{"id":1789,"date":"2017-12-06T06:34:27","date_gmt":"2017-12-06T06:34:27","guid":{"rendered":"http:\/\/www.scmgalaxy.com\/tutorials\/?p=1789"},"modified":"2020-01-09T09:40:50","modified_gmt":"2020-01-09T09:40:50","slug":"apache2-ldap-authorization-for-subversion-with-opends","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/apache2-ldap-authorization-for-subversion-with-opends\/","title":{"rendered":"Apache2 LDAP authorization for Subversion with OpenDS"},"content":{"rendered":"<p><strong>rajeshkumar created the topic: Apache2 LDAP authorization for Subversion with OpenDS<\/strong><br \/>\nApache2 LDAP authorization for Subversion with OpenDS<\/p>\n<p>There are several ways to enable user authentication for web based applications, like .htaccess files, plain text files, databases, LDAP, etc. They all have their pros and cons. In case a central, flexible solution is needed, either a database or LDAP solution can be used.<\/p>\n<p>I chose an LDAP solution since it can be reused by many web and application servers and the applications that run on them while many LDAP solutions provide excellent tooling and easy configuration. Since Yenlo strongly focuses on GlassFish and other Sun tools, I chose OpenDS to authenticate against. The idea is to create a bunch of users and put them into one or more groups. Each group gets access to one specific Subversion repository and every user that needs access to a certain subversion repository needs to be in the corresponding group.<\/p>\n<p>This blog describes the basic steps I took to get Basic HTTP authentication for Subversion using Apache2 and OpenDS.<br \/>\nSetting up the server<\/p>\n<p>The server is running on Debian Etch, for which most of the required software is available via the Debian package repository. 
The packages I installed are<br \/>\napache2<br \/>\napache2-mpm-prefork<br \/>\nlibapache2-svn<br \/>\nsubversion<br \/>\nsun-java6-bin<br \/>\nsun-java6-jdk<br \/>\nsun-java6-jre<\/p>\n<p>Apart from these packages I downloaded and installed the OpenDS 2.2 zip file from the OpenDS homepage. For this purpose I created a user and a group called \u201copends\u201d and the directory \/usr\/local\/opends which I gave both ownership and group \u201copends\u201d. Next I logged in as user opends and extracted the zip file into that directory. Finally, as root, I created a start and stop script and used the update-rc.d script to make sure OpenDS is automatically started and stopped when the server is started and stopped.<\/p>\n<p>Setting up Subversion<\/p>\n<p>Let\u2019s suppose that our organisation has decided to create a Subversion repository for each development project that we do. This means that we would get a directory structure like this, with the leaves being the root directories of each repository:<br \/>\n\/usr\/share\/subversion<br \/>\n                     \/repository1<br \/>\n                     \/repository2<\/p>\n<p>The repositories were created as root using these commands in the \/usr\/share\/subversion directory<br \/>\n# svnadmin create repository1<br \/>\n# svnadmin create repository2<\/p>\n<p>That\u2019s all the configuration that was done to the Subversion repositories.<\/p>\n<p>Configuring OpenDS<\/p>\n<p>First, a basic setup of OpenDS needed to be done using the command<br \/>\n$ \/usr\/local\/opends\/OpenDS-2.2.0\/bin\/setup<\/p>\n<p>For more info about this, see Setting Up the Directory Server. Please note that if you are not running OpenDS as root user, it will listen on port 1389.<\/p>\n<p>The next step was to configure OpenDS so it contains a few users and groups. 
