz svn db module. All the available directives are explained in Listing 3.5. <Location / example repo> #s e c t i o n 1 : DAV svn SVNPath... Listing 3.4: Location configuration Admin Guide 10 SVN Authentication and Authorization

11 Chapter 3. Configuration 3.4. Configuring the Apache web server #s e c t i o n 2 : AuthBasicProvider a l i a s 1 a l i a s 2... AuthType Basic AuthName... r e q u i r e valid user #s e c t i o n 3 : AuthzSVNDBHost... AuthzSVNDBPort... AuthzSVNDBName... AuthzSVNDBUsername... AuthzSVNDBPassword... </Location> Listing 3.5 contains part of the readme file to the mod authz svn db module 1. It was included in this document because it is unknown for how long it will be available on the developers webpage. Listing 3.5: mod authz svn db directives In order to c o n f i g u r e mod authz svn db, Apache2 needs to be t o l d how the database i s c o n f i g u r e d. This c o n f i g u r a t i o n i s read only on boot i f you p l a c e i t in the vhosts c o n f i g u r a t i o n f i l e s ( i t i t s t r o n g l y recommended that you do f o r performance r e a s o n s ). Although you can put i t in the. h t a c c e s s f i l e s, t h i s p r a c t i c e i s s t r o n g l y discouraged. AuthzSVNDBAuthoritative <On Off> On D e s c r i p t i o n : I f enabled, mod authz svn db w i l l be the f i n a l judge o f a c c e s s a u t h o r i z a t i o n. Although other a u t h o r i z a t i o n modules may run b e f o r e i t, i f mod authz svn db i s run, no other modules w i l l be c o n s u l t e d. I f s e t to Off, i f the user i s not found by mod authz svn db, another a u t h o r i z a t i o n module can take over f o r mod authz svn db. Notes : This i s r e a l l y only u s e f u l i f you want to use mod auth svn db and some other module to a u t h o r i z e u s e r s. AuthzSVNDBHost <s t r i n g > Required l o c a l h o s t D e s c r i p t i o n : This i s the host where your database can be contacted. IP a d d r e s s e s are recommended f o r speed, but you may a l s o use hostnames such as www. wojno. com or l o c a l h o s t Notes : AuthzSVNDBPort <unsigned i n t e g e r ( )> Required The d e f a u l t f o r the database s o f t w a r e to which one i s connecting. D e s c r i p t i o n : This i s the port on the AuthzSVNDBHost on which your database i s l i s t e n i n g f o r new c o n n e c t i o n s. 1 authz svn db/trunk/readme Admin Guide 11 SVN Authentication and Authorization

12 Chapter 3. Configuration 3.4. Configuring the Apache web server Notes : AuthzSVNDBName <s t r i n g > Required N/A D e s c r i p t i o n : This i s the name o f the database that c o n t a i n s the a u t h o r i z a t i o n t a b l e s as d e s c r i b e d in s e c t i o n V. Notes : AuthzSVNDBUsername <s t r i n g > Required N/A D e s c r i p t i o n : This i s the username used to connect to the database AuthzSVNDBName a t AuthzSVNDBHost Notes : AuthzSVNDBPassword <s t r i n g > i f AuthzSVNDBPasswordFile used N/A D e s c r i p t i o n : The password to use when a c c e s s i n g the database ( database a u t h e n t i c a t i o n ), o v e r r i d e s the s p e c i f i e d password f i l e. I t i s recommended that a password f i l e be used i n s t e a d o f t h i s d i r e c t i v e i f the c o n f i g u r a t i o n f i l e i s p u b l i c l y v i s i b l e. Notes : See AuthzSVNDBPasswordFile I f the c o n f i g u r a t i o n f i l e in which t h i s d i r e c t i v e i s used i s v i s i b l e to the public, people w i l l be able to s e e your database password! Use AuthzSVNDBPasswordFile i n s t e a d! AuthzSVNDBUserTable <s t r i n g > a u t h z s v n u s e r D e s c r i p t i o n : The name o f the t a b l e in AuthzSVNDBName that c o n t a i n s the l i s t o f u s e r s ( s e e s e c t i o n V) Notes : AuthzSVNDBUserColumn <s t r i n g > name D e s c r i p t i o n : The name o f the column in AuthzSVNDBUserColumn that c o n t a i n s the name o f the u s e r s AuthzSVNDBUserIDColumn <s t r i n g > id D e s c r i p t i o n : The name o f the column in AuthzSVNDBUserColumn that c o n t a i n s the numeric ID o f the u s e r s Notes : I f your database does not have ID s f o r every user, then your database d e s i g n e r needs to be f i r e d. This i s a r e q u i r e d part o f the database. Admin Guide 12 SVN Authentication and Authorization

