We are planning to integrate our installation of Subversion with OpenLDAP for authentication, so that all users have to authenticate against the Active Directory before committing any changes to code.

Has anyone already done this kind of integration? Any help will be appreciated.

Luigi

1 Answer

Check this out.

Make sure you have Apache installed first

Example of the directive we use where I work:

```apache
LoadModule dav_svn_module     modules/mod_dav_svn.so

<Location /<your_desired_url>>
 DAV svn
 SVNPath <ph. path to repo>
 SVNReposName "anything can go here"
 AuthType Basic
 AuthName "anything can go here"
 AuthBasicProvider ldap
 AuthLDAPBindDN "CN=XXX,CN=XXX,DC=XXX,DC=XXX"
 AuthLDAPBindPassword "the_pwd_of_the_above"
 AuthLDAPURL "ldap://1.2.3.4:3268/DC=XXX,DC=XXX?sAMAccountName?sub?" NONE
 Require valid-user
 #Require ldap-group CN=XXX,CN=XXX,DC=XXX,DC=XXX
</Location>
```

The last line, the commented one (#), can be used to require that only users from some group can commit or read the repository.

Pedro Otero
  • Thanks @Pedro Otero. Unfortunately the post is related to authentication through LDAP without binding. I followed another guide: (http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html) but the error from Error Log file is always the same: `AH00170: caught SIGWINCH, shutting down gracefully`. Any help will be much appreciated – Luigi Sep 02 '15 at 16:19
  • @Luigi you're right. Where I work, all users authenticate through LDAP to commit their changes. Our Apache directive contains an ldap bind dn and a password for it, which I understand is the user that will authenticate to the directory to search for the actual user who is trying to perform an operation. Should I edit my answer to show you the directive? – Pedro Otero Sep 02 '15 at 16:51
  • @Luigi went ahead and did it anyways – Pedro Otero Sep 02 '15 at 17:01
  • Hi @Pedro, now it seems it works properly, even if I couldn't test it. I can login to svn branch only with the user created during svn installation process. The directive that I changed is `LoadModule dav_svn_module modules/mod_dav_svn.so DAV svn SVNPath http://localhost SVNReposName "RepoName" AuthType Basic AuthName "passwd please" AuthBasicProvider ldap AuthLDAPBindDN "cn=Manager,dc=example,dc=com" AuthLDAPBindPassword secret AuthLDAPURL "ldap://localhost:389/ou=People,dc=example,dc=com?uid ` – Luigi Sep 03 '15 at 14:40
  • Things you need to change: 1. is just the part of the URL after the localhost. You can just put "/repo" and your repo will be accessed from http://localhost/repo. 2. is the physical path to the repo, say "C:\repo". Also, you may want to change the port 389 to 3268 if even with the above it doesn't work. – Pedro Otero Sep 03 '15 at 16:21
  • Thank you so much for your support, but unfortunately it doesn't work yet. To install the SVN I followed this guide (https://www.howtoforge.com/how-to-install-svn-with-apache-dav_svn-on-centos-7) and then modified the httpd.conf according to your suggestion ` DAV svn SVNPath /tmp/secondproject SVNReposName "RepoName" AuthType Basic AuthName "passwd please" AuthBasicProvider ldap AuthLDAPBindDN "cn=Manager,dc=example,dc=com" AuthLDAPBindPassword secret AuthLDAPURL "ldap://localhost:389/ou=People,dc=example,dc=com?uid ` – Luigi Sep 07 '15 at 11:26
  • Hi @Pedro. Finally it works. Thank you for your support. I have some problem with SELinux settings that denied any communication with port 389. I solved it following this post (http://www.linuxquestions.org/questions/linux-server-73/ldap-authentication-error-%5Bcan't-contact-ldap-server%5D-from-apache-httpd-920907/). – Luigi Sep 11 '15 at 14:40
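
The directive from the answer above, reworked as an added example (not the answerer's or any participant's configuration): the directory connection runs over TLS, the bind password is kept out of the config file, and access is limited to one group. The host name, CA path, repository path and helper script are placeholders or hypothetical; the `XXX` DNs are kept from the answer.

```apache
# Added example. mod_dav and mod_ssl are assumed to be loaded elsewhere.
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Server level: trust only the CA that issued the directory server's
# certificate and refuse LDAP connections whose certificate does not verify.
# (CA path is a placeholder.)
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/directory-ca.pem
LDAPVerifyServerCert On

<Location /repo>
  DAV svn
  # Physical path to the repository (placeholder).
  SVNPath /srv/svn/repo
  SVNReposName "Example repository"

  # Basic auth sends the password base64-encoded with every request,
  # so reject any request that did not arrive over HTTPS.
  SSLRequireSSL

  AuthType Basic
  AuthName "Subversion (directory login)"
  AuthBasicProvider ldap

  # Service account used only to search the directory for the user's DN.
  AuthLDAPBindDN "CN=XXX,CN=XXX,DC=XXX,DC=XXX"
  # httpd 2.4.5+ can run a program and use the first line of its output as
  # the password; the script path is hypothetical and should be readable
  # by root only.
  AuthLDAPBindPassword "exec:/usr/local/sbin/svn-ldap-bindpw"

  # ldaps on 3269 (Active Directory global catalog over TLS) in place of
  # ldap://...:3268 with NONE. The host name is a placeholder.
  AuthLDAPURL "ldaps://dc.example.internal:3269/DC=XXX,DC=XXX?sAMAccountName?sub?" SSL

  # Allow one group instead of every account that can authenticate.
  Require ldap-group CN=XXX,CN=XXX,DC=XXX,DC=XXX
</Location>
```

For a plain OpenLDAP server such as the one in the comments, the equivalent is `ldaps://` on port 636 or the same `ldap://` URL with `STARTTLS` as the final argument.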