Submerged - CollabNet's Subversion Blog

Subversion with Apache and LDAP: Updated

My previous blog entry discussing Subversion, Apache and LDAP is nearing two years old. It was written when Apache 2.0.x was still mainstream; since Apache 2.2.x was released, changes in the LDAP modules and their respective configuration directives have left my previous entry very confusing for those wanting to use Apache 2.2.x. The purpose of the Definitive Guide is to provide a single location for questions about Apache 2.0.x and 2.2.x, while also providing more depth about things to consider when building your Apache-based Subversion server using LDAP for authentication.

The Configuration

For those of you that just want to get to the point, where you can copy and paste and move on, here you go:

Example Apache 2.2.x Configuration Snippet

# Load Apache LDAP modules
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Load Subversion Apache Modules
# On Windows, use the full path to SUBVERSION_HOME/bin/mod_dav_svn.so and
# SUBVERSION_HOME/bin/mod_authz_svn.so (Apache does not accept a comment on
# the same line as a directive, so the note lives here)
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

# Work around authz and SVNListParentPath issue
RedirectMatch ^(/repos)$ $1/

# Enable Subversion logging
CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION

<Location /repos/>
  # Enable Subversion
  DAV svn

  # Directory containing all repositories for this path
  SVNParentPath /subversion/svn-repos

  # List repositories collection
  SVNListParentPath On

  # Enable WebDAV automatic versioning
  SVNAutoversioning On

  # Repository Display Name
  SVNReposName "Your Subversion Repository"

  # Do basic password authentication in the clear
  AuthType Basic

  # The name of the protected area or "realm"
  AuthName "Your Subversion Repository"

  # Make LDAP the authentication mechanism
  AuthBasicProvider ldap

  # Make LDAP authentication final
  AuthzLDAPAuthoritative on

  # Active Directory requires an authenticating DN to access records
  AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=your,DC=domain"

  # This is the password for the AuthLDAPBindDN user in Active Directory
  AuthLDAPBindPassword ldappassword

  # The LDAP query URL
  AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"

  # Require a valid user
  Require valid-user

  # Authorization file
  AuthzSVNAccessFile /subversion/apache2/auth/repos.acl
</Location>

Example Apache 2.0.x Configuration Snippet

# Load Apache LDAP modules
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so

# Load Subversion Apache Modules
# On Windows, use the full path to SUBVERSION_HOME/bin/mod_dav_svn.so and
# SUBVERSION_HOME/bin/mod_authz_svn.so (Apache does not accept a comment on
# the same line as a directive, so the note lives here)
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

# Work around authz and SVNListParentPath issue
RedirectMatch ^(/repos)$ $1/

# Enable Subversion logging
CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION

<Location /repos/>
  # Enable Subversion
  DAV svn

  # Directory containing all repositories for this path
  SVNParentPath /subversion/svn-repos

  # List repositories collection
  SVNListParentPath On

  # Enable WebDAV automatic versioning
  SVNAutoversioning On

  # Repository Display Name
  SVNReposName "Your Subversion Repository"

  # LDAP Authentication is final
  AuthLDAPAuthoritative on

  # Do basic password authentication in the clear
  AuthType Basic

  # The name of the protected area or "realm"
  AuthName "Your Subversion Repository"

  # Active Directory requires an authenticating DN to access records
  AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=your,DC=domain"

  # This is the password for the AuthLDAPBindDN user in Active Directory
  AuthLDAPBindPassword ldappassword

  # The LDAP query URL
  AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"

  # Require authentication
  Require valid-user

  # Authorization file
  AuthzSVNAccessFile /subversion/apache2/auth/repos.acl
</Location>

(The configurations above are for pointing to an Active Directory (AD) server.)

Understanding the Configuration

So... the above Apache configurations are what I personally use when building an Apache-based server. Obviously there are changes that need to be made depending on the environment, but for now it's a great start. To make the best of this opportunity, let's talk about the miscellaneous parts of the configuration.

SVNListParentPath and Subversion's authz

One of the first problems people run into when building an Apache-based Subversion server is when they want to have mod_dav_svn serve a list of repositories. Everything works fine until they enable Subversion's authorization (authz) support. The server is configured and secured properly, but when you go to the repository collection list, which in our case is http://localhost/repos, you are forbidden to view the collection even if you have access. The RedirectMatch near the top of the configuration fixes this. The reason is that once authz is enabled, the collection URL must end with a trailing slash; the RedirectMatch automatically redirects requests without a trailing slash to the collection listing. Problem solved.

Custom Subversion Logging

Subversion uses Apache's WebDAV support to provide access to its repositories when served through Apache. Unfortunately, when you look at Apache's access logs to try to see your Subversion usage, you end up with a lot of WebDAV communication being logged and only a portion of the actual client/server communication. This is because mod_dav_svn uses Apache subrequests, and Apache does not log subrequests. Even if it did, turning the Subversion communication in the Apache access log into something meaningful would be nearly impossible. That being said, the configuration above has been set up to use one of Subversion's features, Apache logging of high-level Subversion operations via the SVN-ACTION environment variable, which takes the guesswork out.
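To show what the SVN-ACTION log above actually gives you, here is an added Python example (not code from the post or from Subversion) that parses lines in the post's "%t %u %{SVN-ACTION}e" format and picks out the events an administrator would want to review: revision-property changes, stolen or broken locks, and write actions with no authenticated user. The sample lines are constructed for this example, following the action names documented for mod_dav_svn's high-level logging.

```python
"""Parse the Subversion CustomLog format used in the post,
    "%t %u %{SVN-ACTION}e"
and pick out events an administrator would want to review.

Added example, not code from the post.  The log lines below are
constructed for this example, following the action names that
mod_dav_svn's high-level logging documents (commit, change-rev-prop,
lock/unlock, checkout-or-export, ...).
"""
import re
from collections import Counter
from datetime import datetime

# [10/Jun/2009:08:52:13 -0600] <user or "-"> <action> [<arguments...>]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<user>\S+)\s+(?P<action>\S+)(?:\s+(?P<args>.*))?$"
)

# Actions that modify the repository or its history; an anonymous ("-") user
# should never appear on these when the Location requires valid-user.
WRITE_ACTIONS = {"commit", "change-rev-prop", "lock", "unlock"}

# Constructed sample log (not real data); the last line is deliberately junk.
SAMPLE_LOG = """\
[10/Jun/2009:08:52:13 -0600] jwhitlock commit r42
[10/Jun/2009:08:53:01 -0600] - checkout-or-export /trunk r42 depth=infinity
[10/Jun/2009:09:10:44 -0600] bob lock /trunk/build.xml steal
[10/Jun/2009:09:11:02 -0600] bob unlock /trunk/build.xml break
[10/Jun/2009:09:15:30 -0600] alice change-rev-prop r42 svn:log
[10/Jun/2009:09:20:00 -0600] - commit r43
[10/Jun/2009:09:25:12 -0600] alice commit r44
this line is not an SVN-ACTION record
"""


def parse_svn_log_line(line: str):
    """Return a dict for one log record, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "user": None if m["user"] == "-" else m["user"],   # "-" is Apache's "no user"
        "action": m["action"],
        "args": (m["args"] or "").split(),
    }


def audit_svn_log(text: str) -> dict:
    """Summarise commits per user and list the events worth a closer look."""
    events = [e for e in map(parse_svn_log_line, text.splitlines()) if e]
    commits = Counter(e["user"] for e in events if e["action"] == "commit")
    findings = []
    for e in events:
        when = e["time"].isoformat()
        who = e["user"] or "<anonymous>"
        if e["action"] == "change-rev-prop":
            # Unversioned revision properties (svn:log, svn:author, ...) can be
            # rewritten without leaving history behind; every change deserves a look.
            findings.append(f"{when} {who} changed revision property {' '.join(e['args'])}")
        if e["action"] in ("lock", "unlock") and e["args"] and e["args"][-1] in ("steal", "break"):
            # "steal"/"break" mean the lock belonged to someone else.
            findings.append(f"{when} {who} {e['action']} with {e['args'][-1]} on {e['args'][0]}")
        if e["user"] is None and e["action"] in WRITE_ACTIONS:
            findings.append(f"{when} anonymous {e['action']} {' '.join(e['args'])}: "
                            "write access without authentication")
    return {"records": len(events), "commits_per_user": dict(commits), "findings": findings}


if __name__ == "__main__":
    result = audit_svn_log(SAMPLE_LOG)
    print(result["commits_per_user"])
    for finding in result["findings"]:
        print(finding)
```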

Subversion Configuration

The other Subversion-specific parts of the Apache configuration are pretty self-explanatory. To summarize what is enabled with the above:

  • SVNListParentPath: Enables browsing the location root to get a list of the repositories being served under that URL base
  • SVNAutoversioning: Allows WebDAV clients to make changes to repository contents without using a Subversion client
  • SVNParentPath: Enables serving any number of repositories under the URL base
  • SVNReposName: Lets you put in your own text to be visible in the web browser when browsing your repository contents via the built-in repository browser provided by mod_dav_svn
  • AuthzSVNAccessFile: Tells Subversion's mod_authz_svn module where to find the authz file.

For more details about the Subversion-specific Apache directives, and a list of even more ways you can configure your Apache-based Subversion server, view the mod_dav_svn and the mod_authz_svn documentation.

LDAP Configuration

The LDAP portion of the Apache configuration is where most people run into problems. That being said, we'll spend a little more time explaining the Apache LDAP configuration. The most important thing to note is the subtle differences between Apache 2.0.x and Apache 2.2.x:

Apache 2.0.x           | Apache 2.2.x
-----------------------------------------------
AuthLDAPAuthoritative  | AuthzLDAPAuthoritative
AuthLDAPBindDN         | AuthLDAPBindDN
AuthLDAPBindPassword   | AuthLDAPBindPassword
AuthLDAPURL            | AuthLDAPURL
                       | AuthBasicProvider

You should note that the Apache LDAP module names have also changed between Apache 2.0.x and 2.2.x. Now that we see the naming changes, let's talk about how to properly use these Apache directives to get the LDAP-based authentication you're looking for. (I will be using the Apache 2.2.x names for the Apache directives. If you're still using Apache 2.0.x, please refer to the table above for how to take my documentation and apply it to Apache 2.0.x.)

  • AuthzLDAPAuthoritative: Tells Apache whether or not a failed authentication request can be passed to other Apache modules
  • AuthLDAPBindDN: The distinguished name of the user account that Apache will use to connect to the directory system to perform its user authentication
  • AuthLDAPBindPassword: The password for the user account configured via the AuthLDAPBindDN directive
  • AuthLDAPURL: This is a URL that tells Apache where the directory server is, where to look for users, which user attribute identifies a user, and other miscellaneous things specific to the LDAP query syntax (more on this later)
  • AuthBasicProvider: This tells Apache which authentication module you want to use for Basic authentication

All of the directives above are pretty straightforward except for the AuthLDAPURL directive, which we will discuss in more detail below. For any other Apache configuration questions, please refer to the Apache documentation for your respective Apache version.

The LDAP Query URL

For most, the AuthLDAPURL directive is the most challenging to understand. There is good reason for this. That one directive actually consists of 6+ pieces of information that will be different for each Subversion server. Let's break our example AuthLDAPURL into its pieces and discuss the importance, and nuances, of each.

For simplicity, here is the URL again, in its entirety: ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)

  • URL scheme: [ldap] This is nothing more than a URL scheme. It will usually be either 'ldap' or, in the event that you're using SSL to access your directory server, 'ldaps'.
  • Hostname: [your.domain] This is the IP address or hostname of your directory server.
  • Port: [389] This is the port the directory server is listening on.
  • Search base: [DC=your,DC=domain] This is the distinguished name of the point in the directory tree below which you want to search for users.
  • Username attribute: [sAMAccountName] This is the attribute that contains the login name being used.
  • Query scope: [sub] This tells the directory server how much of the tree to search; 'sub' searches the whole subtree below the search base.
  • Filter: [(objectClass=*)] This tells the directory server to return only objects matching a particular filter.

For more details on constructing an ldap url, which is a standard and not specific to Apache, view RFC 2255.

Working with Active Directory

Active Directory is known as a multi-master directory system. This being said, each directory server in AD does not always have all the necessary information to perform every directory request. The best way to handle this is to have Apache query a Global Catalog. A Global Catalog server can search the whole forest for users. This means that if you want to do domain-wide searches or larger, you need to point to a Global Catalog and update your Apache configuration accordingly. When using a Global Catalog, you should use port 3268 for your queries.

Searching for Users

In the example URL above, the sAMAccountName attribute is used to identify the username. This attribute is Windows/Active Directory specific, so for those of you using OpenLDAP or another directory, that attribute probably will not exist. Change your attribute accordingly. For example, if you wanted to use the Common Name to log in, you could specify "CN" as the attribute.

LDAP Query Tuning

The last thing we will talk about is the ability to use filters to make your LDAP query a little more specific. In the example url above we used "(objectClass=*)", which will search for all objects. If you know that you only want to search for a particular object type, like the "user" type, you could use "(objectClass=user)" instead.
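As an added example (not code from the post, nor from Apache or CollabNet), here is a small Python parser for the AuthLDAPURL value as the post breaks it down, plus the checks a reviewer would run over it: the scheme (ldap versus ldaps), the Global Catalog ports from the Active Directory section, and the (objectClass=*) filter from the tuning section. It also accepts the space-separated redundant servers that mod_authnz_ldap allows and rejects a value whose scheme is not an LDAP scheme (the "scheme was not recognised" error quoted in the comments); the defaults for omitted fields (uid, sub, (objectclass=*)) are taken from the Apache mod_authnz_ldap documentation.

```python
"""Parse an Apache AuthLDAPURL value into its RFC 2255 pieces and report
the settings a reviewer would check.

Added example; not code from the post, Apache or CollabNet.  Layout as the
post describes it, plus mod_authnz_ldap's space-separated redundant hosts:
    scheme://host[:port][ host2[:port]]/base-dn?attribute?scope?filter
Defaults for omitted fields (uid, sub, (objectclass=*)) follow the Apache
mod_authnz_ldap documentation.
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
GLOBAL_CATALOG_PORTS = {3268, 3269}     # AD Global Catalog, plain and SSL
APACHE_SCOPES = {"one", "sub"}          # mod_authnz_ldap maps "base" to "sub"


def parse_auth_ldap_url(url: str) -> dict:
    """Split one AuthLDAPURL value (surrounding quotes allowed) into its parts.

    Raises ValueError for input that is not an LDAP URL, the same class of
    mistake as the "scheme was not recognised" error in the comments.
    """
    url = url.strip().strip('"')
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"not a valid LDAP URL scheme: {url!r}")

    netloc, _, tail = rest.partition("/")
    if not netloc.strip():
        raise ValueError("no directory server host in URL")

    hosts = []
    for host_port in netloc.split():          # "host1:389 host2" -> two servers
        host, _, port = host_port.rpartition(":")
        if not host or not port.isdigit():    # no port given (or an IPv6 literal)
            host, port = host_port, ""
        hosts.append((host, int(port) if port else DEFAULT_PORTS[scheme]))

    base_dn, _, query = tail.partition("?")
    fields = query.split("?")                 # attribute?scope?filter
    attribute = fields[0] if fields[0] else "uid"
    scope = (fields[1] if len(fields) > 1 and fields[1] else "sub").lower()
    ldap_filter = fields[2] if len(fields) > 2 and fields[2] else "(objectclass=*)"

    if scope == "base":
        scope = "sub"                         # documented Apache behaviour
    if scope not in APACHE_SCOPES:
        raise ValueError(f"unknown search scope {scope!r}")
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        raise ValueError(f"filter must be parenthesised: {ldap_filter!r}")

    return {"scheme": scheme, "hosts": hosts, "base_dn": base_dn,
            "attribute": attribute, "scope": scope, "filter": ldap_filter}


def review_auth_ldap_url(url: str) -> list:
    """Return the points a security review of this URL would raise."""
    p = parse_auth_ldap_url(url)
    notes = []
    if p["scheme"] == "ldap":
        # Apache binds with AuthLDAPBindPassword and then re-binds with each
        # user's password; over ldap:// both cross the network unencrypted.
        notes.append("ldap:// sends the bind password and every user's password "
                     "to the directory in the clear; use ldaps:// where possible")
    for host, port in p["hosts"]:
        if port in GLOBAL_CATALOG_PORTS:
            notes.append(f"{host}:{port} is an AD Global Catalog port "
                         "(forest-wide search, as the post recommends)")
    if p["filter"].lower() == "(objectclass=*)":
        notes.append("filter (objectClass=*) matches every object under the "
                     "base DN; narrow it, e.g. (objectClass=user)")
    return notes


if __name__ == "__main__":
    example = "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
    print(parse_auth_ldap_url(example))
    for note in review_auth_ldap_url(example):
        print("-", note)
```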

Conclusion

Building an Apache-based Subversion server with LDAP as the authentication mechanism can be daunting for some. I hope this has made things easier for you.

Jeremy Whitlock

About the Author

Jeremy Whitlock is a software developer in CollabNet's Subversion Engineering team. He is also an open source advocate who contributes to many projects. Jeremy loves playing video games and still continues to be amazed at the personal growth of his three year old son.
Categories: Subversion Server


Comments

Is there a way to refer to LDAP groups in an AuthzSVNAccessFile? - So that groups don't have to be defined in an SVN access control list?

Troels Arvin | March 03, 2009 at 12:21 PM

Troels,
It just so happens there is but it requires using a third-party script, ironically written by me: http://www.thoughtspark.org/node/26. Let me know how it works out for you.

Take care,

Jeremy

Jeremy Whitlock | March 03, 2009 at 12:39 PM

Thanks for this information! It's extremely useful.

Julie | March 03, 2009 at 01:44 PM

If it is going to be the "definitive" guide to this, then it needs to show how to restrict access via LDAP Groups.

<Location "/repos/">
# SVN Config and LDAP Authentication Config goes here
<LimitExcept GET PROPFIND OPTIONS REPORT>
require ldap-group CN=SubversionUsers,OU=Domain Groups,DC=example,DC=com
</LimitExcept>
</Location>

And now only people in SubversionUsers can log in to the /repos/ repository.

*Note that due to HTML restrictions, the angle brackets are incorrect.

Aaron Korver | March 06, 2009 at 01:45 PM

Aaron,
Actually, I've left restricting groups out for another reason. The problem with your approach is that it is a blanket restriction, meaning you either have access or you don't based on your group. I have a solution that lets you use LDAP-defined groups in your Subversion authz file, which is much, much more granular and flexible. I know for some blanket-level authorization is enough, but not for most, which is why I didn't mention it. I guess if you're interested in learning about the solution I speak of, feel free to read the following: http://www.thoughtspark.org/node/26

Take care,

Jeremy

Jeremy Whitlock | March 06, 2009 at 02:32 PM

Does the collabnet subversion package for rhel 5 contains mod_ldap and mod_authnz_ldap modules ?
Or should I compile these modules from sources ?

Thanks for your guide.

--
Fabio

Fabio Canepa | March 07, 2009 at 06:35 AM

Fabio,
From my understanding, they are compiled into the httpd binary. They are available.

Take care,

Jeremy

Jeremy Whitlock | March 07, 2009 at 06:38 PM

Hi Jeremy,

Is there a way to use an encrypted ldap password? It seems a little unsafe to have the ldap password in plain text.

regards,

Jason

Jason Chaffee | March 22, 2009 at 09:44 PM

Jason,
Not that I'm aware. While I can somewhat agree, if you think about it, a server should be locked down anyways. That means that only trusted individuals would have access to the filesystem and its contents, like the Apache configuration file. The suggested thing to do in a case like this is to create a "service" account and lock that account down accordingly. Then, even if someone were to maliciously use the credentials, they'd only have access to a very little piece of information.

Take care,

Jeremy

Jeremy Whitlock | March 23, 2009 at 07:57 AM

I'm having an issue: I can't get the Apache service to start when I use the above (top) config for Apache 2.2. Could this be due to incorrect LDAP settings, or is there somewhere else I should be looking? I can't find any clear info in the event logs. I'm a novice with Apache and LDAP, but it would help if I knew where I should be looking. Does anyone know if Apache will start OK even if the LDAP configs are wrong (incorrect server or CN, etc.)?

When I start Apache 2.2 with a basic httpd.conf it starts up fine:
<Location /svn>
DAV svn
SVNParentPath C:\repositories
SVNListParentPath On
Require valid-user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile C:\repositories\password-file
</Location>

Thanks,

Eric Steinberg | April 09, 2009 at 02:08 PM

Also, is the AuthzSVNAccessFile required? If so, is it configured using htpasswd? I thought the reason to use LDAP is to get away from an access file?

Here is the LDAP config that will not allow my Apache 2.2 server to start. I'm wondering if I have AuthLDAPURL configured correctly as this is all internal on my network so I'm referencing the server name:

<Location /svn>
# Enable Subversion
DAV svn

# Directory containing all repositories for this path
SVNParentPath C:\repositories

# List repositories collection
SVNListParentPath On

# Enable WebDAV automatic versioning
SVNAutoversioning On

# Repository Display Name
SVNReposName "Subversion Repository"

# Do basic password authentication in the clear
AuthType Basic

# The name of the protected area or "realm"
AuthName "Subversion Repository"

# Make LDAP the authentication mechanism
AuthBasicProvider ldap

# Make LDAP authentication final
AuthzLDAPAuthoritative on

# Active Directory requires an authenticating DN to access records
AuthLDAPBindDN "CN=TESTUSER,CN=Users,DC=MY,DC=DOMAIN"

# This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword TESTPASSWORD

# The LDAP query URL
AuthLDAPURL "ldap://SERVERNAME.my.domain:389/DC=my,DC=domain?sAMAccountName?sub?(objectClass=*)"

# Require a valid user
Require valid-user

# Authorization file
AuthzSVNAccessFile c:\repositories\password-file
</Location>

Eric Steinberg | April 09, 2009 at 02:17 PM

Eric,
Well, the first place to start would be by looking at the Apache error logs. If Apache doesn't start, there is a good chance that it would be in there. If there is nothing in there, you might need to start Apache from the command line to see why it's failing. Sometimes, if the failure is early enough in the startup process, standard out/error is used to relay problems.

As for Apache starting if the LDAP configs are wrong, Apache would still start. It does not validate the actual contents of the LDAP settings. If it's failing to startup, it's probably a syntax problem, unloaded module, failure to load a module or something like that.

Finally, the AuthzSVNAccessFile is used for Subversion's path-based authorization. It has nothing to do with LDAP. LDAP is for authentication while authorization is done using the "authz" mechanism provided by Subversion.

In the end, you need to figure out the cause of the failure. Apache error logs and/or standard out/error would be where to look. Good luck.

Take care,

Jeremy

Jeremy Whitlock | April 09, 2009 at 08:39 PM

Hi, I have a problem: if I want to use two URLs in the AuthURL, is it possible?

rok | April 15, 2009 at 12:35 AM

hi ,

I am writing to ask about a problem which I have googled but without result.

My problem is: if I want to authorize a group to have permission to access an application (Subversion), I can use the configuration below in an auth.conf (saved in folder /etc/httpd/conf.d):
#######

AuthLDAPURL "ldap://localhost/ou=develop,dc=company,dc=com?cn"
require valid-user

#######

and I tested it; the users belonging to ou=develop can access Subversion.

Now I want to give the group testing the same permission as develop.

######
AuthLDAPURL "ldap://localhost/ou=develop,dc=company,dc=com?cn"

AuthLDAPURL "ldap://localhost/ou=testing,dc=company,dc=com?cn"
require valid-user
######

and this does not work; only users of develop can access Subversion.


then I changed it as below:
######
AuthLDAPURL (|("ldap://localhost/ou=develop,dc=company,dc=com?cn")("ldap://localhost/ou=testing,dc=company,dc=com?cn"))
require valid-user
######

when restart apache ,there is the failed message:
----------------------------------------------------------------------------------
Starting httpd: Syntax error on line 44 of /etc/httpd/conf.d/application_auth.conf:
The scheme was not recognised as a valid LDAP URL scheme.
----------------------------------------------------------------------------------

Can you tell me how to write two DNs in a URL? Or other methods to make a couple of groups authorized for the same application?

Thank you very much, and any help is appreciated.

rok | April 15, 2009 at 01:34 AM

rok,
Well, you're using the wrong syntax for specifying redundant LDAP servers. The Apache documentation says that you use one AuthLDAPUrl directive and in its value, you separate the redundant LDAP servers with a space. Here is the direct link: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl Apache's documentation is very in depth and should be consulted anytime you're working with Apache.

Take care,

Jeremy

Jeremy Whitlock | April 15, 2009 at 08:56 AM

If any of you downloaded the sync_ldap_groups_to_svn_authz-*.tar.gz from http://www.thoughtspark.org/node/26 before this comment's post date, you need to update your installation. There was a bug found in versions prior to 1.0.2 that broke the support for nested groups. Please redownload the latest sync_ldap_groups_to_svn_authz-*.tar.gz, which is version 1.0.2 right now.

Jeremy Whitlock | April 15, 2009 at 11:50 AM

hi Jeremy,

I have not downloaded the sync_ldap_groups_to_svn_authz-*.tar.gz before; maybe I should try it. I had thought it was not necessary to install it because my goal is just to make users in two groups in my LDAP server able to access Subversion or another directory in Apache's RootDocument: just access it, but not read, write or other permissions.

However, I will try it, and thank you for the helpful advice; I really should read Apache's documentation with more care.

rok | April 15, 2009 at 07:28 PM

Additional remarks: the two groups are in one LDAP server, such as below:
LDAP Server:

company.com
|-----develop
|-----testing
|-----other groups

Apache's RootDocument:
localhost
|---subversion
|---directory1(folder)
|---directory2(folder)
|---......
|---directoryN(folder)


And my goal is that only users in develop and testing (develop + testing, not both) could access a directory; for example the directory is subversion, which could be seen as just a folder under Apache's RootDocument.

rok | April 15, 2009 at 07:57 PM

rok,
The tip about the new version of the sync_ldap_groups_to_svn_authz was for the general public, not you. :) I hope you do use it if it has value for you but it was completely unrelated. Sorry if there was any confusion.

Jeremy Whitlock | April 15, 2009 at 11:51 PM

Jeremy,

Ok,I really thank you for the help and maybe I will use your script for a more practical application later. That's was a next stage of my work.

I am sorry to disappoint your hope. Yeah, thanks for the reply; it gives me a lot of courage to solve my problem, though it is still in mid air.

rok | April 16, 2009 at 07:07 PM

Hi Jeremy,
I wanted to use Directory groups for SVN Authorization (path based access control) without copying the groups from directory services to AuthzSVNAccessFile. Is that possible?

decafc | April 23, 2009 at 01:09 PM

decafc,
Yes. You can use my Python script here:

http://www.thoughtspark.org/node/26

It is documented, tested and working. Let me know how it treats you.

Take care,

Jeremy

Jeremy Whitlock | April 23, 2009 at 01:16 PM

Thanks for your quick response !
I already went through your website. Your script is copying the group info from the Directory service to AuthzSVNAccessFile. But what I am trying to achieve is to authorize a person through Apache directly checking with the Directory service to see if that person is part of some group. It is like, I don't want to maintain the group info in AuthzSVNAccessFile; however, I will have the group name and the repo to which this group has access in AuthzSVNAccessFile.

decafc | April 23, 2009 at 02:30 PM

What configuration has to happen on Windows/AD end to allow for LDAP or am I missing something? Confused!

Dave

Dave Hassel | April 24, 2009 at 12:35 PM

Dave,
The configuration above *is* for Active Directory. Are you running into troubles?

Take care,

Jeremy

Jeremy Whitlock | April 24, 2009 at 01:01 PM

I'm new to SVN & LDAP. Doesn't there have to be a user/pw that AD knows about? What can I use to test communication from Sun to AD (to list users/groups/etc.)?

Dave Hassel | April 24, 2009 at 01:11 PM

Dave,
If you read the blog above, you'll get your answer. In the configuration, which you could just copy/paste/refactor, it has the username/password used to "bind" to the directory server, which in this case is an Active Directory instance. To test, just use any LDAP browsing tool. Google "LDAP Browser" and you see many that are free/open source that you can try right now.

Take care,

Jeremy

Jeremy Whitlock | April 24, 2009 at 01:14 PM

But doesn't the "bind" user need to be in AD & a pw set?

Dave | April 24, 2009 at 01:23 PM

Where do I find mod_ldap.so in CollabNet's packages?

Dave | April 27, 2009 at 01:42 PM

The Apache modules are all statically compiled in. So they are there, you just do not see the .so

Mark Phippard | April 29, 2009 at 07:51 AM

Hi Jeremy,
Please answer my question posted above.
I don't want to copy the DS group info to AuthzSVNAccessFile because there are many groups in DS. So, is there a way I can do the authorization directly in DS. Or is there a way, where I can specify the groups which alone needs to be copied to AuthzSVNAccessFile ?

decafc | April 29, 2009 at 12:04 PM

decafc,
Well, Apache lets you use a "Require ldap-group" but it's only blanket-level authorization. As for specifying which groups could be brought over, you can create any LDAP query that you need to restrict what constitutes a valid group to bring over via my script. The --help output should give you an idea of what things you can tweak. You can also just point the script at a lower path in the directory as well.

Take care,

Jeremy

Jeremy Whitlock | April 30, 2009 at 09:09 AM

Thanks for the great article. I confirm that it worked almost out-of-the-box with Debian 5 Lenny.
Just as a note, a mistake that could be quite common (at least I did it :P ): don't forget to set repos permissions according to the Apache user. Apache must be able to physically write in the repo directories or commits won't work.
Thanks again for this guide

Vide | May 05, 2009 at 03:46 AM

Hi. I just installed the most recent copy of CollabNet Subversion on RHEL5 as well as on Solaris 10. I was trying to get the LDAP/AD authentication going but the config errors out saying that it could not find the modules from these lines:

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so


I ran a find on the system and those files are not found. Do I need to install LDAP separately? Thanks.

BSantos | May 07, 2009 at 10:08 AM

No. For the CollabNet binaries, the ldap modules are built into httpd statically. In that case, you can omit the two LoadModule lines.

Jeremy Whitlock | May 07, 2009 at 10:11 AM

I had to remove the lines for:

# Load Apache LDAP modules
# Load Subversion Apache Modules


I Finally got it working with our AD servers. Thanks again!

BSantos | May 07, 2009 at 12:43 PM

One more thing... Do you happen to know the syntax to rotate the svn logs...

CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION


Thanks.

BSantos | May 08, 2009 at 05:08 AM

Something odd here. We've got our svn test server on a Fedora 9 box, everything works fine. I setup the production one on Centos 5 and all was fine until we turned on the LDAP auth. I used exactly the same config file from Fedora, made sure all modules were on, etc. and it doesn't work. However, when I sniff the traffic from the Centos -> LDAP server I see coming back:

LDAP searchResDone(3) success

So it appears the LDAP server (OSX openldap) is saying that it's all good, but yet SVN still complains. The only restriction I have is Require valid-user.

Anyone have any idea why CentOS would fail?

Thanks!
Dan

Daniel Wittenberg | May 12, 2009 at 10:24 AM

Hi,

Thanks for the tutorial.

But if the LDAP returns the error code 773 "User must reset password",

how do you intercept this error?
how do you manage this error?

can Apache or Subversion help the user to change the password ?

Thanks

lFora | May 13, 2009 at 12:50 AM

Too bad I didn't have this post 2 years ago when I set up our Subversion to authenticate on our eDirectory tree.


Charles | May 13, 2009 at 08:10 AM

lFora,
Neither Subversion nor Apache will assist you in changing your password. I'd hope that the Apache error message would tell you this error occurred, but if it doesn't, I'm not sure what you could do other than checking the Apache logs to see why what you think is a valid set of login credentials didn't work.

Charles,
I'm glad that it appears to be helpful to you.

Jeremy Whitlock | May 13, 2009 at 08:50 AM

When I log in to svn via Apache I have to authenticate again very often. That's not usable. How can one stop that, so Apache remembers that I have already authenticated?

Thanks
Heinz

Heinz | June 10, 2009 at 07:43 AM

What are you using to access the repository? If you're using a Subversion client, the client should cache your credentials unless you tell it otherwise. If you're not using a Subversion client, like a web browser, it's really up to the tool to cache credentials. Can you tell more about your setup?

Jeremy Whitlock | June 10, 2009 at 08:09 AM

Using Eclipse 3.3.0 and when clicking on every plus in the browser tree, I am asked for credentials. I can click "Save Password", but then it's stored on the disk and I do not want that.

Using TortoiseSVN 1.6.2 for svn checkout, svn commit, svn update I am asked explicitly for credentials again.

Here is my dav_svn.conf:

RedirectMatch ^(/svn)$ $1/
CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION

DAV svn
SVNParentPath /var/svn
SVNListParentPath On
SVNAutoversioning On
SVNReposName "Subversion Repository"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldapserver.domain.tld:9389/ou=People,o=company"
AuthType Basic
AuthName "Subversion Authentication"
Require user xuser yuser zuser

Heinz | June 11, 2009 at 12:50 AM

Eclipse 3.3.0 with Subclipse 1.6.x Plugin

Heinz | June 11, 2009 at 12:53 AM

Client OS: Window$ XP

Server:
Subversion Server 1.4.2
OS Linux

Heinz | June 11, 2009 at 01:19 AM

Heinz,
This is not a server configuration thing. No matter how you have your server configured, it's the Subversion client that dictates credential caching. Subversion by default caches your credentials, encrypted on Windows and OS X, on your filesystem. If you do not want that, you have to explicitly tell your client not to do that. If your Subversion client has cached your credentials and you do not want that, search for the file with the cached credentials in %APPDATA%/Subversion/auth/ based on the URL and then delete that file. This is a client-side issue and has nothing to do with your server configuration.

Jeremy Whitlock | June 11, 2009 at 08:52 AM

I have installed usvn on Ubuntu; I have an LDAP server and a Samba server installed on Ubuntu too. How can I authenticate Subversion by LDAP? Thanks for helping.

freebo | August 19, 2009 at 07:45 AM

Our LDAP has our users authenticating via their "uid", which is a simple employee number. This makes it hard to determine who did what in all of our commit logs. Is there a way to have the svn committer be a different LDAP field than the one they use for their svn --username? In our case I'd like to use a concatenation of the user's "givenName" and "sn" fields or, if that's not possible, their "mail" field would suffice.

Eric Smalling | August 21, 2009 at 09:19 AM

Eric,
What I've seen is people using the post-commit hook to handle this. What you can do is use svnlook to get the author of the newly created revision, look it up in LDAP, get the preferred name to display/store in Subversion and then update the svn:author revision property for the newly created revision with the preferred username. Shouldn't be too hard with a little python and python-ldap.

Take care,

Jeremy

Jeremy Whitlock | August 21, 2009 at 02:45 PM
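Jeremy's post-commit approach above, as an added example that is not code from the blog or from Subversion: the hook reads the committer with svnlook, looks the uid up with python-ldap (givenName + sn, falling back to mail) and rewrites svn:author with svnadmin setrevprop. LDAP_URL and BASE_DN are placeholders, and python-ldap plus a Subversion 1.5 or later server are assumptions.

```python
#!/usr/bin/env python3
# Added example, not code from the blog or from Subversion: a post-commit hook
# that replaces the employee-number uid in svn:author with an LDAP display name.
# Assumptions: python-ldap is installed, LDAP_URL and BASE_DN are placeholders,
# svnlook/svnadmin are on PATH and the server is Subversion 1.5 or later.
import subprocess, sys, tempfile

LDAP_URL = "ldap://ldap.example.com:389"  # placeholder
BASE_DN = "ou=People,o=company"           # placeholder

def escape_filter(value):
    """RFC 4515 escaping so the author string cannot alter the search filter."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                    (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, esc)
    return value

def display_name(uid, entry):
    """Prefer 'givenName sn', then mail, else keep the uid.
    entry is the attribute dict python-ldap returns (values are lists of bytes)."""
    def first(attr):
        vals = entry.get(attr) or []
        return vals[0].decode("utf-8", "replace").strip() if vals else ""
    given, sn, mail = first("givenName"), first("sn"), first("mail")
    return "%s %s" % (given, sn) if given and sn else (mail or uid)

def lookup_entry(uid):
    """Fetch the committer's entry; returns the attribute dict or None."""
    import ldap  # python-ldap
    conn = ldap.initialize(LDAP_URL)
    conn.simple_bind_s()  # anonymous read; bind a service account if required
    res = conn.search_s(BASE_DN, ldap.SCOPE_SUBTREE, "(uid=%s)" % escape_filter(uid),
                        ["givenName", "sn", "mail"])
    return res[0][1] if res else None

def main(repos, rev):
    uid = subprocess.run(["svnlook", "author", "-r", rev, repos], check=True,
                         capture_output=True, text=True).stdout.strip()
    name = display_name(uid, lookup_entry(uid) or {})
    if name != uid:
        with tempfile.NamedTemporaryFile("w", delete=False) as f:
            f.write(name)  # svnadmin setrevprop reads the new value from a file
        # setrevprop bypasses pre-revprop-change, so no extra hook is needed
        subprocess.run(["svnadmin", "setrevprop", repos, "-r", rev,
                        "svn:author", f.name], check=True)

if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2])
```

Install it as REPOS/hooks/post-commit; it receives the repository path and revision as its two arguments.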

Does anyone have experience with Subversion with Apache and SLAPD? I am trying to encrypt over SSL and am not sure of the correct way to configure LDAP, Subversion and/or HTTPD and SLAPD. Thanks

Patricia Moss | August 24, 2009 at 09:54 AM

I have a test server with the following code in the httpd.conf file.
It's Apache 2.2.9 on Ubuntu Linux.

AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "My Subversion server"
AuthLDAPURL "ldap://my.server:389/DC=mydepartment,DC=myschool,DC=edu?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "mylockeddownuser@mydepartment.myschool.edu"
AuthLDAPBindPassword mypassword
require valid-user


Under this setup, everything works fine.

However, if you put in the exact same code in the httpd.conf file on
Windows Server 2008 enterprise with Apache 2.2.11, it does not work.

Any ideas?

Rowland | October 27, 2009 at 12:56 PM

Rowland,
If you could quantify "does not work", that would be helpful. Are you seeing errors in the Apache logs? I'd need more information since in theory, an Apache Location block should work the same on different operating systems assuming the major Apache version is the same, which in your case it is. I'll need more information.

Take care,

Jeremy

Jeremy Whitlock | October 27, 2009 at 01:01 PM

Hi Jeremy.

Thank you for the fast reply. I've tried several different browsers (Firefox, Opera, IE8) with the same results.

When I access the website hosted on the Win2K8 machine, I receive a 500 error:

Server error!

The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script.

If you think this is a server error, please contact the webmaster.
Error 500
My IP address
10/27/09 15:31:49
Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9

The Apache log lists:

Content-language: en
Content-type: text/html; charset=ISO-8859-1
Body:----------en--


This server could not verify that you are authorized to access
the URL "".
You either supplied the wrong credentials (e.g., bad password), or your
browser doesn't understand how to supply the credentials required.

In case you are allowed to request the document, please
check your user-id and password and try again.

Thank you again for your help.

Rowland | October 27, 2009 at 01:34 PM

Why don't we take this to a forum so you can paste your configuration. (http://subversion.open.collab.net/ds/viewForumSummary.do?dsForumId=3)

Jeremy Whitlock | October 27, 2009 at 03:08 PM

Hi, the Apache 2.2.* configuration file has a problem.

"AuthLDAPAuthoritative on" has to be changed to "AuthzLDAPAuthoritative on".

Other than that, great tutorial, worked for me.

Thanks..
Regards..

Yasith Tharindu | January 16, 2010 at 08:40 AM

I got this to work with two important changes:

Create a file called /subversion/apache2/auth/repos.acl with contents:

[/]
* = rw

Change

AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=your,DC=domain"

to

AuthLDAPBindDN "username@your.domain"

louiechristiehub | January 25, 2010 at 10:49 AM

Hello,

I have set up the SVN server using Apache (LDAP+SSL). When I try to login through the Tortoise SVN client I face issues in logging in with the following error in logs "auth_ldap authenticate: user abc authentication failed; URI /test [ldap_search_ext_s() for user failed][Operations Error]"
When I restart my machine I am able to login successfully.

Apache(httpd.conf) configuration below.
##################
#Subversion configuration - Enable LDAP

DAV svn
SVNPath C:/svnroot/test
#Do basic password authentication in the clear
AuthType Basic
AuthName "Subversion Repository"
#Make LDAP the authentication mechanism
AuthBasicProvider "ldap"
#Options FollowSymLinks
Order allow,deny
Allow from all
#The LDAP query URL
AuthLDAPURL "ldap://server.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
#Make LDAP authentication final
AuthzLDAPAuthoritative off
#Active Directory requires an authenticating DN to access records
AuthLDAPBindDN "abc@example.com"
#This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword "mypasswd123"
AuthzSVNAccessFile C:/etc/svn-acl_intel
Require valid-user

##################

Secondly, I do not want to keep the password "AuthLDAPBindPassword "mypasswd123" ". Is there a way where I can take the password as input?

Please let me know if there is any solution to the above problem.

Thanks
-Megha

megha | February 08, 2010 at 04:05 AM

Megha,
If things work after a reboot, that leads me to believe that you didn't restart Apache after you made changes to your Apache configuration and the reboot basically restarted Apache. As for storing the AuthLDAPBindPassword in clear text within httpd.conf, there is no other option. Since servers are usually secured properly, most don't have to worry about the password being in clear text. But if you want another level of security, just create a "service account" user and have that user in your configuration.

Take care,

Jeremy

Jeremy Whitlock | February 08, 2010 at 07:42 AM
