All I wanted out of life was to authenticate against Active Directory, let everyone with a valid user read my svn repo, have a build user for my continuous integration defined in a file (a non-Active Directory user), and give a couple of AD users read/write permissions. Sounds simple, but maybe not so much.
This is my config file (in /etc/httpd/conf.d):
<AuthnProviderAlias ldap adf-ldap-alias>
#LDAP config: make sure the DN config is correct and the server is right
#NONE means no TLS, so the bind password and every user's password cross the network to the AD server in cleartext
AuthLDAPURL "ldap://adserver.co.za:3268/OU=User Accounts,DC=company,DC=co,DC=za?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "svnuser@company.co.za"
#the bind password sits in this file in plain text, so keep the file readable by root only
AuthLDAPBindPassword supersecret
</AuthnProviderAlias>
<AuthnProviderAlias file adf-file-alias>
#set up this file using htpasswd
AuthUserFile /etc/subversion/adf-auth-file
</AuthnProviderAlias>
<Location /adfrepo>
DAV svn
AuthType Basic
AuthName "ADF Subversion Repository"
#this is where the magic happens for using two providers: LDAP is tried first, then the file
AuthBasicProvider adf-ldap-alias adf-file-alias
#permissions that don't use AD groups
AuthzSVNAccessFile /etc/subversion/adf-authz
#path to your new repo
SVNPath /usr/local/svn/adf
Require valid-user
</Location>
Example of /etc/subversion/adf-authz (* = r means everybody has read access)
[groups]
svnAdf = usr1, usr2, bob
[:/]
@svnAdf = rw
[/]
* = r
@svnAdf = rw
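To see what an authz file like this grants in practice, here is an added example (not part of the original post) that resolves a user's effective access at a path. It is a simplified model: repository prefixes in section names are ignored, and the `[/release]` section is a constructed addition showing that a rule on a deeper path overrides the group's rw from `[/]`.

```python
import configparser

# Constructed sample based on the adf-authz file above; the [/release]
# section is an assumption added to show a path-level override.
SAMPLE_AUTHZ = """\
[groups]
svnAdf = usr1, usr2, bob
[/]
* = r
@svnAdf = rw
[/release]
* =
bob = rw
"""

def load_authz(text):
    """Parse authz text into (groups, rules); repo prefixes are dropped."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups, rules = {}, {}
    for section in cp.sections():
        if section == "groups":
            for name, members in cp.items(section):
                groups[name] = {m.strip() for m in members.split(",") if m.strip()}
        else:
            path = section.split(":", 1)[-1].rstrip("/") or "/"
            rules.setdefault(path, []).extend(cp.items(section))
    return groups, rules

def matches(subject, user, groups):
    """True if an authz subject (*, @group or user name) covers this user."""
    if subject == "*":
        return True
    if subject.startswith("@"):
        return user in groups.get(subject[1:], set())
    return subject == user

def effective_access(user, path, groups, rules):
    """Return '', 'r' or 'rw': the deepest section with a matching line wins."""
    path = path.rstrip("/") or "/"
    while True:
        hits = [perm for subj, perm in rules.get(path, []) if matches(subj, user, groups)]
        if hits:  # matching lines in one section are combined
            combined = set("".join(hits))
            return "".join(c for c in "rw" if c in combined)
        if path == "/":
            return ""
        path = path.rsplit("/", 1)[0] or "/"
```

The build user from the htpasswd file only ever matches `*`, so it gets read access and nothing more, while members of svnAdf lose their rw wherever a deeper section matches them with a weaker rule.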
Some nifty commands
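#add a build user to the auth file (-c creates the file and overwrites an existing one, so drop it when adding more users; -m stores an MD5 hash)
htpasswd -cm /etc/subversion/adf-auth-file builduser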
#copy old repo to new repo
svnsync init http://newsvn.company.co.za/adf http://oldsvn.company.co.za/svn/adf
svnsync sync file:///usr/local/svn/adf
svnadmin setuuid /usr/local/svn/adf
#create the new repo with correct permissions
svnadmin create /usr/local/svn/adf
chcon -R -t httpd_sys_content_rw_t /usr/local/svn/adf
chown -R svnadmin /usr/local/svn/adf
chgrp -R apache /usr/local/svn/adf
chmod -R g+w /usr/local/svn/adf
Pre-commit hook to enforce comments (REPOS="$1" and TXN="$2" are the hook's arguments; SVNLOOK is the path to svnlook)
$SVNLOOK log -t "$TXN" "$REPOS" | grep "[a-zA-Z0-9]" > /dev/null || { echo "Please enter a comment before you commit." >&2; exit 1; }