Subversion configured for Windows Active Directory HTTPS: Difference between revisions

From SubversionWiki
Latest revision as of 17:02, 3 June 2011

If you want to set up a Subversion server on a Windows machine that recognizes users from Microsoft Active Directory and uses secure HTTP (https) to communicate with clients, you can use the following setup as a template for your configuration. Alternatively, download VisualSVN Server from http://www.visualsvn.com/server/, which has https and Active Directory integration working out of the box. Another alternative to VisualSVN Server is uberSVN (http://www.ubersvn.com/download), a platform for Subversion and other ALM tools that plug straight into it; it also comes with a wizard for simple installation and maintenance.

Steps to follow:

1) Download and install Apache 2.2 + OpenSSL from http://www.apache.org. Make sure to use Apache 2.2 instead of Apache 2.0 if you want to connect to Active Directory.

2) Download the Apache 2.2 binary-compatible version of svn from http://svn.tigris.org

3) Copy all DLLs and modules (.so files) from the subversion/bin directory to the apache2.2/modules directory

4) Copy an existing svn repository or create a new repository

COPY:

cd "c:\program files\subversion\bin"
svnadmin hotcopy //computer/share/subversion/repositories/repo1 c:/subversion/repositories/repo1

CREATE:

svnadmin create c:/subversion/repositories/repo1

5) Create an authorization file: svn.authz

### This file is an example authorization file for svnserve.
### Its format is identical to that of mod_authz_svn authorization
### files.
### As shown below each section defines authorizations for the path and
### (optional) repository specified by the section name.
### The authorizations follow. An authorization line can refer to a
### single user, to a group of users defined in a special [groups]
### section, or to anyone using the '*' wildcard.  Each definition can
### grant read ('r') access, read-write ('rw') access, or no access
### ('').
[groups]
group1 = harry,sally
group2 = romeo,julia
group3 = sally,julia

[/]
* = r
@group1 = rw
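As an added example that is not part of the wiki page, the following Python evaluates an svn.authz file in the format of step 5 the way mod_authz_svn does: the most specific path section wins, a repository-specific `[repo:/path]` section is consulted before the global `[/path]` one, and within a section the permissions of every rule matching the user (directly, via a group, or via `*`) are combined. The `[repo1:/secrets]` section and the `romeo =` rule are constructed additions to the page's file; nested groups and the `~` negation syntax are not handled.

```python
import configparser
# Constructed copy of the step 5 svn.authz, plus one repository-specific section.
AUTHZ_TEXT = """
[groups]
group1 = harry,sally
group2 = romeo,julia
group3 = sally,julia
[/]
* = r
@group1 = rw
[repo1:/secrets]
@group3 = rw
romeo =
"""

def parse_authz(text):
    """Return ({group: members}, {section: {rule: perms}}); nested groups are not handled."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # authz names are case-sensitive: do not lowercase them
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",") if m.strip()} for g, v in cp.items("groups")}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, rules

def rule_applies(key, user, groups):
    # '*' matches everyone, anonymous (user=None) included; '@g' matches the members of g.
    if key == "*":
        return True
    if user is None:
        return False
    return user in groups.get(key[1:], set()) if key.startswith("@") else key == user

def section_access(rules, groups, section, user):
    # Union of the permissions of every matching rule; None when no rule matches.
    perms = None
    for key, value in rules.get(section, {}).items():
        if rule_applies(key, user, groups):
            perms = (perms or set()) | set(value.strip())
    return perms

def access(groups, rules, repo, path, user):
    """Walk from `path` up to '/', checking [repo:path] before [path] at each level;
    the first section mentioning the user (directly, via a group or '*') decides."""
    while True:
        for section in (f"{repo}:{path}", path):
            perms = section_access(rules, groups, section, user)
            if perms is not None:
                return perms
        if path == "/":
            return set()  # no rule anywhere: no access at all
        path = path.rsplit("/", 1)[0] or "/"
```

Because `* = r` applies to every authenticated account and the httpd.conf in step 7 uses `require valid-user`, any Active Directory user that can log in reads every repository under SVNParentPath; running `access()` for the paths you care about shows this before the server goes live.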

6) Create an SSL certificate

- The openssl.exe included with this version of Apache 2.2 does not seem to be configured well on Windows. In order to create a certificate, you need a well configured version of OpenSSL. For this example configuration of Subversion with https, the file Openssl-0.9.7e-Win32.zip (http://support.etouch.net/cm/wiki/support.Downloads.wiki/1021721main_Openssl-0.9.7e-Win32.zip) combined with the file openssl.cnf (http://support.etouch.net/cm/wiki/support.Downloads.wiki/1021722main_openssl.cnf) were downloaded from support.etouch.net (http://support.etouch.net/cm/wiki/support.Downloads.wiki/home/Enabling%20SSL%20with%20Apache%20on%20Windows%202003%20for%20SamePage.html).

- Run the following commands. The first writes a passphrase-protected private key to privkey.pem together with the certificate request, the second strips the passphrase from the key so Apache can start unattended, and the third self-signs the request for 1000 days:

openssl req -config openssl.cnf -new -out svn.example.com.csr
openssl rsa -in privkey.pem -out svn.example.com.key
openssl x509 -in svn.example.com.csr -out svn.example.com.cert -req -signkey svn.example.com.key -days 1000

- Copy the resulting *.cert and *.key files to the apache2.2/conf directory. The .key file is now unencrypted, so make sure only the Apache service account can read it.


7) Edit apache/conf/httpd.conf

LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule ldap_module modules/mod_ldap.so
#mod_authnz_ldap provides the "ldap" provider named in AuthBasicProvider below;
#mod_ldap on its own only supplies the LDAP connection pool and cache
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ssl_module modules/mod_ssl.so

<VirtualHost _default_:443>
SSLEngine on
#stock Apache 2.2 cipher list: "ALL" still admits SSLv2, export-grade and LOW ciphers
#(the "+" terms only change their order), so tighten it on a production server
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/svn.example.com.cert
SSLCertificateKeyFile conf/svn.example.com.key
#<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
#    SSLOptions +StdEnvVars
#</FilesMatch>
#<Directory "C:/Program Files/Apache Group/Apache2/cgi">
#    SSLOptions +StdEnvVars
#</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#redirect /repos to /repos/
RedirectMatch ^(/repos)$ $1/

<Location /repos/>
  DAV svn
  # SVNPath c:/subversion/repositories/repo1
  SVNParentPath c:/subversion/repositories
  SVNListParentPath on
  Order allow,deny
  Allow from all

  AuthType Basic
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative off
  AuthName "svn.example.com"
  AuthzSVNAccessFile c:/subversion/repositories/svn.authz

  #at least one of your domain controllers listens on port 3268 (the global catalog port, besides the default ldap port 389).
  #use the server that listens on port 3268 if you have more than one AD server. The service
  #on port 389 uses referrals to the other AD servers. Referrals are followed anonymously, and anonymous
  #binding will not work on most AD servers.
  #note: with ldap:// the bind password and every user's password travel to the DC unencrypted;
  #use ldaps:// (the global catalog over SSL listens on port 3269) where the DC has a certificate
  AuthLDAPURL "ldap://dc.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"

  #this assumes you have created a dedicated bind user "apache_bind" in your Active Directory
  AuthLDAPBindDN "CN=apache_bind,CN=users,DC=example,DC=com"

  #warning: the password for the AD apache_bind user is stored here in plain text, so give that
  #account no more than read access to the directory and restrict who can read httpd.conf
  AuthLDAPBindPassword [password_for_ad_user_apache_bind]

  #AuthLDAPFollowReferrals off

  AuthLDAPGroupAttributeIsDN on
  AuthLDAPGroupAttribute member
  SSLRequireSSL
  #"require valid-user" admits every account that authenticates against AD; together with "* = r"
  #in svn.authz that gives all domain users read access to all repositories. To limit access to the
  #members of one AD group, uncomment the ldap-group line and comment out valid-user.
  #require ldap-group CN=svnusers,CN=Users,DC=example,DC=com
  require valid-user
</Location>
</VirtualHost>

8) Apply ldap patch for MS-AD

When a Microsoft Active Directory connection times out, the server sends a TCP RST instead of a TCP FIN to the client. There is a workaround for this MS AD bug in Apache mod_ldap, see http://www.apachelounge.com/forum/viewtopic.php?t=1995 or download http://www.anneb.dds.nl/httpd-2.2.6_ldappatch_win32_vc6.zip and replace the Apache modules mod_ldap.so and mod_authnz_ldap.so with the files from the downloaded zip file.

This configuration allows you to add more than one repository in the directory c:/subversion/repositories. All repositories are listed in the browser using the URL https://svn.example.com/repos. User names and passwords are validated against Active Directory. Standard svn clients cannot browse the list of repositories; use the full path to a particular repository instead, for instance https://svn.example.com/repos/repo1.

9) Force users to set the svn:needs-lock property on new binary files

Binary files cannot be merged, so versioning them should follow the lock-modify-unlock model (http://svnbook.red-bean.com/en/1.4/svn.basic.vsn-models.html#svn.basic.vsn-models.lock-unlock). You can force this model for binary files by following the description on how to set up Automatic lock-modify-unlock, which also covers the client and server side configuration needed for the lock-modify-unlock model.