
Subversion with Apache and LDAP


The purpose of the Definitive Guide is to provide a single location for questions for Apache 2.0.x
and 2.2.x, while also providing more depth about things to consider when building your
Apache-based Subversion server using LDAP for authentication.
The Configuration
For those of you that just want to get to the point, where you can copy and paste and move on, here
you go:
Example Apache 2.2.x Configuration Snippet
# Load Apache LDAP modules
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
# Load Subversion Apache Modules
# Use full path to SUBVERSION_HOME/bin/mod_dav_svn.so on Windows
LoadModule dav_svn_module modules/mod_dav_svn.so
# Use full path to SUBVERSION_HOME/bin/mod_authz_svn.so on Windows
LoadModule authz_svn_module modules/mod_authz_svn.so
# Work around authz and SVNListParentPath issue
RedirectMatch ^(/repos)$ $1/
# Enable Subversion logging
CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION
<Location /repos/>
  # Enable Subversion
  DAV svn
  # Directory containing all repository for this path
  SVNParentPath /subversion/svn-repos
  # List repositories collection
  SVNListParentPath On
  # Enable WebDAV automatic versioning
  SVNAutoversioning On
  # Repository Display Name
  SVNReposName "Your Subversion Repository"
  # Do basic password authentication in the clear
  AuthType Basic
  # The name of the protected area or "realm"
  AuthName "Your Subversion Repository"
  # Make LDAP the authentication mechanism
  AuthBasicProvider ldap
  # Make LDAP authentication final
  AuthzLDAPAuthoritative on
  # Active Directory requires an authenticating DN to access records
  AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=your,DC=domain"
  # This is the password for the AuthLDAPBindDN user in Active Directory
  AuthLDAPBindPassword ldappassword
  # The LDAP query URL
  AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
  # Require a valid user
  Require valid-user
  # Authorization file
  AuthzSVNAccessFile /subversion/apache2/auth/repos.acl
</Location>
Example Apache 2.0.x Configuration Snippet
# Load Apache LDAP modules
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
# Load Subversion Apache Modules
# Use full path to SUBVERSION_HOME/bin/mod_dav_svn.so on Windows
LoadModule dav_svn_module modules/mod_dav_svn.so
# Use full path to SUBVERSION_HOME/bin/mod_authz_svn.so on Windows
LoadModule authz_svn_module modules/mod_authz_svn.so
# Work around authz and SVNListParentPath issue
RedirectMatch ^(/repos)$ $1/
# Enable Subversion logging
CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION
<Location /repos/>
  # Enable Subversion
  DAV svn
  # Directory containing all repository for this path
  SVNParentPath /subversion/svn-repos
  # List repositories collection
  SVNListParentPath On
  # Enable WebDAV automatic versioning
  SVNAutoversioning On
  # Repository Display Name
  SVNReposName "Your Subversion Repository"
  # LDAP Authentication is final
  AuthLDAPAuthoritative on
  # Do basic password authentication in the clear
  AuthType Basic
  # The name of the protected area or "realm"
  AuthName "Your Subversion Repository"
  # Active Directory requires an authenticating DN to access records
  AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=your,DC=domain"
  # This is the password for the AuthLDAPBindDN user in Active Directory
  AuthLDAPBindPassword ldappassword
  # The LDAP query URL
  AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
  # Require authentication
  Require valid-user
  # Authorization file
  AuthzSVNAccessFile /subversion/apache2/auth/repos.acl
</Location>
(The configurations above were for pointing to an Active Directory (AD) server.)
Understanding the Configuration
So...the above Apache configurations are what I personally use when building an Apache-based
server. Obviously there are changes that need to be made depending on the environment, but for
now, it's a great start. To make the best of this opportunity, let's talk about the miscellaneous parts of
the configuration.
SVNListParentPath and Subversion's authz
One of the first problems people run into when building an Apache-based Subversion server is
when they want to have mod_dav_svn serve a list of repositories. Everything works fine until they
enable Subversion's authorization (authz) support. What happens is the server will be configured
properly and secured properly, but when you go to the repository collection list, which in our case is
http://localhost/repos, you are forbidden to view the collection even if you have access. Well, with
the RedirectMatch closer to the top of the configuration, you fix this issue. How, you might be
asking? The reason is that when you enable authz, you must have a trailing slash at the end of the
collection URL. With the RedirectMatch, we automatically redirect URLs to the collection listing when
there is no trailing slash. Problem solved.
Custom Subversion Logging
Subversion uses Apache's WebDAV support for providing access to its repositories when using
Apache. Unfortunately, when you look at Apache's access logs to try and see your Subversion
usage, you end up with a lot of WebDAV communication being logged and you only see a portion
of the actual client/server communication. This is because mod_dav_svn uses Apache subrequests
and Apache does not log subrequests. Even if it did, turning the Subversion communication in the
Apache access log into something meaningful would be nearly impossible. That being said, the
configuration above has been set up to use one of Subversion's features, Apache Logging, which
takes the guesswork out.
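One way to read the resulting svn_logfile, as an added example that is not part of the original guide: it parses lines in the "%t %u %{SVN-ACTION}e" format, groups operations by user, and sets aside entries logged without an authenticated user, which are worth a look when the location is protected by Require valid-user. The sample lines, user names and paths are constructed, and the function names are illustrative.

```python
import re
from collections import defaultdict

# One line per Subversion operation, as written by
#   CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION
LINE = re.compile(
    r"^\[(?P<time>[^\]]+)\] (?P<user>\S+) (?P<action>\S+) ?(?P<detail>.*)$"
)

# Constructed sample lines (not real log data).
SAMPLE = """\
[12/Mar/2024:09:15:02 +0000] alice checkout-or-export /trunk r41 depth=infinity
[12/Mar/2024:09:17:40 +0000] alice commit r42
[12/Mar/2024:09:20:11 +0000] bob update /trunk r42 depth=infinity
[12/Mar/2024:09:21:05 +0000] - get-dir /tags r42 props
not a log line
"""

def parse(text):
    """Yield one dict per well-formed log line; skip anything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def audit(text):
    """Group actions by user and collect entries with no authenticated user."""
    by_user = defaultdict(list)
    unauthenticated = []
    for entry in parse(text):
        if entry["user"] == "-":  # %u logs "-" when no user was authenticated
            unauthenticated.append(entry)
        else:
            by_user[entry["user"]].append(entry["action"])
    return dict(by_user), unauthenticated

if __name__ == "__main__":
    users, anonymous = audit(SAMPLE)
    for name, actions in sorted(users.items()):
        print(name, actions)
    for entry in anonymous:
        print("no user:", entry["time"], entry["action"], entry["detail"])
```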
Subversion Configuration
The other Subversion-specific parts of the Apache configuration are pretty self-explanatory. To
summarize what is enabled with the above:
SVNListParentPath: Enables the ability to browse the location root and get a list of repositories being served by that URL base
SVNAutoversioning: Enables the use of WebDAV clients to make changes to the repository contents without using a Subversion client
SVNParentPath: Enables serving N number of repositories for the URL base
SVNReposName: Enables you to put in your own text to be visible in the web browser when browsing your repository contents via the built-in repository browser provided by mod_dav_svn
AuthzSVNAccessFile: Tells Subversion's mod_authz_svn module where to find the authz file.
For more details about the Subversion-specific Apache directives, and a list of even more ways you
can configure your Apache-based Subversion server, view the mod_dav_svn and the
mod_authz_svn documentation.
LDAP Configuration
The LDAP portion of the Apache configuration is where most people run into problems. That being
said, we'll spend a little more time explaining the Apache LDAP configuration. The most important
thing to note is the subtle differences between Apache 2.0.x and Apache 2.2.x:
Apache 2.0.x          | Apache 2.2.x
-----------------------------------------------
AuthLDAPAuthoritative | AuthzLDAPAuthoritative
AuthLDAPBindDN        | AuthLDAPBindDN
AuthLDAPBindPassword  | AuthLDAPBindPassword
AuthLDAPURL           | AuthLDAPURL
                      | AuthBasicProvider
You should note that the Apache LDAP module names have also changed between Apache 2.0.x
and 2.2.x. Now that we see the naming changes, let's talk about how to properly use these Apache
directives to get the LDAP-based authentication you're looking for. (I will be using the Apache
2.2.x names for the Apache directives. If you're still using Apache 2.0.x, please refer to the
table above for how to take my documentation and apply it to Apache 2.0.x.)
AuthzLDAPAuthoritative: Tells Apache whether or not a failed authentication request can be passed to other Apache modules
AuthLDAPBindDN: The distinguished name of the user account that Apache will use to connect to the directory system to perform its user authentication
AuthLDAPBindPassword: The password for the user account configured via the AuthLDAPBindDN directive
AuthLDAPURL: This is a URL that tells where the directory server is, where to look for users, what user attribute is used to identify a user and other miscellaneous things specific to the LDAP query syntax (more on this later)
AuthBasicProvider: This tells Apache which authentication module you want to use for Basic authentication
All of the directives above are pretty straightforward except for the AuthLDAPURL directive,
which we will discuss in more detail below. For any other Apache configuration questions,
please refer to the Apache documentation for your respective Apache version.
The LDAP Query URL
For most, the AuthLDAPURL directive is the most challenging to understand. There is good
reason for this. That one directive actually consists of 6+ pieces of information that will be different
for each Subversion server. Let's break our example AuthLDAPURL into its pieces and discuss the
importance, and nuances, of each.
For simplicity, here is the URL again, in its entirety:
ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)
URL scheme: [ldap] This is nothing more than a URL scheme. It will usually be either 'ldap' or 'ldaps' in the event that you're using SSL for accessing your directory server.
Hostname: [your.domain] This is the IP address or hostname of your directory server.
Port: [389] This is the port the server is listening on for directory server communication.
Search Base: [DC=your,DC=domain] This is the distinguished name of the path in the directory tree that you want to search for users.
Username attribute: [sAMAccountName] This is the attribute that contains the login name being used.
Query scope: [sub] This tells the directory server what type of query to perform.
Filter: [(objectClass=*)] This tells the directory server to filter the query for objects matching a particular filter.
For more details on constructing an LDAP URL, which is a standard and not specific to Apache, view
RFC 2255.
Working with Active Directory
Active Directory is known as a Multi-Master Directory System. This being said, each directory
server in AD does not always have all the necessary information to perform all directory server
requests. The best way to handle this is to have Apache query a Global Catalog. A Global Catalog
server has the ability to search the whole forest for users. This means if you want to do
domain-wide searches or larger, you need to point to a Global Catalog and you need to update your Apache
configuration accordingly. When using a Global Catalog, you should be using port 3268 when
performing your queries.
Searching for Users
In the example URL above, the sAMAccountName attribute is used to identify the username. This
attribute is Windows/Active Directory specific, so for those of you using OpenLDAP or another
option, that attribute probably will not exist. Change your attribute accordingly. For example, if
you wanted to use the Common Name to log in, you could specify "CN" as the attribute.
LDAP Query Tuning
The last thing we will talk about is the ability to use filters to make your LDAP query a little more
specific. In the example URL above we used "(objectClass=*)", which will search for all objects. If
you know that you only want to search for a particular object type, like the "user" type, you could
use "(objectClass=user)" instead.
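The URL pieces, the Global Catalog port and the filter choice discussed above can be checked mechanically. This added example (not from the original guide) splits an AuthLDAPURL value into its parts, applies the defaults that mod_authnz_ldap documents (uid, sub, (objectClass=*)), and builds the (&(filter)(attribute=username)) search filter used for a login, with RFC 4515 escaping of the username. The function names are made up for illustration, and IPv6 or multi-host URLs are not handled.

```python
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
GC_PORTS = {3268, 3269}  # Active Directory Global Catalog, plain and SSL

def parse_ldap_url(url):
    """Split scheme://host:port/base?attribute?scope?filter into its pieces."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("expected an ldap:// or ldaps:// URL")
    hostport, _, query = rest.partition("/")
    host, _, port = hostport.partition(":")
    # Trailing fields may be omitted; pad so all four always exist.
    fields = [unquote(f) for f in query.split("?", 3)]
    base, attr, scope, flt = fields + [""] * (4 - len(fields))
    return {
        "scheme": scheme, "host": host,
        "port": int(port) if port else DEFAULT_PORTS[scheme],
        "base": base,
        "attribute": attr or "uid",          # mod_authnz_ldap defaults
        "scope": scope or "sub",
        "filter": flt or "(objectClass=*)",
    }

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def login_filter(parts, username):
    """Filter sent for one login: (&(filter)(attribute=username))."""
    return "(&%s(%s=%s))" % (parts["filter"], parts["attribute"],
                             escape_filter_value(username))

def review(parts):
    """Return short notes on settings worth a second look."""
    notes = []
    if parts["scheme"] == "ldap":
        notes.append("cleartext LDAP: use ldaps where the server supports it")
    if parts["port"] in GC_PORTS:
        notes.append("Global Catalog port: search spans the whole forest")
    if parts["filter"] == "(objectClass=*)":
        notes.append("filter matches every object; (objectClass=user) is narrower")
    return notes

EXAMPLE = "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
if __name__ == "__main__":
    parts = parse_ldap_url(EXAMPLE)
    print(parts)
    print(login_filter(parts, "jdoe"))
    print(review(parts))
```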
Conclusion
Building an Apache-based Subversion server with LDAP as the authentication mechanism can be
daunting for some. I hope this has made things easier for you.
CollabNet Subversion: Subversion with Apache and LDAP
