Subversion configured for Windows Active Directory HTTPS

From SubversionWiki

If you want to set up a Subversion server on a Windows machine that recognizes users from Microsoft Active Directory and uses secure HTTP (https) to communicate with clients, you can use the following setup as a template for your configuration. Alternatively, download VisualSVN Server from http://www.visualsvn.com/server/, which has https and Active Directory integration working out of the box. Another alternative to VisualSVN Server is uberSVN (http://www.ubersvn.com/download), a platform for Subversion into which other ALM tools can be plugged directly; it also comes with a wizard for simple installation and maintenance.

Steps to follow:

1) Download and install Apache 2.2 with OpenSSL from http://www.apache.org. Use Apache 2.2 rather than Apache 2.0 if you want to connect to Active Directory.

2) Download the Apache 2.2 binary-compatible version of svn from http://svn.tigris.org

3) Copy all DLLs and modules (.so files) from the subversion/bin directory to the apache2.2/modules directory

4) Copy an existing svn repository or create a new repository

COPY:

cd "c:\program files\subversion\bin"
svnadmin hotcopy //computer/share/subversion/repositories/repo1 c:/subversion/repositories/repo1

CREATE:

svnadmin create c:/subversion/repositories/repo1

5) Create an authorization file: svn.authz

### This file is an example authorization file for svnserve.
### Its format is identical to that of mod_authz_svn authorization
### files.
### As shown below each section defines authorizations for the path and
### (optional) repository specified by the section name.
### The authorizations follow. An authorization line can refer to a
### single user, to a group of users defined in a special [groups]
### section, or to anyone using the '*' wildcard.  Each definition can
### grant read ('r') access, read-write ('rw') access, or no access
### ('').
[groups]
group1 = harry,sally
group2 = romeo,julia
group3 = sally,julia

[/]
* = r
@group1 = rw
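To see what an svn.authz file actually grants before it goes behind Apache, here is an added evaluator (example code, not part of this page or of Subversion). It reproduces the lookup mod_authz_svn performs over the sample file above plus one constructed repository-specific section, [repo1:/trunk/secret], that locks a subtree down for everyone but group3. The precedence it applies inside a section (a rule naming the user beats @group rules, which beat the '*', $authenticated and $anonymous wildcards; rights of several matching rules of the same kind are merged) is the behaviour documented for Subversion 1.10 and later and is taken here as an assumption; the subtree scan Subversion performs for recursive operations and &alias rules are not modelled.

```python
"""Evaluate what an svn.authz file grants, the way mod_authz_svn looks it up.

Added example, not from the wiki page or from Subversion. Assumed precedence
inside a section (Subversion 1.10+ documented behaviour): user rule beats
@group rules, which beat '*' / $authenticated / $anonymous; rights of several
matching rules of the same kind are merged.
"""
import configparser

# Constructed sample: the svn.authz from step 5 plus one repository-specific
# section that locks down a subtree of repo1 for everyone but group3.
SAMPLE_AUTHZ = """\
[groups]
group1 = harry,sally
group2 = romeo,julia
group3 = sally,julia

[/]
* = r
@group1 = rw

[repo1:/trunk/secret]
* =
@group3 = rw
"""


def load_authz(text):
    """Parse into (groups: name -> member set, sections: name -> {rule: rights})."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   allow_no_value=True)
    cp.optionxform = str                      # user and group names are case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp["groups"].items():
            groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
    # [aliases] (&name rules) is skipped; it is not modelled here.
    sections = {sec: {rule: set((rights or "").strip()) for rule, rights in cp[sec].items()}
                for sec in cp.sections() if sec not in ("groups", "aliases")}
    return groups, sections


def members_of(group, groups, _seen=None):
    """Expand a group, following nested @group references without looping."""
    _seen = _seen if _seen is not None else set()
    users = set()
    for m in groups.get(group, ()):
        if m.startswith("@"):
            if m[1:] not in _seen:
                _seen.add(m[1:])
                users |= members_of(m[1:], groups, _seen)
        else:
            users.add(m)
    return users


def rule_rank(rule, user, groups):
    """0 = user rule, 1 = group rule, 2 = wildcard when the rule applies; else None."""
    if rule.startswith("@"):
        return 1 if user is not None and user in members_of(rule[1:], groups) else None
    if rule == "*":
        return 2
    if rule == "$authenticated":
        return 2 if user is not None else None
    if rule == "$anonymous":
        return 2 if user is None else None
    return 0 if rule == user else None


def section_rights(rules, user, groups):
    """Rights the section grants the user, or None if no rule in it applies."""
    by_rank = {}
    for rule, rights in rules.items():
        rank = rule_rank(rule, user, groups)
        if rank is not None:
            by_rank.setdefault(rank, set()).update(rights)
    return by_rank[min(by_rank)] if by_rank else None   # most specific kind decides


def lookup(text, user, repo, path, required="r"):
    """True if `user` (None = anonymous) holds every right in `required` on repo:path.
    Walks from the path up to '/', trying [repo:path] before [path] at each level;
    the first section with an applicable rule decides, and no match means deny."""
    groups, sections = load_authz(text)
    path = "/" + path.strip("/")
    while True:
        for name in (f"{repo}:{path}", path):
            rights = section_rights(sections[name], user, groups) if name in sections else None
            if rights is not None:
                return set(required) <= rights
        if path == "/":
            return False
        path = path.rsplit("/", 1)[0] or "/"


if __name__ == "__main__":
    for user, path, need in (("harry", "/trunk", "rw"), ("romeo", "/trunk", "rw"),
                             ("harry", "/trunk/secret/key.bin", "r"),
                             ("sally", "/trunk/secret", "rw")):
        print(f"{user:6} {need:2} {path:24} -> {lookup(SAMPLE_AUTHZ, user, 'repo1', path, need)}")
```

Note that with `* = r` at the root, an anonymous reader is granted read by the authz file itself; it is the `require valid-user` in httpd.conf that keeps unauthenticated clients out, so both files have to agree on the policy.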

6) Create an SSL certificate

- The openssl.exe included with this version of Apache 2.2 does not seem to be configured properly on Windows. To create a certificate you need a properly configured OpenSSL. For this example configuration of Subversion with https, the file Openssl-0.9.7e-Win32.zip[1] together with the file openssl.conf[2] were downloaded from support.etouch.net[3].

- Run the following commands (the request step writes the private key to privkey.pem, which the second command rewrites as svn.example.com.key; the last step self-signs the request for 1000 days):

openssl req -config openssl.cnf -new -out svn.example.com.csr
openssl rsa -in privkey.pem -out svn.example.com.key
openssl x509 -in svn.example.com.csr -out svn.example.com.cert -req -signkey svn.example.com.key -days 1000

- Copy the resulting *.cert and *.key files to the apache2.2/conf directory

7) Edit apache/conf/httpd.conf

LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule ssl_module modules/mod_ssl.so

<VirtualHost _default_:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/svn.example.com.cert
SSLCertificateKeyFile conf/svn.example.com.key
#<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
#    SSLOptions +StdEnvVars
#</FilesMatch>
#<Directory "C:/Program Files/Apache Group/Apache2/cgi">
#    SSLOptions +StdEnvVars
#</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0


#redirect /repos to /repos/
RedirectMatch ^(/repos)$ $1/

<Location /repos/>
  DAV svn
  # SVNPath c:/subversion/repositories/repo1
  SVNParentPath c:/subversion/repositories
  SVNListParentPath on
  Order allow,deny
  Allow from all
  AuthType Basic
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative off
  AuthName "svn.example.com"
  AuthzSVNAccessFile c:/subversion/repositories/svn.authz

  #at least one of your domain controllers listens on port 3268 (the global catalog) besides the default LDAP port 389.
  #Use the server that listens on port 3268 if you have more than one AD server: the service on port 389
  #answers with referrals to the other AD servers, referrals are followed anonymously, and anonymous
  #binding does not work on most AD servers.
  AuthLDAPURL "ldap://dc.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"

  #this assumes you have created a dedicated bind user "apache_bind" on your active directory
  AuthLDAPBindDN "CN=apache_bind,CN=users,DC=example,DC=com"

  #warning: this password for AD apache_bind user is in plain text!
  AuthLDAPBindPassword [password_for_ad_user_apache_bind]

  #AuthLDAPFollowReferrals off
  
  AuthLDAPGroupAttributeIsDN on
  AuthLDAPGroupAttribute member
  SSLRequireSSL
  #require ldap-group CN=svnusers,CN=Users,DC=example,DC=com
  require valid-user
</Location>
</VirtualHost>
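Several settings in the httpd.conf above deserve a check before the server goes live: the SSLCipherSuite line is the Apache 2.2 default of its day and leaves export-grade, LOW, RC4 and SSLv2 suites selectable; AuthLDAPBindPassword is a literal in the file (as the comment warns); and the connection to the domain controller is plain ldap://, so the bind DN password and every user's Basic-auth password travel to the DC unencrypted. The checker below is an added example (not from the wiki page or from Apache). It parses a trimmed copy of the configuration above with a constructed placeholder password, reports those three points, flags Basic auth that lacks SSLRequireSSL, and notes when `require valid-user` admits every AD account. The `exec:` prefix it suggests for AuthLDAPBindPassword is available from Apache 2.4.5 on.

```python
"""Audit an Apache Subversion/LDAP vhost for the weak spots discussed above.

Added example, not code from the wiki page or from Apache. Only the directives
this page uses are inspected; SAMPLE_CONF is a trimmed copy of the step 7
configuration with a constructed placeholder password.
"""
import re

SAMPLE_CONF = """\
<VirtualHost _default_:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/svn.example.com.cert
SSLCertificateKeyFile conf/svn.example.com.key
<Location /repos/>
  DAV svn
  SVNParentPath c:/subversion/repositories
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://dc.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN "CN=apache_bind,CN=users,DC=example,DC=com"
  AuthLDAPBindPassword PLACEHOLDER_BIND_PASSWORD
  SSLRequireSSL
  require valid-user
</Location>
</VirtualHost>
"""

# OpenSSL cipher-list tokens that should only ever appear negated ('!').
WEAK_CIPHER_TOKENS = {"LOW", "EXP", "EXPORT", "eNULL", "aNULL", "SSLv2", "RC4", "DES"}


def weak_ciphers(spec):
    """Weak cipher classes the spec mentions without excluding them."""
    weak = set()
    for element in spec.split(":"):
        if element[:1] in "!-":           # '!' and '-' remove the class; skip those
            continue
        for token in element.lstrip("+").split("+"):
            if token in WEAK_CIPHER_TOKENS:
                weak.add(token)
    return weak


def parse_directives(text):
    """Yield (enclosing Location or None, lower-cased directive, args) per line."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opener = re.match(r"<(\w+)\s+([^>]*)>$", line)
        if opener:
            stack.append((opener.group(1), opener.group(2).strip()))
            continue
        if re.match(r"</\w+>$", line):
            stack.pop()
            continue
        parts = line.split(None, 1)
        location = next((arg for kind, arg in stack if kind == "Location"), None)
        yield location, parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""


def audit(text):
    """Return a list of human-readable findings for the configuration text."""
    findings = []
    locations = {}
    for location, directive, args in parse_directives(text):
        if directive == "sslciphersuite":
            weak = weak_ciphers(args)
            if weak:
                findings.append("SSLCipherSuite does not exclude weak cipher classes "
                                f"({', '.join(sorted(weak))}); add !LOW:!EXP:!eNULL:!aNULL:!RC4")
        if location is not None:
            locations.setdefault(location, {})[directive] = args
    for location, dirs in locations.items():
        pw = dirs.get("authldapbindpassword")
        if pw is not None and not pw.startswith("exec:"):
            findings.append(f"{location}: AuthLDAPBindPassword is a literal in httpd.conf; "
                            "restrict the file's ACL or use exec: (Apache 2.4.5+)")
        url = dirs.get("authldapurl", "")
        mode = url.split()[-1].upper() if url else ""   # optional trailing NONE/SSL/TLS/STARTTLS
        if url.strip('"').startswith("ldap://") and mode not in ("TLS", "STARTTLS", "SSL"):
            findings.append(f"{location}: bind DN password and users' Basic-auth passwords "
                            "reach the DC unencrypted; use ldaps:// or append STARTTLS")
        if dirs.get("authtype", "").lower() == "basic" and "sslrequiressl" not in dirs:
            findings.append(f"{location}: Basic auth without SSLRequireSSL")
        if dirs.get("require", "").lower() == "valid-user":
            findings.append(f"{location}: require valid-user accepts every AD account; "
                            "pair it with an authz file that denies by default or use ldap-group")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("-", finding)
```

Run it against the real httpd.conf by reading the file into `audit()`; the `require valid-user` note is informational, since the authz file in step 5 is what decides per-path access once a user has authenticated.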

8) Apply the LDAP patch for MS AD

When a Microsoft Active Directory server times out a connection, it sends a TCP RST instead of a TCP FIN to the client. There is a workaround for this MS AD bug in Apache mod_ldap; see http://www.apachelounge.com/forum/viewtopic.php?t=1995 or download http://www.anneb.dds.nl/httpd-2.2.6_ldappatch_win32_vc6.zip. Replace the Apache modules mod_ldap.so and mod_authnz_ldap.so with the files from the downloaded zip file.

This configuration allows you to add more than one repository in the directory c:/subversion/repositories. All repositories are listed in the browser at the URL https://svn.example.com/repos. User names and passwords are validated against Active Directory. Standard svn clients cannot browse the list of repositories; instead, use the full path to a particular repository, for instance https://svn.example.com/repos/repo1.

9) Binary files cannot be easily merged. The lock-modify-unlock versioning model seems to be the only appropriate model for this type of file. Follow the instructions in Setting up lock-modify-unlock; that description also includes the client- and server-side configuration needed to accommodate the lock-modify-unlock model for binary files.

10) Force users to set the svn:needs-lock property on new binary files

Binary files cannot be merged. Versioning should follow the lock-modify-unlock model[4]. You can enforce this model for binary files by following the description of how to set up Automatic lock-modify-unlock.
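One way to enforce step 10 on the server side is a pre-commit hook that rejects any added binary file lacking svn:needs-lock. The script below is an added example, not code from the wiki page or from the Automatic lock-modify-unlock description it refers to. It assumes svnlook is on the PATH and that, on Windows, the repository's hooks\pre-commit.bat calls `python "%~dp0check_needs_lock.py" %1 %2` and exits with its return code (both names are assumptions). Subversion's own rule, that a file whose svn:mime-type is set to anything other than text/* is binary, is what the policy applies; the policy function takes plain tuples so it can be exercised without a repository.

```python
"""pre-commit check: reject new binary files that lack svn:needs-lock.

Added example, not from the wiki page. Assumed wiring: hooks\\pre-commit.bat
runs  python "%~dp0check_needs_lock.py" %1 %2  and exits with its return code.
"""
import subprocess
import sys


def missing_needs_lock(changes):
    """changes: (action, path, mime_type, has_needs_lock) per changed node.
    Subversion treats a file as binary when svn:mime-type is set to anything
    other than text/*; return the added binary files without svn:needs-lock."""
    return [
        path for action, path, mime, has_lock in changes
        if action == "A"
        and not path.endswith("/")                  # added directories end with '/'
        and mime is not None and not mime.startswith("text/")
        and not has_lock
    ]


def svnlook(repo, txn, subcommand, *extra):
    """Run an svnlook subcommand against transaction `txn`; None when it fails
    (svnlook propget exits non-zero when the property is absent)."""
    proc = subprocess.run(["svnlook", subcommand, "-t", txn, repo, *extra],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


def collect_changes(repo, txn):
    """Build the tuples missing_needs_lock() expects from a live transaction."""
    changes = []
    for line in (svnlook(repo, txn, "changed") or "").splitlines():
        action, path = line[0], line[4:]             # e.g. "A   trunk/logo.png"
        mime = svnlook(repo, txn, "propget", "svn:mime-type", path)
        lock = svnlook(repo, txn, "propget", "svn:needs-lock", path)
        changes.append((action, path, mime.strip() if mime else None, lock is not None))
    return changes


if __name__ == "__main__":
    repo, txn = sys.argv[1], sys.argv[2]
    offenders = missing_needs_lock(collect_changes(repo, txn))
    for path in offenders:
        sys.stderr.write(f"{path}: binary file added without svn:needs-lock\n")
    sys.exit(1 if offenders else 0)
```

Anything written to stderr by a pre-commit hook is shown to the committing user, so the message tells them exactly which file to fix with `svn propset svn:needs-lock '*' <file>` before retrying.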