Subversion configured for Windows Active Directory HTTPS

If you want to set up a Subversion server on a Windows machine that recognizes users from Microsoft Active Directory and uses secure HTTP (https) to communicate with clients, you can use the following setup as a template for your configuration.

Steps to follow:

1) Download and install Apache 2.2 + OpenSSL from http://www.apache.org. Use Apache 2.2 instead of Apache 2.0 if you want to connect to Active Directory.

2) Download the Apache 2.2-compatible binary version of Subversion from http://svn.tigris.org

3) Copy all DLLs and modules (.so files) from the subversion/bin directory to the apache2.2/modules directory.

4) Copy an existing svn repository or create a new one.

   To copy an existing repository:

    cd "c:\program files\subversion\bin"
    svnadmin hotcopy //computer/share/subversion/repositories/repo1 c:/subversion/repositories/repo1

   To create a new repository:

    svnadmin create c:/subversion/repositories/repo1

5) Create an authorization file: svn.authz

    [groups]
    group1 = harry,sally
    group2 = romeo,julia
    group3 = sally,julia

    # This file is an example authorization file for svnserve.
    # Its format is identical to that of mod_authz_svn authorization
    # files.
    # As shown below each section defines authorizations for the path and
    # (optional) repository specified by the section name.
    # The authorizations follow. An authorization line can refer to a
    # single user, to a group of users defined in a special [groups]
    # section, or to anyone using the '*' wildcard.  Each definition can
    # grant read ('r') access, read-write ('rw') access, or no access

    [/]
    @group1 = rw
    * = r

6) Create an SSL certificate

- The openssl.exe included with this version of Apache 2.2 does not seem to be configured well on Windows. To create a certificate you need a properly configured OpenSSL. For this example configuration of Subversion with https, the files Openssl-0.9.7e-Win32.zip and openssl.conf were downloaded from support.etouch.net.

- Run the following commands:

    openssl req -config openssl.cnf -new -out svn.example.com.csr
    openssl rsa -in privkey.pem -out svn.example.com.key
    openssl x509 -in svn.example.com.csr -out svn.example.com.cert -req -signkey svn.example.com.key -days 1000

  The first command writes the new private key to privkey.pem (the default key file named in openssl.cnf) and a certificate signing request; the second writes an unencrypted copy of the key so that Apache can start without a passphrase prompt, so restrict file permissions on it; the third self-signs the request for 1000 days.

- Copy the resulting *.cert and *.key files to the apache2.2/conf directory.
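The svn.authz file from step 5 is evaluated by mod_authz_svn on every request, so it helps to be able to predict what a given user ends up with on a given path before deploying it. The following is an added example (Python, not part of the original page or of Subversion): a small evaluator modelled on the documented mod_authz_svn resolution rules (the most specific matching path section decides, a repository-qualified section is consulted before the generic one for the same path, and within a section a rule naming the user beats a group rule, which beats the `*` wildcard). It is fed the page's svn.authz plus a constructed `leads` group and a constructed `[repo1:/secret]` section to show nested groups, explicit denial and path inheritance. The tie-breaking between two matching rules of the same kind (union of their rights) is an assumption of this model, not a documented guarantee.

```python
"""Evaluate an svn.authz file the way mod_authz_svn resolves access (model)."""
import configparser
import posixpath

# Constructed sample: the page's svn.authz plus a nested 'leads' group and a
# repo-specific [repo1:/secret] section (both added for this example).
SAMPLE_AUTHZ = """\
[groups]
group1 = harry,sally
group2 = romeo,julia
group3 = sally,julia
leads = @group1,romeo

[/]
@group1 = rw
* = r

[repo1:/secret]
harry =
@group2 = rw
"""


def parse_authz(text):
    """Return (groups, sections): groups maps name -> member list (members may
    be '@othergroup'); sections maps section name -> [(who, rights), ...]."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str                       # user/group names are case-sensitive
    cp.read_string(text)
    groups, sections = {}, {}
    for name in cp.sections():
        items = [(k, (v or "").strip()) for k, v in cp.items(name)]
        if name == "groups":
            groups = {g: [m.strip() for m in v.split(",") if m.strip()]
                      for g, v in items}
        else:
            sections[name] = items
    return groups, sections


def expand_group(groups, name, seen=None):
    """Set of users in group NAME, following nested @groups (cycle-safe)."""
    seen = seen if seen is not None else set()
    users = set()
    for member in groups.get(name, []):
        if member.startswith("@"):
            sub = member[1:]
            if sub not in seen:
                seen.add(sub)
                users |= expand_group(groups, sub, seen)
        else:
            users.add(member)
    return users


def section_rights(rules, groups, user):
    """Rights a section assigns USER (None = anonymous), or None if no rule
    in the section applies. Precedence: user rule > group rule > '*'.
    Same-kind matches are merged by union (assumption of this model)."""
    levels = {0: None, 1: None, 2: None}
    for who, rights in rules:
        if who == user:
            level = 0
        elif who.startswith("@") and user in expand_group(groups, who[1:]):
            level = 1
        elif who == "*":
            level = 2
        else:
            continue
        levels[level] = set(rights) | (levels[level] or set())
    for level in (0, 1, 2):
        if levels[level] is not None:
            return levels[level]
    return None


def access(authz, repo, path, user):
    """Effective rights ('', 'r' or 'rw') of USER on PATH in REPO: walk from
    the most specific path section upward until some section applies."""
    groups, sections = authz
    current = posixpath.normpath("/" + path.strip("/"))
    while True:
        for name in (f"{repo}:{current}", current):   # repo-specific first
            rules = sections.get(name)
            if rules is not None:
                rights = section_rights(rules, groups, user)
                if rights is not None:
                    return "".join(c for c in "rw" if c in rights)
        if current == "/":
            return ""                                  # nothing applies: denied
        current = posixpath.dirname(current)


if __name__ == "__main__":
    authz = parse_authz(SAMPLE_AUTHZ)
    for user in ("harry", "sally", "romeo", None):
        for path in ("/", "/trunk", "/secret/plan.txt"):
            print(f"{user or '<anonymous>':>11} repo1:{path:<18} -> "
                  f"{access(authz, 'repo1', path, user) or '(none)'}")
```

The point to notice is that `harry =` in `[repo1:/secret]` removes the read-write grant harry inherits through group1 for that subtree only, while sally, who matches no rule in that section, falls through to `[/]` and keeps read-write there; the same section has no effect on a second repository. For the real implementation, `svnauthz accessof` (shipped with Subversion 1.8 and later) answers the same question against the file.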

7) Edit apache/conf/httpd.conf

    LoadModule dav_module modules/mod_dav.so
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so
    LoadModule ldap_module modules/mod_ldap.so
    # mod_authnz_ldap provides the "ldap" AuthBasicProvider used below
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule ssl_module modules/mod_ssl.so

    SSLEngine on
    # stock Apache 2.2 cipher list; note that it still admits LOW and export-grade suites
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/svn.example.com.cert
    SSLCertificateKeyFile conf/svn.example.com.key
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    SSLOptions +StdEnvVars
    SSLOptions +StdEnvVars

    # redirect /repos to /repos/
    RedirectMatch ^(/repos)$ $1/

    <Location /repos>
        DAV svn
        # SVNPath c:/subversion/repositories/repo1
        SVNParentPath c:/subversion/repositories
        SVNListParentPath on
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthName "svn.example.com"
        AuthzSVNAccessFile c:/subversion/repositories/svn.authz

        # At least one of your domain controllers listens on port 3268 (besides the default
        # LDAP port 389). Use the server that listens on port 3268 if you have more than one
        # AD server: the service on port 389 uses referrals to the other AD servers, referrals
        # are followed anonymously, and anonymous binding will not work on most AD servers.
        AuthLDAPURL "ldap://dc.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"

        # This assumes you have created a dedicated bind user "apache_bind" in your Active Directory.
        AuthLDAPBindDN "CN=apache_bind,CN=users,DC=example,DC=com"

        # Warning: the password of the AD apache_bind user is stored here in plain text!
        AuthLDAPBindPassword [password_for_ad_user_apache_bind]

        #AuthLDAPFollowReferrals off
        AuthLDAPGroupAttributeIsDN on
        AuthLDAPGroupAttribute member
        SSLRequireSSL
        #require ldap-group CN=svnusers,CN=Users,DC=example,DC=com
        require valid-user
    </Location>
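The SSLCipherSuite line in step 7 is the stock Apache 2.2 value, and it is worth checking what it really enables: `ALL` selects everything except the NULL ciphers, `!` removes a class permanently, and a `+` prefix only reorders suites that are already selected. The following is an added example (Python, not from the original page, Apache or OpenSSL): a toy model of OpenSSL's cipher-string resolution run over a small constructed subset of the cipher table, evaluating the page's string beside a hardened one. The suite table and its keyword attributes are constructed for this example and the `@STRENGTH` sort is not modelled; the authoritative check is `openssl ciphers -v '<string>'` against the OpenSSL build your Apache actually loads.

```python
"""Toy model of OpenSSL cipher-string resolution, to audit an SSLCipherSuite."""

# Constructed subset of the OpenSSL cipher table: suite -> keywords selecting it.
# Dict order stands in for OpenSSL's default ordering.
SUITES = {
    "AES256-SHA":          {"HIGH", "RSA", "aRSA", "AES", "SHA1", "SSLv3"},
    "DHE-RSA-AES256-SHA":  {"HIGH", "EDH", "aRSA", "AES", "SHA1", "SSLv3"},
    "ADH-AES256-SHA":      {"HIGH", "ADH", "aNULL", "AES", "SHA1", "SSLv3"},
    "RC4-SHA":             {"MEDIUM", "RSA", "aRSA", "RC4", "SHA1", "SSLv3"},
    "RC4-MD5":             {"MEDIUM", "RSA", "aRSA", "RC4", "MD5", "SSLv2"},
    "DES-CBC-SHA":         {"LOW", "RSA", "aRSA", "DES", "SHA1", "SSLv3"},
    "EXP-RC4-MD5":         {"EXP", "EXPORT", "EXPORT40", "RSA", "aRSA", "RC4", "MD5", "SSLv3"},
    "EXP1024-DES-CBC-SHA": {"EXP", "EXPORT", "EXPORT56", "RSA", "aRSA", "DES", "SHA1", "SSLv3"},
    "NULL-SHA":            {"eNULL", "RSA", "aRSA", "SHA1", "SSLv3"},
}

# Keywords that mark a suite as weak: no encryption/authentication, export
# or low strength, SSLv2-only, RC4, single DES, MD5.
WEAK_MARKERS = {"eNULL", "aNULL", "EXP", "LOW", "SSLv2", "RC4", "DES", "MD5"}

PAGE_CIPHER_SUITE = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
HARDENED_CIPHER_SUITE = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!SSLv2:!RC4:!MD5"


def _matches(selector, attrs):
    """True if a '+'-joined selector such as 'RC4+RSA' matches a suite;
    every part must match. ALL means everything except eNULL suites."""
    for word in selector.split("+"):
        if word == "ALL":
            if "eNULL" in attrs:
                return False
        elif word == "COMPLEMENTOFALL":
            if "eNULL" not in attrs:
                return False
        elif word not in attrs:
            return False
    return True


def resolve_cipher_string(rule_string, suites=SUITES):
    """Return the ordered list of suites the string enables under the model."""
    active, killed = [], set()
    for token in rule_string.split(":"):
        if not token or token.startswith("@"):
            continue                         # '@STRENGTH' only re-sorts; not modelled
        op, selector = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hit = [s for s, attrs in suites.items() if _matches(selector, attrs)]
        if op == "!":                        # remove and forbid later re-adding
            killed.update(hit)
            active = [s for s in active if s not in hit]
        elif op == "-":                      # remove, a later rule may re-add
            active = [s for s in active if s not in hit]
        elif op == "+":                      # move already-active matches to the end
            active = [s for s in active if s not in hit] + [s for s in active if s in hit]
        else:                                # add matches not yet active or killed
            active += [s for s in hit if s not in active and s not in killed]
    return active


def weak_suites(rule_string, suites=SUITES):
    """Suites the string enables that carry at least one weak marker."""
    return [s for s in resolve_cipher_string(rule_string, suites)
            if suites[s] & WEAK_MARKERS]


if __name__ == "__main__":
    for label, rule in (("page", PAGE_CIPHER_SUITE), ("hardened", HARDENED_CIPHER_SUITE)):
        print(f"{label}: enabled={resolve_cipher_string(rule)} weak={weak_suites(rule)}")
```

Against this table the page's string keeps DES-CBC-SHA (LOW), RC4-MD5 (SSLv2-only) and the 40-bit EXP-RC4-MD5, because `ALL` brought them in and only ADH and EXPORT56 were ever removed; `+eNULL` is a no-op since no NULL suite was selected to begin with. A string that starts from HIGH and explicitly kills the weak classes leaves only the AES suites.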

8) Apply the LDAP patch for MS AD

When a Microsoft Active Directory connection times out, the server sends a TCP RST instead of a TCP FIN to the client. There is a workaround for this MS AD bug in Apache mod_ldap, see http://www.apachelounge.com/forum/viewtopic.php?t=1995 or download http://www.anneb.dds.nl/httpd-2.2.6_ldappatch_win32_vc6.zip. Replace the Apache modules mod_ldap.so and mod_authnz_ldap.so with the files from the downloaded zip file.

This configuration allows you to add more than one repository in the directory c:/subversion/repositories. All repositories are listed in the browser at https://svn.example.com/repos. User names and passwords are validated against Active Directory. Standard svn clients cannot browse the list of repositories; use the full path to a particular repository instead, for instance https://svn.example.com/repos/repo1.

9) Binary files cannot be easily merged. The lock-modify-unlock versioning model seems to be the only appropriate model for this type of file. Follow the instructions in Setting up lock-modify-unlock. That description also includes the client- and server-side configuration needed to accommodate the lock-modify-unlock model for binary files.

10) Force users to set the svn:needs-lock property on new binary files

Binary files cannot be merged, so their versioning should follow the lock-modify-unlock model. You can enforce this model for binary files by following the description of how to set up automatic lock-modify-unlock.