Subversion+OpenLDAP

I'm going to show how to install a Subversion server on Ubuntu or Debian and make its authentication go through an OpenLDAP server.

1.- Install Subversion:

apt-get install subversion

2.- Create a repository:

mkdir /repository

cd /repository

mkdir project

svnadmin create /repository/project

3.- If the user subversion does not exist, create it:

adduser subversion

Then, in /etc/passwd, we replace the string /bin/bash with /bin/false on this user's line. We do this so that the account has no login shell and cannot be used to log in.

4.- Establish the permissions:

chown -R www-data:subversion /repository

chmod -R g+rws /repository

5.- Add subversion daemon:
touch /etc/init.d/svnserve
chmod +x /etc/init.d/svnserve
update-rc.d svnserve defaults
nano /etc/init.d/svnserve
#! /bin/sh
### BEGIN INIT INFO
# Provides:          svnserve
# Required-Start:    $local_fs $syslog $remote_fs
# Required-Stop:     $local_fs $syslog $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start svnserve
### END INIT INFO

# Author: Michal Wojciechowski

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="svnserve"
NAME=svnserve
DAEMON=/usr/bin/$NAME
DAEMON_ARGS="-d -r /repository"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit quietly if the svnserve binary is not installed
[ -x "$DAEMON" ] || exit 0

# Read optional overrides, then the Debian init helpers
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
. /lib/init/vars.sh
. /lib/lsb/init-functions

do_start()
{
    # Returns 1 if the daemon is already running, 2 if it could not be started
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
        || return 1
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
        $DAEMON_ARGS \
        || return 2
}

do_stop()
{
    # Returns 1 if the daemon was already stopped, 2 if it could not be stopped
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
    [ "$?" = 2 ] && return 2
    rm -f $PIDFILE
    return "$RETVAL"
}

case "$1" in
  start)
    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  stop)
    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  restart|force-reload)
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
            0) log_end_msg 0 ;;
            1) log_end_msg 1 ;; # Old process is still running
            *) log_end_msg 1 ;; # Failed to start
        esac
        ;;
      *)
        # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
    exit 3
    ;;
esac

exit 0

6.- Replace '/repository' with the location of your repository in the line:

DAEMON_ARGS="-d -r /repository"

And start the service:

/etc/init.d/svnserve start

With 'rcconf', add it to the services that start on boot.

7.- To authenticate users against LDAP we need to install SASL:

apt-get install db4.7-util sasl2-bin ldap-utils

We edit the repository's conf file (svnadmin create places it at conf/svnserve.conf inside the repository directory):

nano /home/svn/conf/svnserve.conf

And we leave it this way:

[general]
anon-access = none
auth-access = write
authz-db = authz

[sasl]
use-sasl = true

8.- We create the following file:

nano /usr/lib/sasl2/svn.conf

And we leave it this way:

#/usr/lib/sasl2/svn.conf — might be /usr/lib/sasl2/subversion.conf not sure, make both

## Password check method, default to the SASL AUTH daemon

pwcheck_method: saslauthd

## Auxiliary (property) plugin, use ldap

auxprop_plugin: ldap

## Mechanism list, MS AD requires you to send credentials in plain text

mech_list: PLAIN LOGIN

## Not sure if this is required… but I kept it in

ldapdb_mech: PLAIN LOGIN

9.- We are going to configure the SASL daemon:

nano /etc/default/saslauthd
and change the following parameters:

START=yes
MECHANISMS="ldap"

To finish the SASL configuration so that Subversion can authenticate against LDAP, we edit the following file:

nano /etc/saslauthd.conf

## URL for the Active Directory
ldap_servers: ldap://ip_ldap_server:389
## Not sure why exactly, but yes doesn't work… so no.
ldap_use_sasl: no
## Bind DN (Distinguished Name) of the user you want to bind to the AD
ldap_bind_dn: CN=admin,DC=domain,DC=com
## Password to the above user
ldap_password: password
## Sends passwords as plain text to AD to authenticate
ldap_mech: PLAIN
## Auth Method = Bind as specified user, and search for users in the AD
ldap_auth_method: bind
## Filter for users. (user@example.com) sAMAccountName = user
ldap_filter: uid=%U
## Specify search base
ldap_search_base: OU=Users,DC=domain,DC=com

We start the SASL daemon:

/etc/init.d/saslauthd start

If we want to see how authentication is proceeding, or whether there is any problem, we can run the daemon in debug mode:

saslauthd -a ldap -d

or look at the file

/var/log/auth.log
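
The settings from steps 7 and 9 leave the LDAP bind password in /etc/saslauthd.conf and reach the directory over ldap:// on port 389, so the following shell script (an added example, not part of the original post or its references) audits both files for those points and for the svnserve.conf access settings. The function names are hypothetical, ldap_start_tls is a saslauthd LDAP option that the page itself does not set, and the sample files are constructed from the guide's own values.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two files this guide edits.
# Function names are hypothetical; ldap_start_tls is an option the page does not set.

# Last value of "key: value" in a saslauthd.conf-style file.
sasl_get() {  # $1=file $2=key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1
}

# Value of "key = value" inside [section] of an svnserve.conf-style file.
svn_get() {  # $1=file $2=section $3=key
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0 }
        END { print val }' "$1"
}

finding() { echo "FINDING: $*"; n=$((n + 1)); }

# Prints one FINDING line per problem; exit status is 0 only when there are none.
audit_svn_sasl() {  # $1=saslauthd.conf $2=svnserve.conf
    n=0
    # saslauthd.conf stores ldap_password: group/other permission bits must all be clear.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || finding "$1 is accessible beyond its owner"
    # Plain ldap:// without StartTLS carries every bind password unencrypted.
    case "$(sasl_get "$1" ldap_servers)" in
        ldaps://*) ;;
        *) [ "$(sasl_get "$1" ldap_start_tls)" = yes ] || finding "ldap:// without ldap_start_tls" ;;
    esac
    [ "$(svn_get "$2" general anon-access)" = none ] || finding "[general] anon-access is not none"
    [ "$(svn_get "$2" sasl use-sasl)" = true ] || finding "[sasl] use-sasl is not true"
    [ "$n" -eq 0 ]
}

# Constructed sample: this guide's settings written into directory $1 for a dry run.
write_sample() {
    printf '%s\n' 'ldap_servers: ldap://ip_ldap_server:389' 'ldap_use_sasl: no' \
        'ldap_password: password' 'ldap_filter: uid=%U' > "$1/saslauthd.conf"
    printf '%s\n' '[general]' 'anon-access = none' 'auth-access = write' \
        '[sasl]' 'use-sasl = true' > "$1/svnserve.conf"
    chmod 644 "$1/saslauthd.conf"
}

# When called with two paths (saslauthd.conf, svnserve.conf), audit the real files.
[ "$#" -ne 2 ] || audit_svn_sasl "$1" "$2"
```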

REFERENCES:

https://help.ubuntu.com/community/Subversion

http://odyniec.net/articles/ubuntu-subversion-server/

http://michaelcamden.me/?p=27
