CollabNet Subversion - Subversion with Apache and LDAP

The purpose of the Definitive Guide is to provide a single location for questions for Apache 2.0.x and 2.2.x, while also providing more depth about things to consider when building your Apache-based Subversion server using LDAP for authentication.

The Configuration

For those of you that just want to get to the point, where you can copy and paste and move on, here you go:

Example Apache 2.2.x Configuration Snippet

    # Load Apache LDAP modules
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

    # Load Subversion Apache Modules
    # Use full path to SUBVERSION_HOME/bin/mod_dav_svn.so on Windows
    LoadModule dav_svn_module modules/mod_dav_svn.so
    # Use full path to SUBVERSION_HOME/bin/mod_authz_svn.so on Windows
    LoadModule authz_svn_module modules/mod_authz_svn.so

    # Work around authz and SVNListParentPath issue
    RedirectMatch ^(/repos)$ $1/

    # Enable Subversion logging
    CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION

    <Location /repos/>
      # Enable Subversion
      DAV svn

      # Directory containing all repositories for this path
      SVNParentPath /subversion/svn-repos

      # List repositories collection
      SVNListParentPath On

      # Enable WebDAV automatic versioning
      SVNAutoversioning On

      # Repository Display Name
      SVNReposName "Your Subversion Repository"

      # Do basic password authentication in the clear
      AuthType Basic

      # The name of the protected area or "realm"
      AuthName "Your Subversion Repository"

      # Make LDAP the authentication mechanism
      AuthBasicProvider ldap

      # Make LDAP authentication final
      AuthzLDAPAuthoritative on

      # Active Directory requires an authenticating DN to access records
      AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=your,DC=domain"

      # This is the password for the AuthLDAPBindDN user in Active Directory
      AuthLDAPBindPassword ldappassword

      # The LDAP query URL
      AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"

      # Require a valid user
      Require valid-user

      # Authorization file
      AuthzSVNAccessFile /subversion/apache2/auth/repos.acl
    </Location>

Example Apache 2.0.x Configuration Snippet

    # Load Apache LDAP modules
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule auth_ldap_module modules/mod_auth_ldap.so

    # Load Subversion Apache Modules
    # Use full path to SUBVERSION_HOME/bin/mod_dav_svn.so on Windows
    LoadModule dav_svn_module modules/mod_dav_svn.so
    # Use full path to SUBVERSION_HOME/bin/mod_authz_svn.so on Windows
    LoadModule authz_svn_module modules/mod_authz_svn.so

    # Work around authz and SVNListParentPath issue
    RedirectMatch ^(/repos)$ $1/

    # Enable Subversion logging
    CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION

    <Location /repos/>
      # Enable Subversion
      DAV svn

      # Directory containing all repositories for this path
      SVNParentPath /subversion/svn-repos

      # List repositories collection
      SVNListParentPath On

      # Enable WebDAV automatic versioning
      SVNAutoversioning On

      # Repository Display Name
      SVNReposName "Your Subversion Repository"

      # LDAP Authentication is final
      AuthLDAPAuthoritative on

      # Do basic password authentication in the clear
      AuthType Basic

      # The name of the protected area or "realm"
      AuthName "Your Subversion Repository"

      # Active Directory requires an authenticating DN to access records
      AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=your,DC=domain"

      # This is the password for the AuthLDAPBindDN user in Active Directory
      AuthLDAPBindPassword ldappassword

      # The LDAP query URL
      AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"

      # Require authentication
      Require valid-user

      # Authorization file
      AuthzSVNAccessFile /subversion/apache2/auth/repos.acl
    </Location>

(The configurations above were for pointing to an Active Directory (AD) server.)

Understanding the Configuration

So...the above Apache configurations are what I personally use when building an Apache-based server. Obviously there are changes that need to be made depending on the environment, but for now, it's a great start. To make the best of this opportunity, let's talk about the miscellaneous parts of the configuration.

SVNListParentPath and Subversion's authz

One of the first problems people run into when building an Apache-based Subversion server is when they want to have mod_dav_svn serve a list of repositories. Everything works fine until they enable Subversion's authorization (authz) support. What happens is the server will be configured properly and secured properly but when you go to the repository collection list, which in our case is http://localhost/repos, you are forbidden to view the collection even if you have access. Well, with the RedirectMatch closer to the top of the configuration, you fix this issue.
How, you might be asking? The reason is that when you enable authz, you must have a trailing slash at the end of the collection url. With the RedirectMatch, we automatically redirect urls to the collection listing when there is no trailing slash. Problem solved.

Custom Subversion Logging

Subversion uses Apache's WebDAV support for providing access to its repositories when using Apache. Unfortunately, when you look at Apache's access logs to try and see your Subversion usage, you end up with a lot of WebDAV communication being logged and you only see a portion of the actual client/server communication. This is because mod_dav_svn uses Apache subrequests and Apache does not log subrequests. Even if it did, turning the Subversion communication in the Apache access log into something meaningful would be nearly impossible. That being said, the configuration above has been set up to use one of Subversion's features: Apache Logging, which takes the guesswork out.

Subversion Configuration

The other Subversion-specific parts of the Apache configuration are pretty self-explanatory. To summarize what is enabled with the above:

- SVNListParentPath: Enables the ability to browse the location root and get a list of repositories being served by that url base
- SVNAutoversioning: Enables the use of WebDAV clients to make changes to the repository contents without using a Subversion client
- SVNParentPath: Enables serving N number of repositories for the url base
- SVNReposName: Enables you to put in your own text to be visible in the web browser when browsing your repository contents via the built-in repository browser provided by mod_dav_svn
- AuthzSVNAccessFile: Tells Subversion's mod_authz_svn module where to find the authz file.

For more details about the Subversion-specific Apache directives, and a list of even more ways you can configure your Apache-based Subversion server, view the mod_dav_svn and the mod_authz_svn documentation.
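
An added example (not part of the original guide): a Python summary of the file written by the CustomLog line above, using its "%t %u %{SVN-ACTION}e" format. The sample lines and user names are constructed, and the set of actions counted as writes is an assumption; with Require valid-user in force, an entry whose user is "-" means a request reached the repository without authenticating.

```python
import re
from collections import defaultdict

# One line of the format "%t %u %{SVN-ACTION}e": [timestamp] user action [arguments]
LINE = re.compile(r"^\[(?P<time>[^\]]+)\] (?P<user>\S+) (?P<action>\S+) ?(?P<args>.*)$")

# Assumption of this example: actions that change the repository or its locks.
WRITE_ACTIONS = {"commit", "lock", "unlock", "change-rev-prop"}

# Constructed sample lines, not taken from a real server.
SAMPLE = """\
[26/Jan/2008:22:24:20 -0600] alice get-dir /trunk r1729 props
[26/Jan/2008:22:24:27 -0600] alice commit r1730
[26/Jan/2008:22:25:31 -0600] bob checkout-or-export /trunk r1730 depth=infinity
[26/Jan/2008:22:26:02 -0600] - get-dir /tags r1730 text
garbage
""".splitlines()

def summarise(lines):
    """Count reads and writes per user; collect anonymous and unparsable lines."""
    per_user = defaultdict(lambda: {"reads": 0, "writes": 0})
    anonymous, unparsed = [], []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            unparsed.append(line)
            continue
        if m["user"] == "-":
            # Apache writes "-" for %u when no user was authenticated.
            anonymous.append(line)
            continue
        kind = "writes" if m["action"] in WRITE_ACTIONS else "reads"
        per_user[m["user"]][kind] += 1
    return dict(per_user), anonymous, unparsed

if __name__ == "__main__":
    users, anonymous, unparsed = summarise(SAMPLE)
    for name, counts in sorted(users.items()):
        print(name, counts)
    print("anonymous entries:", len(anonymous), "unparsed:", len(unparsed))
```
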
LDAP Configuration

The LDAP portion of the Apache configuration is where most people run into problems. That being said, we'll spend a little more time explaining the Apache LDAP configuration. The most important thing to note is the subtle differences between Apache 2.0.x and Apache 2.2.x:

    Apache 2.0.x          | Apache 2.2.x
    -----------------------------------------------
    AuthLDAPAuthoritative | AuthzLDAPAuthoritative
    AuthLDAPBindDN        | AuthLDAPBindDN
    AuthLDAPBindPassword  | AuthLDAPBindPassword
    AuthLDAPURL           | AuthLDAPURL
                          | AuthBasicProvider

You should note that the Apache LDAP module names have also changed between Apache 2.0.x and 2.2.x. Now that we see the naming changes, let's talk about how to properly use these Apache directives to get the LDAP-based authentication you're looking for. (I will be using the Apache 2.2.x names for the Apache directives. If you're still using Apache 2.0.x, please refer to the table above for how to take my documentation and apply it to Apache 2.0.x.)

- AuthzLDAPAuthoritative: Tells Apache whether or not a failed authentication request can be passed to other Apache modules
- AuthLDAPBindDN: The distinguished name of the user account that Apache will use to connect to the directory system to perform its user authentication
- AuthLDAPBindPassword: The password for the user account configured via the AuthLDAPBindDN directive
- AuthLDAPURL: This is a url that tells where the directory server is, where to look for users, what user attribute is used to identify a user and other miscellaneous things specific to the LDAP query syntax (More on this later.)
- AuthBasicProvider: This tells Apache which authentication module you want to use for Basic authentication

All of the directives above are pretty straightforward except for the AuthLDAPURL directive. This directive we will discuss in more detail below.
For any other Apache configuration questions, please refer to the Apache Documentation for your respective Apache version.

The LDAP Query URL

For most, the AuthLDAPURL directive is the most challenging to understand. There is good reason for this. That one directive actually consists of 6+ pieces of information that will be different for each Subversion server. Let's break our example AuthLDAPURL into its pieces and discuss the importance, and nuances, of each. For simplicity, here is the url again, in its entirety:

    ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)

- Url scheme: "ldap". This is nothing more than a url scheme. It will usually be either 'ldap' or 'ldaps' in the event that you're using SSL for accessing your directory server.
- Hostname: "your.domain". This is the ip address or hostname of your directory server.
- Port: "389". This is the port the server is listening on for directory server communication.
- Search Base: "DC=your,DC=domain". This is the distinguished name to the path in the directory tree that you want to search for users.
- Username attribute: "sAMAccountName". This is the attribute that contains the login name being used.
- Query scope: "sub". This tells the directory server what type of query to perform.
- Filter: "(objectClass=*)". This tells the directory server to filter the query for objects matching a particular filter

For more details on constructing an ldap url, which is a standard and not specific to Apache, view RFC 2255.

Working with Active Directory

Active Directory is known as a Multi-Master Directory System. This being said, each directory server in AD does not always have all the necessary information to perform all directory server requests. The best way to handle this is to have Apache query a Global Catalog. A Global Catalog server has the ability to search the whole forest for users.
This means if you want to do domain-wide searches or larger, you need to point to a Global Catalog and you need to update your Apache configuration accordingly. When using a Global Catalog, you should be using port 3268 when performing your queries.

Searching for Users

In the example url above, the sAMAccountName attribute is used to identify the username. This attribute is Windows/Active Directory specific so for those of you using OpenLDAP or another option, that attribute probably will not exist. Change your attribute accordingly. An example is if you wanted to use the Common Name to log in, you could specify "CN" as the attribute.

LDAP Query Tuning

The last thing we will talk about is the ability to use filters to make your LDAP query a little more specific. In the example url above we used "(objectClass=*)", which will search for all objects. If you know that you only want to search for a particular object type, like the "user" type, you could use "(objectClass=user)" instead.

Conclusion

Building an Apache-based Subversion server with LDAP as the authentication mechanism can be daunting for some. I hope this has made things easier for you.
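
An added example, not from the original guide: Python functions that split an AuthLDAPURL value into the pieces listed under The LDAP Query URL and flag the points raised in the Active Directory and query tuning sections. The defaults for omitted pieces follow the mod_authnz_ldap documentation; port 3269 (Global Catalog over SSL), the host gc.your.domain and the finding names are assumptions of this example.

```python
from urllib.parse import unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
GLOBAL_CATALOG_PORTS = (3268, 3269)  # 3269 = Global Catalog over SSL (not on the page)

def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into its pieces.
    Assumes a single hostname or IPv4 address (no IPv6 literal, no host list)."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORT:
        raise ValueError("expected an ldap:// or ldaps:// URL")
    hostport, _, query = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError("missing hostname")
    # Pieces after the base DN are separated by '?'; pad the missing ones.
    base, attr, scope, flt = (unquote(p) for p in (query.split("?") + [""] * 3)[:4])
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else DEFAULT_PORT[scheme],
        "base": base,
        # Defaults below are those documented for mod_authnz_ldap.
        "attribute": attr or "uid",
        "scope": scope or "sub",
        "filter": flt or "(objectClass=*)",
    }

def review(url):
    """Return (pieces, findings) for one AuthLDAPURL value."""
    pieces = parse_auth_ldap_url(url)
    findings = []
    if pieces["scheme"] == "ldap":
        # Bind and user passwords cross the network unencrypted unless
        # STARTTLS is configured separately.
        findings.append("cleartext-ldap")
    if pieces["filter"].replace(" ", "").lower() == "(objectclass=*)":
        findings.append("filter-matches-all-objects")
    if pieces["port"] not in GLOBAL_CATALOG_PORTS:
        # Only relevant for Active Directory: forest-wide searches need a Global Catalog.
        findings.append("not-global-catalog")
    return pieces, findings

# The guide's URL, and a constructed variant using ldaps, a Global Catalog port
# and the narrower (objectClass=user) filter.
PAGE_URL = "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
TIGHTER_URL = "ldaps://gc.your.domain:3269/DC=your,DC=domain?sAMAccountName?sub?(objectClass=user)"
```
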