13 Chapter 3. Configuration 3.4. Configuring the Apache web server AuthzSVNDBRepositoryTable <s t r i n g > a u t h z s v n r e p o s i t o r y D e s c r i p t i o n : The name o f the t a b l e in AuthzSVNDBName that c o n t a i n s the l i s t o f r e p o s i t o r y names ( not paths ) AuthzSVNDBRepositoryColumn <s t r i n g > name D e s c r i p t i o n : The name o f the column in AuthzSVNDBUserColumn that c o n t a i n s the name o f the r e p o s i t o r i e s AuthzSVNDBRepositoryIDColumn <s t r i n g > id D e s c r i p t i o n : The name o f the column in AuthzSVNDBUserColumn that c o n t a i n s the numeric ID o f the r e p o s i t o r i e s AuthzSVNDBGroupMembershipTable <s t r i n g > authz svn groupmembership D e s c r i p t i o n : The name o f the t a b l e in AuthzSVNDBName that c o n t a i n s the matching o f user ID s and group ID s i n d i c a t i n g membership in a group AuthzSVNDBGroupMembershipUserColumn <s t r i n g > u s e r i d D e s c r i p t i o n : The name o f the user column in the group membership database. This i s where the user id i s s p e c i f i e d to l i n k u s e r s to groups. AuthzSVNDBGroupMembershipGroupColumn <s t r i n g > group id D e s c r i p t i o n : The name o f the group column in the group membership database. This i s where the group id i s s p e c i f i e d to l i n k u s e r s to groups. AuthzSVNDBUPermissionTable <s t r i n g > a u t h z s v n u s e r p e r m i s s i o n Admin Guide 13 SVN Authentication and Authorization

14 Chapter 3. Configuration 3.4. Configuring the Apache web server D e s c r i p t i o n : The name o f the t a b l e where user l e v e l p e r m i s s i o n s (R/W/ Recursive ) are s t o r e d. This t a b l e c o n t a i n s the data to allow Apache to grant and r e j e c t i n d i v i d u a l u s e r s from a c c e s s i n g a p a r t i c u l a r r e p o s i t o r y. AuthzSVNDBUPermissionUserColumn <s t r i n g > u s e r i d D e s c r i p t i o n : This i s where the user s id i s s t o r e in the u s e r p e r m i s s i o n t a b l e and l i n k s u s e r s to r e p o s i t o r i e s. AuthzSVNDBUPermissionPathColumn <s t r i n g > r e p o s i t o r y i d D e s c r i p t i o n : This i s where the r e p o s i t o r y s id i s s t o r e in the u s e r p e r m i s s i o n t a b l e and l i n k s u s e r s to r e p o s i t o r i e s. AuthzSVNDBUPermissionReadColumn <s t r i n g > read D e s c r i p t i o n : This i s the name o f the column in the database that g rants or revokes the a b i l i t y o f a user to read a r e p o s i t o r y. AuthzSVNDBUPermissionWriteColumn <s t r i n g > w r i t e D e s c r i p t i o n : This i s the name o f the column in the database that g rants or revokes the a b i l i t y o f a user to w r i t e to a r e p o s i t o r y. AuthzSVNDBUPermissionRecursiveColumn <s t r i n g > r e c u r s i v e D e s c r i p t i o n : This i s the name o f the column in the database that c o n t r o l s whether a user s p e r m i s s i o n s are to be propagated to c h i l d d i r e c t o r i e s in a r e p o s i t o r y. AuthzSVNDBGPermissionTable <s t r i n g > authz svn grouppermission D e s c r i p t i o n : The name o f the t a b l e where group l e v e l p e r m i s s i o n s (R/W / Recursive ) are s t o r e d. This t a b l e c o n t a i n s the data to allow Apache to grant and r e j e c t groups from a c c e s s i n g a p a r t i c u l a r r e p o s i t o r y. Admin Guide 14 SVN Authentication and Authorization

