Subversion configured for Windows Active Directory HTTPS

From SubversionWiki
Revision as of 11:49, 7 September 2008 by Fyodor (talk | contribs) (Added link to VisualSVN Server)

If you want to set up a Subversion server on a Windows machine that recognizes users from Microsoft Active Directory and uses secure HTTP (https) to communicate with clients, you can use the following setup as a template for your configuration. Alternatively, download VisualSVN Server from , which has https and Active Directory integration working out of the box.

Steps to follow:

1) Download and install Apache 2.2 with OpenSSL from . Use Apache 2.2 rather than Apache 2.0 if you want to connect to Active Directory.

2) Download the Apache 2.2 binary-compatible version of Subversion from

3) Copy all DLLs and modules (.so files) from the subversion/bin directory to the apache2.2/modules directory

4) Copy an existing svn repository or create a new one

To copy an existing repository (a hotcopy is a consistent, lock-safe copy of a live repository):

cd "c:\program files\subversion\bin"
svnadmin hotcopy //computer/share/subversion/repositories/repo1 c:/subversion/repositories/repo1

To create a new, empty repository instead:

svnadmin create c:/subversion/repositories/repo1

5) Create an authorization file: svn.authz

### This file is an example authorization file for svnserve.
### Its format is identical to that of mod_authz_svn authorization
### files.
### As shown below each section defines authorizations for the path and
### (optional) repository specified by the section name.
### The authorizations follow. An authorization line can refer to a
### single user, to a group of users defined in a special [groups]
### section, or to anyone using the '*' wildcard.  Each definition can
### grant read ('r') access, read-write ('rw') access, or no access
### ('').
[groups]
group1 = harry,sally
group2 = romeo,julia
group3 = sally,julia

### Rules for the root path of every repository under SVNParentPath
[/]
* = r
@group1 = rw
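To see how rules in this format are evaluated, here is an added Python evaluator (not part of the original page or of Subversion itself) that parses a constructed svn.authz with the groups and rules from above plus one repository-specific path section, and returns a user's effective access for a repository path. It assumes the precedence documented for Subversion 1.10 and later (explicit user rule, then the user's group rules, then '*') and that the most specific matching path wins.

```python
import configparser
# Constructed sample in mod_authz_svn format: [groups] and [/] mirror the svn.authz
# of step 5; the repo1-specific section is added to show path precedence.
SAMPLE_AUTHZ = """
[groups]
group1 = harry,sally
group2 = romeo,julia
group3 = sally,julia
[/]
* = r
@group1 = rw
[repo1:/trunk/secret]
* =
@group3 = r
"""

def parse_authz(text):
    # Only '=' separates key and value (':' appears in repo:/path section names);
    # keys stay case-sensitive, as Subversion treats them.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def groups_of(cp, user):
    return {g for g, members in cp["groups"].items()
            if user in [m.strip() for m in members.split(",")]}

def rule_in_section(section, user, user_groups):
    # Precedence within a section (assumed, per Subversion 1.10+ documentation):
    # explicit user rule, then union of the user's group rules, then '*'.
    if user in section:
        return section[user].strip()
    grants = [section["@" + g] for g in sorted(user_groups) if "@" + g in section]
    if grants:
        return "".join(c for c in "rw" if any(c in g for g in grants))
    return section["*"].strip() if "*" in section else None

def access(cp, user, repo, path):
    # Walk from the requested path up to '/'; at each level the repo-specific
    # section beats the generic one, and the first applicable rule decides.
    parts = [p for p in path.split("/") if p]
    user_groups = groups_of(cp, user)
    while True:
        current = "/" + "/".join(parts)
        for name in (f"{repo}:{current}", current):
            if cp.has_section(name):
                rule = rule_in_section(cp[name], user, user_groups)
                if rule is not None:
                    return rule
        if not parts:
            return ""  # no rule anywhere: no access
        parts.pop()
```

Because the httpd.conf in step 7 ends with require valid-user, the '*' rule only ever reaches users Apache has already authenticated against Active Directory.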

6) Create an SSL certificate

- The openssl.exe included with this version of Apache 2.2 does not seem to be configured well on Windows. In order to create a certificate, you need a well configured version of OpenSSL. For this example configuration of Subversion with https, the file [1] together with the file openssl.conf [2] were downloaded from [3].

- Run the following commands:

openssl req -config openssl.cnf -new -out
openssl rsa -in privkey.pem -out
openssl x509 -in -out -req -signkey -days 1000

- Copy the resulting *.cert and *.key files to the apache2.2/conf directory.

7) Edit apache/conf/httpd.conf

LoadModule dav_module modules/
LoadModule dav_svn_module modules/
LoadModule authz_svn_module modules/
LoadModule ldap_module modules/
LoadModule ssl_module modules/

<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile conf/
SSLCertificateKeyFile conf/
#<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
#    SSLOptions +StdEnvVars
#</FilesMatch>
#<Directory "C:/Program Files/Apache Group/Apache2/cgi">
#    SSLOptions +StdEnvVars
#</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#redirect /repos to /repos/
RedirectMatch ^(/repos)$ $1/

<Location /repos/>
  DAV svn
  # SVNPath c:/subversion/repositories/repo1
  SVNParentPath c:/subversion/repositories
  SVNListParentPath on
  Order allow,deny
  Allow from all
  AuthType Basic
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative off
  AuthName ""
  AuthzSVNAccessFile c:/subversion/repositories/svn.authz

  #at least one of your domain servers listens on port 3268 (besides default ldap port 389)
  #use the server that listens on port 3268 if you have more than one AD server. The service
  #on port 389 uses referrals to the other AD servers. Referrals are used anonymously. Anonymous
  #binding will not work on most AD-servers.
  #note: with a plain ldap:// URL the bind password and every user's Basic-auth credentials
  #travel to the domain controller unencrypted; the global catalog also accepts LDAPS on port 3269.
  AuthLDAPURL "ldap://,DC=com?sAMAccountName?sub?(objectClass=*)"

  #this assumes you have created a dedicated bind user "apache_bind" on your active directory
  AuthLDAPBindDN "CN=apache_bind,CN=users,DC=example,DC=com"

  #warning: this password for AD apache_bind user is in plain text!
  AuthLDAPBindPassword [password_for_ad_user_apache_bind]

  #AuthLDAPFollowReferrals off
  AuthLDAPGroupAttributeIsDN on
  AuthLDAPGroupAttribute member
  #require ldap-group CN=svnusers,CN=Users,DC=example,DC=com
  require valid-user
</Location>
</VirtualHost>

8) Apply the LDAP patch for MS AD

When a connection to Microsoft Active Directory times out, the server sends a TCP RST instead of a TCP FIN to the client. There is a workaround for this MS AD bug in Apache mod_ldap; see or download . Replace the Apache modules and with the files from the downloaded zip file.

This configuration allows you to add more than one repository under the directory c:/subversion/repositories. All repositories are listed in the browser using the URL . User names and passwords are validated against Active Directory. Standard svn clients cannot browse the list of repositories; instead, use the full path to a particular repository, for instance

9) Binary files cannot be easily merged. The lock-modify-unlock versioning model seems to be the only appropriate model for these types of files. Follow the instructions in Setting up lock-modify-unlock. That description also includes the client- and server-side configuration needed to accommodate the lock-modify-unlock model for binary files.

9) Force users to set the svn:needs-lock property on new binary files

Binary files cannot be merged, so their versioning should follow the lock-modify-unlock model [4]. You can enforce this model for binary files by following the description of how to set up automatic lock-modify-unlock.