The main configuration tool for OpenDS is called control-panel and, in my case, it can be started as user \u201copends\u201d by issuing this command:<br \/>\n$ \/usr\/local\/opends\/OpenDS-2.2.0\/bin\/control-panel<\/p>\n<p>With this tool, among other things, you can manage the entries in the directory. For my purpose I created the next layout<br \/>\nbase dn (dc=yenlo,dc=nl)<br \/>\n  organisation (o=yenlo)<br \/>\n    organisational unit (ou=devel)<br \/>\n      user (uid=wouter1, password = wouter1)<br \/>\n      user (uid=wouter2, password = wouter2)<br \/>\n      user (uid=wouter3, password = wouter3)<br \/>\n      group (cn=group1, uniqueMember=wouter1,wouter2)<br \/>\n      group (cn=group2, uniqueMember=wouter2,wouter3)<\/p>\n<p>which is a very simple layout but sufficient for now. Note that I created two Subversion repositories and therefore two LDAP groups, one for each Subversion repository.<\/p>\n<p>Setting up Apache2 to get access to the Subversion repositories<\/p>\n<p>First I configured Apache2 so the two repositories were accessible to anyone using e.g. a web browser. After libapache2-svn is installed, the module should be enabled in the Apache2 configuration files automatically. 
To verify this, check the<br \/>\n\/etc\/apache2\/mods-enabled\/<\/p>\n<p>directory and make sure these symbolic links exist<br \/>\ndav.load -> ..\/mods-available\/dav.load<br \/>\ndav_svn.conf -> ..\/mods-available\/dav_svn.conf<br \/>\ndav_svn.load -> ..\/mods-available\/dav_svn.load<\/p>\n<p>If the first link is missing, create it as root using<br \/>\n# a2enmod dav<\/p>\n<p>If the second and third are missing, create them as root using<br \/>\n# a2enmod dav_svn<\/p>\n<p>To make sure the modules are loaded by Apache2, restart the server as root using<br \/>\n# \/etc\/init.d\/apache2 restart<\/p>\n<p>Now some modifications need to be made to the dav_svn configuration file<br \/>\n\/etc\/apache2\/mods-available\/dav_svn.conf<\/p>\n<p>The idea is that there are two Subversion repositories that need to be configured individually. So, these two entries need to be put in the above mentioned configuration file<br \/>\n<Location \/svn\/repository1><br \/>\nDAV svn<br \/>\nSVNPath \/usr\/share\/subversion\/repository1<br \/>\nSVNListParentPath On<br \/>\nSVNAutoversioning On<br \/>\nSVNReposName \"Repository1 Subversion Repository\"<br \/>\n<\/Location><br \/>\n<Location \/svn\/repository2><br \/>\nDAV svn<br \/>\nSVNPath \/usr\/share\/subversion\/repository2<br \/>\nSVNListParentPath On<br \/>\nSVNAutoversioning On<br \/>\nSVNReposName \"Repository2 Subversion Repository\"<br \/>\n<\/Location><br \/>\nNow, if you point your browser to either http:\/\/<host>\/svn\/repository1 or http:\/\/<host>\/svn\/repository2 you should see the root of your repository.<\/p>\n<p>Adding LDAP support using OpenDS<\/p>\n<p>In order to use LDAP authentication with Apache2, these two entries should be present in \/etc\/apache2\/mods-enabled:<br \/>\nauthnz_ldap.load -> ..\/mods-available\/authnz_ldap.load<br \/>\nldap.load -> ..\/mods-available\/ldap.load<\/p>\n<p>If they aren\u2019t present, you can enable them as root with these commands<br \/>\n# a2enmod authnz_ldap<br 
\/>\n# a2enmod ldap<br \/>\n# \/etc\/init.d\/apache2 restart<\/p>\n<p>Now, each <Location> entry in \/etc\/apache2\/mods-available\/dav_svn.conf should be extended with these lines in order to get LDAP authentication working with OpenDS. Please note that you should pay attention to the group you assign to each subversion repository location. I am only showing the configuration addition for repository1 and leave it as an exercise to you to setup the second repository configuration. Also please make sure the correct password for the Directory Manager is provided. For more info about these configuration settings, please consult the OpenDS WIKI page on Apache Web Server.<br \/>\nAuthType Basic<br \/>\nAuthName \"Repository1 Subversion Repository\"<br \/>\nAuthBasicProvider ldap<br \/>\nAuthzLDAPAuthoritative off<br \/>\nAuthLDAPURL ldap:\/\/localhost:1389\/dc=yenlo,dc=nl?uid<br \/>\nAuthLDAPBindDN \"cn=Directory Manager\"<br \/>\nAuthLDAPBindPassword mypassword<br \/>\nAuthLDAPGroupAttribute uniqueMember<br \/>\nAuthLDAPGroupAttributeIsDN on<br \/>\nRequire ldap-group cn=group1,ou=devel,o=yenlo,dc=yenlo,dc=nl<\/p>\n<p>Issue a final<br \/>\n# \/etc\/init.d\/apache2 restart<\/p>\n<p>and you should be prompted for a username and password when you try to access either repository. Using the correct uid and password combination should grant you access to the repository.<\/p>\n<p>Next steps<\/p>\n<p>The authentication mechanism we chose, Basic authentication, posts usernames and passwords in plain text, which potentially could be harmful in case someone sniffs the connection. I would strongly recommend setting up SSL based connections. Moreover, this blog post only shows how to secure one repository layout using LDAP. Both Subversion and Apache are sufficiently flexible that other layouts are possible. Those layouts most likely require tweaking of the Apache2 configuration options. 