15 Chapter 3. Configuration 3.4. Configuring the Apache web server AuthzSVNDBGPermissionGroupColumn <s t r i n g > group id D e s c r i p t i o n : This i s where the group s id i s s t o r e in the grouppermission t a b l e and l i n k s groups to r e p o s i t o r i e s. AuthzSVNDBGPermissionPathColumn <s t r i n g > r e p o s i t o r y i d D e s c r i p t i o n : This i s where the r e p o s i t o r y s id i s s t o r e in the grouppermission t a b l e and l i n k s groups to r e p o s i t o r i e s. AuthzSVNDBGPermissionReadColumn <s t r i n g > read D e s c r i p t i o n : This i s the name o f the column in the database that g rants or revokes the a b i l i t y o f a group to read a r e p o s i t o r y. AuthzSVNDBGPermissionWriteColumn <s t r i n g > w r i t e D e s c r i p t i o n : This i s the name o f the column in the database that g rants or revokes the a b i l i t y o f a group to w r i t e to a r e p o s i t o r y. AuthzSVNDBGPermissionRecursiveColumn <s t r i n g > r e c u r s i v e D e s c r i p t i o n : This i s the name o f the column in the database that c o n t r o l s whether a group s p e r m i s s i o n s are to be propagated to c h i l d d i r e c t o r i e s in a r e p o s i t o r y. AuthzSVNDBRepoPathTable <s t r i n g > authz svn repopath D e s c r i p t i o n : The t a b l e name f o r that t a b l e that c o n t a i n s a l i s t i n g o f a l l r e p o s i t o r y paths f o r apache to s e r v e. Such paths are a v a i l a b l e as URI s appended to the Apache s e r v e r URL. I.E. i f the authz SVN DAV parent path i s l o c a t e d at : http : / / svn. s e r v e r. com/ svndav and one o f the r e p o s i t o r y paths i s myproject, then one may s p e c i f y : http : / / svn. s e r v e r. com/ svndav / myproject to a c c e s s the r e p o s i t o r y. AuthzSVNDBRepoPathPathColumn <s t r i n g > Admin Guide 15 SVN Authentication and Authorization

16 Chapter 3. Configuration 3.4. Configuring the Apache web server path D e s c r i p t i o n : The column in the t a b l e that s t o r e s the s t r i n g path to the r e p o s i t o r y, or a sub d i r e c t o r y within the r e p o s i t o r y. Therefore, any sub d i r e c t o r i e s within a r e p o s i t o r y can be e x p l i c i t l y named here. Once named, user and group p e r m i s s i o n s can be a p p l i e d to those paths. AuthzSVNDBRepoPathRepositoryColumn <s t r i n g > r e p o s i t o r y i d D e s c r i p t i o n : The column that s t o r e s the t a r g e t r e p o s i t o r y id to which the path i s l i n k e d and within which the path i s contained. I.E. i f the r e p o s i t o r y myproject has branch, trunk, and tag, the AuthzSVNDBRepoPathPathColumn can be / trunk o r / branch. AuthzSVNDBRepoPathIDColumn <s t r i n g > id D e s c r i p t i o n : The name o f the primary key index column f o r the Path t a b l e. I f your database does not have one, f i r e your database d e s i g n e r. All t a b l e s need primary keys. AuthzSVNDBPasswordFile <s t r i n g > NULL ( Not used ) D e s c r i p t i o n : This i s a f a l l back in the event a f l a t f i l e i s to be used f o r a u t h e n t i c a t i o n. Please note, using t h i s f i l e may help debug the i n s t a l l a t i o n o f the module, but i s a s e c u r i t y r i s k as a l l passwords must be s t o r e d in plain t e x t. I t i s recommended that t h i s f i l e be used only f o r development and only be readable to an a d m i n i s t r a t o r and Apache. Using a password f i l e i s a s e c u r i t y r i s k! Use only f o r development and in ensure t a r g e t f i l e i s readable, w r i t e a b l e, and e x e c u t a b l e only by root and Apache s user Entering the global server commands for LDAP over SSL/TLS If a SSL/TLS connection to the LDAP servers is needed and if a self signed certificate is used, a few global commands are necessary. There are two possibilities when using a self signed certificate. Either the certificate verification is turned off with the global command LDAPVerifyServerCert Off or the path to the certificate of the SSL certificate authority (CA) must be specified with the command LDAPTrustedGlobalCert <cert type> <cert path>. Admin Guide 16 SVN Authentication and Authorization

