svn passwordless authentication - using SSL trust

Question

I have the SVN server running under Apache over HTTPS
Heres my server-side config, "/etc/httpd/conf.d/subversion.conf":

<Location />
  SSLRequireSSL
  SSLCACertificatePath /etc/pki/CA
  SSLCACertificateFile /etc/pki/CA/cacert.pem
  SSLVerifyClient optional
  SSLUserName SSL_CLIENT_S_DN_CN
  SetOutputFilter DEFLATE
  Satisfy Any
  AuthBasicProvider file ldap
  AuthzLDAPAuthoritative off
  AuthType Basic
  AuthName "SVN users enter password"
  AuthLDAPURL ldap://ldap.exmaple.com:389/ou=employees,ou=people,o=example.com
  AuthGroupFile /var/www/auth/group
  AuthUserFile /var/www/auth/passwd
  Require valid-user
</Location>

This config accepts the PKCS12 certificate auth while checkout over HTTPS.
And accepts LDAP authentication while checkout over HTTP.

My issue now is how do i make Apache accept LDAP authentication if no client certificate(PKCS12) is provided while checkout over HTTPS?

This was the webpage i followed, http://joseph.freivald.com/linux/2009/05/14/subversion-ssl-and-apache-for-secure-passwordless-user-based-repository-access-controls/ — Vishnu Kumar, Apr 07 '14 at 07:30

Vishnu Kumar · Accepted Answer · 2014-07-18T07:13:23.840

Instead of configuring SSL certs for Location /.
I configured SSL certs auth for Location /cert subfolder.
Location / is configured with LDAP.
My subversion.conf now looks like:

<Location />
  AuthBasicProvider file ldap
  AuthzLDAPAuthoritative off
  AuthType Basic
  AuthName "SVN users enter password"
  AuthLDAPURL ldap://ldap.example.com:389/ou=employees,ou=people,o=example.com
  AuthGroupFile /var/www/auth/group
  AuthUserFile /var/www/auth/passwd
  Require valid-user
</Location>

<Location /svn>
  AuthBasicProvider file ldap
  AuthzLDAPAuthoritative off
  AuthType Basic
  AuthName "SVN users enter password"
  AuthLDAPURL ldap://ldap.example.com:389/ou=employees,ou=people,o=example.com
  AuthGroupFile /var/www/auth/group
  AuthUserFile /var/www/auth/passwd
  Require valid-user
</Location>

<Location /cert>
  DAV svn
  SVNParentPath /var/www/html/svn/repos
  AuthzSVNAccessfile /var/www/html/svn/authz
  SSLRequireSSL
  SSLCACertificatePath /etc/httpd/conf/keys/
  SSLCACertificateFile /etc/httpd/conf/keys/stacked-pem.cer
  SSLVerifyClient optional_no_ca
  SSLUserName SSL_CLIENT_S_DN_CN
  SetOutputFilter DEFLATE
  Satisfy Any
</Location>

Now the failover to LDAP is happening :)
The key is Satisfy any

After upgrading to Apache 2.4, it allowed any user authenticating with certs to check-in and check-out. It took valid-user from Parent location "/". Adding `AuthMerging Off` in /cert fixed it. — Vishnu Kumar, Jun 30 '15 at 07:12
Is it necessary to have the same config under / and /svn too? — bviktor, Feb 05 '18 at 20:57
@bviktor, yup good point, I don't think `/svn` config will be required. — Vishnu Kumar, Feb 16 '18 at 08:03

svn passwordless authentication - using SSL trust

1 Answers1