Wednesday, November 23, 2011

SVN: Subversion apache configuration smackdown

All I wanted out of life was to authenticate against Active Directory, let everyone with a valid AD user read my svn repo, define a build user in a file for my Continuous Integration server (not an Active Directory user), and give a couple of AD users read/write permissions. Sounds simple, but maybe not so much.

This is my config file (in /etc/httpd/conf.d):
<AuthnProviderAlias ldap adf-ldap-alias>
# LDAP config: make sure the base DN is correct and the server is right
  AuthLDAPURL "ldap://adserver.co.za:3268/OU=User Accounts,DC=company,DC=co,DC=za?sAMAccountName?sub?(objectClass=*)" NONE
  AuthLDAPBindDN "svnuser@company.co.za"
  AuthLDAPBindPassword supersecret
</AuthnProviderAlias>

<AuthnProviderAlias file adf-file-alias>
# set up this file using htpasswd
  AuthUserFile /etc/subversion/adf-auth-file
</AuthnProviderAlias>

<Location /adfrepo>
  DAV svn
  AuthType Basic
  AuthName "ADF Subversion Repository"
# this is where the magic happens: two providers, tried in the listed order (LDAP first, then the file)
  AuthBasicProvider adf-ldap-alias adf-file-alias
# permissions that don't use AD groups
  AuthzSVNAccessFile /etc/subversion/adf-authz
# path to your new repo
  SVNPath /usr/local/svn/adf
  Require valid-user
</Location>

Example of /etc/subversion/adf-authz (* = r means everybody has read access):

[groups]
svnAdf = usr1, usr2, bob

[:/]
@svnAdf = rw

[/]
* = r
@svnAdf = rw
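Added example, not from the post: a small Python evaluator that answers "what does user X get on path Y" for an authz file like the one above, so the everybody-reads rule and the group's rw can be checked before the file is deployed. The authz text is a constructed copy of the post's file plus a hypothetical [adf:/trunk/secrets] subtree that shows the nearest matching path section deciding and `* =` locking everyone else out; where several rules in one section apply to the same user, this evaluator lets the most specific principal win (named user over group over `*`), which for the post's file gives the same answer as combining them.

```python
import configparser
# Constructed copy of the post's adf-authz plus a hypothetical [adf:/trunk/secrets] subtree.
ADF_AUTHZ = """
[groups]
svnAdf = usr1, usr2, bob
[/]
* = r
@svnAdf = rw
[adf:/trunk/secrets]
* =
bob = rw
"""

def load_authz(text):
    """Parse authz text into (groups, {section: {principal: normalised rights}})."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",), interpolation=None)
    cp.optionxform = str  # principal names are case-sensitive in authz files
    cp.read_string(text)
    groups = {g: [m.strip() for m in (v or "").split(",")] for g, v in cp.items("groups")}
    rules = {s: {k: "".join(c for c in "rw" if c in (v or "")) for k, v in cp.items(s)}
             for s in cp.sections() if s != "groups"}
    return groups, rules

def in_group(groups, user, group, seen=frozenset()):
    for m in groups.get(group, []):  # members are users or nested @groups; seen guards cycles
        if m == user or (m.startswith("@") and m[1:] not in seen
                         and in_group(groups, user, m[1:], seen | {group})):
            return True
    return False

def specificity(groups, principal, user):  # rank of an applicable rule, None if it does not apply
    if principal.startswith("@"):
        return 2 if in_group(groups, user, principal[1:]) else None
    if principal in ("$authenticated", "$anonymous"):
        return 1 if (principal == "$anonymous") == (user is None) else None
    return {"*": 0, user: 3}.get(principal)  # '*' matches everyone, anonymous (None) included

def effective_access(authz, repo, path, user):
    """Rights ('rw', 'r' or '') USER gets on PATH of REPO; user=None means anonymous."""
    groups, rules = authz
    p = "/" + path.strip("/")
    while True:
        for section in (f"{repo}:{p}", p):  # repository-specific rules are checked before global ones
            matches = [(s, v) for k, v in rules.get(section, {}).items() if (s := specificity(groups, k, user)) is not None]
            if matches:  # the nearest section with an applicable rule decides; parents are not consulted
                best = max(s for s, _ in matches)  # named user beats group beats $authenticated beats *
                return "".join(c for c in "rw" if any(c in v for s, v in matches if s == best))
        if p == "/":
            return ""  # no ancestor section mentions this principal: access denied
        p = p.rsplit("/", 1)[0] or "/"
```

Note that `* = r` also grants anonymous read in the authz file itself, so the `Require valid-user` in the Location block is what actually keeps unauthenticated clients out.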


Some nifty commands

# add a build user to the auth file (-c creates the file, so omit it when the file already
# exists; -m stores MD5 hashes, do not add -d, which switches to 8-character CRYPT)
htpasswd -cm /etc/subversion/adf-auth-file builduser

# copy old repo to new repo (the new repo needs a pre-revprop-change hook that exits 0,
# otherwise svnsync init fails)
svnsync init http://newsvn.company.co.za/adf http://oldsvn.company.co.za/svn/adf
svnsync sync file:///usr/local/svn/adf
# without a UUID argument this generates a new one; pass the old repo's UUID as a second
# argument instead if existing working copies should keep working
svnadmin setuuid /usr/local/svn/adf

# create the new repo with correct permissions (do this before the svnsync step)
svnadmin create /usr/local/svn/adf
chcon -R -t httpd_sys_content_rw_t /usr/local/svn/adf
chown -R svnadmin /usr/local/svn/adf
chgrp -R apache /usr/local/svn/adf
chmod -R g+w /usr/local/svn/adf

pre-commit hook to enforce comments (add to hooks/pre-commit; the template already sets REPOS="$1", TXN="$2" and SVNLOOK)
$SVNLOOK log -t "$TXN" "$REPOS" | grep -q "[a-zA-Z0-9]" || { echo "Please enter a comment before you commit." >&2; exit 1; }