17 Chapter 3. Configuration 3.4. Configuring the Apache web server The full Apache SVN example configuration Listing 3.6: Content of the httpd.conf file 1 LDAPVerifyServerCert On 2 LDAPTrustedGlobalCert CA BASE64 LDAPTrustedGlobalCert CA BASE64 / e t c / apache2 / c e r t / c a c e r t. pem Listing 3.7: Content of the dav svn.conf file 1 <AuthnProviderAlias ldap openldap> 2 # 3 #Authentication data f o r the OpenLDAP s e r v e r 4 # 5 6 AuthLDAPBindDN CN=admin, dc=imvs, dc=technik, dc=fhnw, dc=ch 7 AuthLDAPBindPassword pw 8 AuthLDAPURL ldap : / / l o c a l h o s t :389/DC=imvs,DC=technik,DC=fhnw,DC=ch? cn? sub?( o b j e c t C l a s s=person ) NONE 9 </AuthnProviderAlias> <AuthnProviderAlias ldap ad stud> 12 # 13 #Authentication data f o r the edu domain 14 # #For AD, a bind DN and password i s n e c e s s a r y because anonymous binding isn t allowed f o r s e a r c h i n g 17 AuthLDAPBindDN user@edu. ds. fhnw. ch 18 AuthLDAPBindPassword pw #check the two redundant domain c o n t r o l l e r s 21 #3269 i s the g l o b a l c a t a l o g s s l s e r v e r port. 22 AuthLDAPURL ldap : / / dsemu11. edu. ds. fhnw. ch :3269 dsemu12. edu. ds. fhnw. ch :636/ ou=edu, ou=prod,dc=edu,dc=ds,dc=fhnw,dc=ch? mail? sub?( o b j e c t C l a s s= person ) SSL 23 </AuthnProviderAlias> <AuthnProviderAlias ldap ad adm> 26 # 27 #Authentication data f o r the adm domain 28 # #For AD, a bind DN and password i s n e c e s s a r y because anonymous binding isn t allowed f o r s e a r c h i n g 31 AuthLDAPBindDN user@edu. ds. fhnw. ch 32 AuthLDAPBindPassword pw AuthLDAPURL ldap : / / dsamu11. i c t. fhnw. ch :636 dsamu12. i c t. fhnw. ch :636/OU= adm,ou=prod,dc=adm,dc=ds,dc=fhnw,dc=ch? mail? sub?( o b j e c t C l a s s=person ) SSL 35 </AuthnProviderAlias> <Location / example repo> 38 #SVN s e c t i o n : 39 DAV svn 40 SVNPath / data / example repo Admin Guide 17 SVN Authentication and Authorization

18 Chapter 3. Configuration 3.4. Configuring the Apache web server #Authentication s e c t i o n 43 AuthBasicProvider openldap ad stud ad adm 44 AuthType Basic 45 AuthName For a c c e s s i n g the r e p o s i t o r y, an a u t h e n t i c a t i o n i s needed 46 r e q u i r e valid user #A u t o r i z a t i o n 49 AuthzSVNDBHost l o c a l h o s t 50 AuthzSVNDBPort AuthzSVNDBName svnperm 52 AuthzSVNDBUsername svn mod 53 AuthzSVNDBPassword pw 54 </Location> Admin Guide 18 SVN Authentication and Authorization