Setting up a Subversion server (http://subversion.tigris.org/) is fairly easy. On most Linux distributions, you can install it with the distribution's package manager. At our company, we run Subversion on CentOS with Apache.
For added security, we require users to authenticate if they want to access the repositories. You can add these users manually with htaccess files, but why do that if you already have all the users listed in the Domino directory? Having multiple user accounts for the same user, scattered over different servers, only makes things more complex. So I decided to extract them from our Domino server via LDAP.
To add authentication, I added the following parameters to the Apache configuration.
First, specify that you want to use LDAP for authentication:
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "SVN"
require valid-user
AuthBasicProvider ldap and AuthType Basic tell Apache/Subversion to use LDAP for authentication. With AuthzLDAPAuthoritative off, you tell Apache that LDAP does not decide who has access and who doesn’t. In our case, LDAP just has to pass user information. AuthName is just a title for the login popup. require valid-user speaks for itself, I think.
Next, we come to the actual connection. This has to be built up like this:
AuthLDAPUrl "ldap://hostname:port/basedn?attribute?scope?filter" NONE
basedn defines where you want to search in LDAP. attribute is the LDAP attribute that is matched against the username the user types in the login popup. scope tells LDAP how deep it has to search in the directory. Set this to “sub” so it will search the entire directory. filter defines what objects should be returned. Set this to “(objectClass=*)” to return all objects.
Our URL looks like this:
AuthLDAPUrl "ldap://ldap.groupwave.be:389/O=GroupWave?CN?sub?(objectClass=*)" NONE
To find the correct URL for your server, I suggest you use an LDAP browser tool like Softerra LDAP Browser (http://www.ldapadministrator.com/). Getting the URL right by trial and error in Apache can be a very tiresome job.
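As an alternative to trial and error in Apache, the following added example (not part of the original article) splits an AuthLDAPUrl value into its parts, builds the search filter mod_authnz_ldap derives from it, `(&(filter)(attribute=username))`, and prints an equivalent OpenLDAP `ldapsearch` command. It also reports whether the connection is encrypted, which NONE on a plain ldap:// URL is not. The function names and the user name "Jane Doe" are assumptions made for the example.

```python
import shlex
from urllib.parse import unquote, urlsplit

# RFC 4515 escapes for characters that are special inside a filter value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_auth_ldap_url(directive_args):
    """Split the arguments of AuthLDAPUrl into the parts the module uses."""
    args = shlex.split(directive_args)  # copes with the quoted URL
    mode = args[1].upper() if len(args) > 1 else "NONE"
    parts = urlsplit(args[0])
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("URL must start with ldap:// or ldaps://")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # The query is attribute?scope?filter; empty fields use the defaults.
    fields = (parts.query.split("?", 2) + ["", ""])[:3]
    attribute, scope, ldap_filter = (unquote(f) for f in fields)
    return {
        "uri": f"{parts.scheme}://{parts.hostname}:{port}",
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope if scope in ("one", "sub") else "sub",
        "filter": ldap_filter or "(objectClass=*)",
        "encrypted": parts.scheme == "ldaps" or mode in ("SSL", "TLS", "STARTTLS"),
    }


def search_filter(cfg, username):
    """Filter used to look the user up: (&(filter)(attribute=username))."""
    escaped = "".join(_ESCAPES.get(ch, ch) for ch in username)
    return f"(&{cfg['filter']}({cfg['attribute']}={escaped}))"


def ldapsearch_command(cfg, username):
    """Anonymous ldapsearch call for the same lookup (StartTLS would need -ZZ)."""
    argv = ["ldapsearch", "-x", "-H", cfg["uri"], "-b", cfg["basedn"],
            "-s", cfg["scope"], search_filter(cfg, username), "1.1"]  # 1.1 = DNs only
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # The URL from the article; "Jane Doe" is a constructed user name.
    cfg = parse_auth_ldap_url(
        '"ldap://ldap.groupwave.be:389/O=GroupWave?CN?sub?(objectClass=*)" NONE')
    print(ldapsearch_command(cfg, "Jane Doe"))
    if not cfg["encrypted"]:
        print("note: passwords cross the LDAP connection unencrypted")
```

If the printed command returns exactly one entry for a known user, the same URL should work in Apache.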
These extra parameters should be enough to add Domino LDAP authentication to your Subversion server. The final configuration looks like this (it goes inside a <VirtualHost> section):
<Location "/">
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Groupwave SVN"
require valid-user
AuthLDAPUrl "ldap://ldap.groupwave.local:389/O=GroupWave?CN?sub?(objectClass=*)" NONE
DAV svn
SVNParentPath /mnt/iscsi/subversion/repositories
SVNListParentPath on
</Location>