Finally, I am not an LDAP expert so the directory structure I chose in OpenDS most likely can be much improved. However, following the steps in this article should get you on your way to using OpenDS in combination with Apache2.<\/p>\n<p>Reference: <a href=\"http:\/\/www.yenlo.nl\/woutervanreeven\/2010\/03\/15\/apache2-ldap-authorization-for-subversion-with-opends\/\" target=\"_blank\" rel=\"noopener\">http:\/\/www.yenlo.nl\/woutervanreeven\/2010\/03\/15\/apache2-ldap-authorization-for-subversion-with-opends\/<\/a><br \/>\nRegards,<br \/>\nRajesh Kumar<br \/>\nTwitt me @ <a href=\"http:\/\/twitter.com\/RajeshKumarIn\" target=\"_blank\" rel=\"noopener\">twitter.com\/RajeshKumarIn<\/a><\/p>\n<p><strong>rajeshkumar replied the topic: Re:Apache2 LDAP authorization for Subversion with Opends<\/strong><br \/>\nSubversion authorization through LDAP with OpenDS<\/p>\n<p>If you are building a centralized development environment for a team or large group of users, the question of centralizing user identities, authentication and authorization is always popping up and the answer is often to use an LDAP directory server. The developer section of the OpenDS documentation wiki has a set of tutorials for using the OpenDS LDAP directory server with various web servers and open source projects like GlassFish, Apache Tomcat, SugarCRM&#8230; But not yet for Subversion. 
Thankfully, Wouter van Reeven, Senior Consultant at Yenlo, has just published a long and detailed tutorial for setting up Subversion authentication and authorization through LDAP, with OpenDS and Apache2.<\/p>\n<p>blogs.sun.com\/Ludo\/entry\/subversion_auth&#8230;on_through_ldap_with<br \/>\nRegards,<br \/>\nRajesh Kumar<br \/>\nTwitt me @ <a href=\"http:\/\/twitter.com\/RajeshKumarIn\" target=\"_blank\" rel=\"noopener\">twitter.com\/RajeshKumarIn<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>rajeshkumar created the topic: Apache2 LDAP authorization for Subversion with OpenDS Apache2 LDAP authorization for Subversion with OpenDS There are several ways to enable user authentication for web based applications, like .htaccess files, plain text files, databases, LDAP, etc. They all have their pros and cons. In case a central, flexible solution is needed, either&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","_joinchat":[],"footnotes":""},"categories":[2],"tags":[394],"class_list":["post-1789","post","type-post","status-publish","format-standard","hentry","category-uncategorised","tag-subversion"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/1789","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool
.com\/blog\/wp-json\/wp\/v2\/comments?post=1789"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/1789\/revisions"}],"predecessor-version":[{"id":1790,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/1789\/revisions\/1790"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=1789"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=1789"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=1789"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}