Subversion configured for Windows Active Directory HTTPS
If you want to set up a Subversion server on a Windows machine that recognizes users from Microsoft Active Directory and uses secure HTTP (HTTPS) to communicate with clients, you can use the following setup as a template for your configuration.
Binary files cannot be easily merged, so the lock-modify-unlock versioning model seems to be the only appropriate model for this type of file. This description also includes the client- and server-side configuration needed to support the lock-modify-unlock model for binary files.
Steps to follow:
1) Download and install Apache 2.2 + OpenSSL from http://www.apache.org. Use Apache 2.2 rather than Apache 2.0 if you want to connect to Active Directory
2) Download the Apache 2.2 binary-compatible version of svn from http://svn.tigris.org
3) Copy all DLLs and modules (.so files) from the subversion/bin directory to the apache2.2/modules directory
4) Copy an existing svn repository or create a new repository
COPY:
cd "c:\program files\subversion\bin"
svnadmin hotcopy //computer/share/subversion/repositories/repo1 c:/subversion/repositories/repo1
CREATE:
svnadmin create c:/subversion/repositories/repo1
5) Create an authorization file: svn.authz

### This file is an example authorization file for svnserve.
### Its format is identical to that of mod_authz_svn authorization
### files.
### As shown below each section defines authorizations for the path and
### (optional) repository specified by the section name.
### The authorizations follow. An authorization line can refer to a
### single user, to a group of users defined in a special [groups]
### section, or to anyone using the '*' wildcard. Each definition can
### grant read ('r') access, read-write ('rw') access, or no access
### ('').

[groups]
group1 = harry,sally
group2 = romeo,julia
group3 = sally,julia

[/]
* = r
@group1 = rw

6) Create a SSL certificate
- Openssl.exe included with this version of Apache 2.2 does not seem to be configured well on Windows. To create a certificate, you need a well-configured version of OpenSSL. For this example configuration of Subversion with HTTPS, the file Openssl-0.9.7e-Win32.zip[1] and the file openssl.conf[2] were downloaded from support.etouch.net[3]
- run the following commands
openssl req -config openssl.cnf -new -out svn.example.com.csr
openssl rsa -in privkey.pem -out svn.example.com.key
openssl x509 -in svn.example.com.csr -out svn.example.com.cert -req -signkey svn.example.com.key -days 1000
- copy the resulting *.cert and *.key files to the apache2.2/conf directory
7) Edit apache/conf/httpd.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule ldap_module modules/mod_ldap.so
# mod_authnz_ldap provides "AuthBasicProvider ldap" and the AuthLDAP* directives used below
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ssl_module modules/mod_ssl.so

<VirtualHost _default_:443>
    SSLEngine on
    # This string starts from ALL and removes only ADH and EXPORT56, so LOW,
    # 40-bit export, RC4 and SSLv2 suites stay in the list
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/svn.example.com.cert
    SSLCertificateKeyFile conf/svn.example.com.key
    #<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
    #    SSLOptions +StdEnvVars
    #</FilesMatch>
    #<Directory "C:/Program Files/Apache Group/Apache2/cgi">
    #    SSLOptions +StdEnvVars
    #</Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    #redirect /repos to /repos/
    RedirectMatch ^(/repos)$ $1/

    <Location /repos/>
        DAV svn
        # SVNPath c:/subversion/repositories/repo1
        SVNParentPath c:/subversion/repositories
        SVNListParentPath on
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthName "svn.example.com"
        AuthzSVNAccessFile c:/subversion/repositories/svn.authz
        #at least one of your domain servers listens on port 3268 (besides default ldap port 389)
        #use the server that listens on port 3268 if you have more than one AD server. The service
        #on port 389 uses referrals to the other AD servers. Referrals are used anonymously. Anonymous
        #binding will not work on most AD-servers.
        AuthLDAPURL "ldap://dc.example.nl:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
        #AuthLDAPURL "ldap://dc.example.nl:389/DC=example,DC=com?sAMAccountName??(objectClass=*)"
        AuthLDAPBindDN "CN=apache_bind,CN=users,DC=example,DC=com"
        AuthLDAPBindPassword [password_for_ad_user_apache_bind]
        #AuthLDAPFollowReferrals off
        AuthLDAPGroupAttributeIsDN on
        AuthLDAPGroupAttribute member
        SSLRequireSSL
        #require ldap-group CN=svnusers,CN=Users,DC=example,DC=com
        require valid-user
    </Location>
</VirtualHost>
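An audit of the step 7 settings, added here as an example (it is not part of the original page or of Apache or Subversion): it parses the directives, applies OpenSSL cipher-string semantics (a leading '+' only reorders, only '!' and '-' remove), and flags a plain ldap:// bind. The finding codes and the function names are assumptions made for this example; the sample is a constructed excerpt of the configuration above.

```python
import shlex

# Constructed excerpt of the step 7 httpd.conf, embedded so the audit runs offline.
SAMPLE_CONF = r'''
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
<Location /repos/>
  AuthType Basic
  AuthLDAPURL "ldap://dc.example.nl:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
  SSLRequireSSL
  require valid-user
</Location>
'''
WEAK_CLASSES = ("EXP", "LOW", "RC4", "SSLV2")  # every one of these is a member of ALL

def directives(text):
    """Map lower-cased directive name -> arguments; skips comments and <Section> tags."""
    found = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and line[0] not in "#<":
            name, *args = shlex.split(line)
            found[name.lower()] = args
    return found

def weak_cipher_classes(spec):
    """Weak classes an OpenSSL cipher string still offers (simplified model).
    '!X' and '-X' remove X; a leading '+' moves X to the end and selects nothing."""
    selected, removed = set(), set()
    for tok in spec.upper().replace("EXPORT", "EXP").split(":"):
        if tok[:1] in "!-":
            removed.add(tok[1:])
        elif tok[:1] != "+":
            selected.update(tok.split("+"))
    return [c for c in WEAK_CLASSES
            if (c in selected or "ALL" in selected) and c not in removed]

def audit(conf_text):
    """Return sorted finding codes (names made up for this example)."""
    d, findings = directives(conf_text), []
    if "sslciphersuite" in d:
        findings += ["weak-cipher:" + c for c in weak_cipher_classes(d["sslciphersuite"][0])]
    if "sslprotocol" not in d:  # Apache 2.2 then uses its default "all", which includes SSLv2
        findings.append("sslprotocol-not-pinned")
    url, *mode = d.get("authldapurl", [""])
    # Basic auth + ldap:// means user and bind passwords reach the DC in simple binds, unencrypted
    if url.lower().startswith("ldap://") and not {m.upper() for m in mode} & {"SSL", "TLS", "STARTTLS"}:
        findings.append("ldap-bind-in-cleartext")
    return sorted(findings)
```

The findings clear with an explicit `SSLProtocol all -SSLv2 -SSLv3`, a cipher string that removes the weak classes with `!`, and an ldaps:// URL to the global catalog's SSL port 3269.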
8) Apply ldap patch for MS-AD
When a Microsoft Active Directory connection times out, the server sends a TCP RST instead of a TCP FIN to the client. There is a workaround for this MS AD bug in Apache mod_ldap, see http://www.apachelounge.com/forum/viewtopic.php?t=1995 or download http://www.anneb.dds.nl/httpd-2.2.6_ldappatch_win32_vc6.zip
Replace the Apache modules mod_ldap.so and mod_authnz_ldap.so with the files from the downloaded zip file.

This configuration allows you to add more than one repository in the directory c:/subversion/repositories. All repositories are listed in the browser at the URL https://svn.example.com/repos. User names and passwords are validated against Active Directory. Standard svn clients cannot browse the list of repositories. Instead, use the full path to a particular repository, for instance https://svn.example.com/repos/repo1.
9) Force users to set svn:needs-lock property on new binary files
Binary files cannot be merged. Versioning should follow the lock-modify-unlock model. You can enforce this model for binary files with the following pre-commit script as part of the svn repository.
- create a pre-commit.cmd script in the repository\hooks directory

@echo off
set REPOS=%1
set TRANSACTION=%2
set SVNLOOK="c:\Program Files\Subversion\apache2.2\bin\svnlook.exe"
set TEMP=c:\temp
if exist %TEMP%\tempfile%2 del %TEMP%\tempfile%2
for /f "tokens=1,2 usebackq" %%i in (`%SVNLOOK% changed -t %2 %1`) do @if %%i==A @echo %%j >> %TEMP%\tempfile%2
if not exist %TEMP%\tempfile%2 goto NOFILESADDED
for /f "usebackq" %%i in (`findstr /E /I /R "\.bmp.$ \.gif.$ \.ico.$ \.jpeg.$ \.jpg.$ \.png.$ \.tif.$ \.tiff.$ \.doc.$ \.jar.$ \.odt.$ \.pdf.$ \.ppt.$ \.swf.$ \.vsd.$ \.xls.$ \.zip.$" %TEMP%\tempfile%2`) do (
    %SVNLOOK% propget -t %2 %1 svn:needs-lock %%i 1> nul 2> nul
    if ERRORLEVEL 1 (
        echo commit denied, binary files must have property svn:needs-lock >&2
        type %TEMP%\tempfile%2 >&2
        del %TEMP%\tempfile%2
        EXIT /B 1
    )
)
del %TEMP%\tempfile%2
:NOFILESADDED
EXIT /B 0
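The same step 9 check written in Python, as an added example that is not part of the original page: it slices the `svnlook changed` output at a fixed column, so paths containing spaces survive, and it needs no temporary file. The function names are made up for this example; the svnlook path and the extension list are taken from the script above.

```python
import subprocess
import sys

SVNLOOK = r"c:\Program Files\Subversion\apache2.2\bin\svnlook.exe"  # path from step 9
BINARY_EXT = (".bmp", ".gif", ".ico", ".jpeg", ".jpg", ".png", ".tif", ".tiff", ".doc",
              ".jar", ".odt", ".pdf", ".ppt", ".swf", ".vsd", ".xls", ".zip")

def added_binaries(changed_output):
    """Paths of added binary files in `svnlook changed` output.
    Each line is a two-character status, two spaces, then the path, so slicing
    at column 4 keeps paths that contain spaces in one piece."""
    paths = []
    for line in changed_output.splitlines():
        status, path = line[:1], line[4:]
        if status == "A" and path.lower().endswith(BINARY_EXT):
            paths.append(path)
    return paths

def has_needs_lock(repos, txn, path, svnlook=SVNLOOK):
    """True when svn:needs-lock is set on path in the pending transaction.
    The arguments go to svnlook as a list, so no shell ever parses the path."""
    cmd = [svnlook, "propget", "-t", txn, repos, "svn:needs-lock", path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def violations(changed_output, lock_check):
    """Added binaries for which lock_check(path) is false."""
    return [p for p in added_binaries(changed_output) if not lock_check(p)]

def main(repos, txn):
    changed = subprocess.run([SVNLOOK, "changed", "-t", txn, repos],
                             capture_output=True, text=True, check=True).stdout
    bad = violations(changed, lambda p: has_needs_lock(repos, txn, p))
    for path in bad:
        print("commit denied, svn:needs-lock missing on " + path, file=sys.stderr)
    return 1 if bad else 0  # a non-zero exit code rejects the commit

if __name__ == "__main__" and len(sys.argv) == 3:
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

A pre-commit.cmd wrapper in the hooks directory would call this script with %1 and %2 and pass its exit code back to Subversion.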
10) Recursively set svn:needs-lock property on binaries
If you need to apply svn:needs-lock to binaries that already exist in a repository, do the following on a client (not on the svn server):
- check out the repository
- add the following line to a cmd script:
FOR /R c:\full\path\to\repository %%v in (*.bmp *.gif *.ico *.jpeg *.jpg *.png *.tif *.tiff *.doc *.jar *.odc *.odf *.odg *.odi *.odp *.ods *.odt *.pdf *.ppt *.ser *.swf *.vsd *.xls *.zip) do svn propset svn:needs-lock yes "%%~fv"
- run the script
11) Configure users to automatically use svn:needs-lock property on new binary files
New binary files should have the svn:needs-lock property set; the script of step 9 verifies this. Users can have the property set automatically by configuring their svn client config file.
- Under Windows the SVN config file is "C:\Documents and Settings\[USER_NAME]\Application Data\Subversion\config"
Replace the [miscellany] and [auto-props] sections in the svn config file with the following:
[miscellany]
enable-auto-props = yes

[auto-props]
### The format of the entries is:
###   file-name-pattern = propname[=value][;propname[=value]...]
### The file-name-pattern can contain wildcards (such as '*' and
### '?'). All entries which match will be applied to the file.
### Note that auto-props functionality must be enabled, which
### is typically done by setting the 'enable-auto-props' option.
*.apt = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.c = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.c++ = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.cpp = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.cs = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.css = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.dtd = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.ent = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.fml = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.groovy = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.h = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.h++ = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.hpp = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.html = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.idl = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.include = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.java = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.js = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.jsp = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.ldf = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.ldif = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.mak = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.mdo = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.php = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.rb = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.rtf = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.sql = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.svg = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.t2t = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.vm = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.xhtml = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.xml = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.xsd = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.xsl = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.xslt = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
Makefile = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.launch = svn:eol-style=native
*.MF = svn:eol-style=native
*.properties = svn:eol-style=native
*.script = svn:eol-style=native
*.txt = svn:eol-style=native
*.dsp = svn:eol-style=CRLF
*.dsw = svn:eol-style=CRLF
*.iml = svn:eol-style=LF
*.bat = svn:eol-style=CRLF;svn:executable;svn:keywords=Author Date Id HeadURL Revision
*.cmd = svn:eol-style=CRLF;svn:executable;svn:keywords=Author Date Id HeadURL Revision
*.ksh = svn:eol-style=LF;svn:executable;svn:keywords=Author Date Id HeadURL Revision
*.sh = svn:eol-style=LF;svn:executable;svn:keywords=Author Date Id HeadURL Revision
*.pl = svn:eol-style=native;svn:executable;svn:keywords=Author Date Id HeadURL Revision
*.py = svn:eol-style=native;svn:executable;svn:keywords=Author Date Id HeadURL Revision
*.bmp = svn:mime-type=image/bmp;svn:needs-lock=*
*.gif = svn:mime-type=image/gif;svn:needs-lock=*
*.ico = svn:mime-type=image/x-icon;svn:needs-lock=*
*.jpeg = svn:mime-type=image/jpeg;svn:needs-lock=*
*.jpg = svn:mime-type=image/jpeg;svn:needs-lock=*
*.png = svn:mime-type=image/png;svn:needs-lock=*
*.tif = svn:mime-type=image/tiff;svn:needs-lock=*
*.tiff = svn:mime-type=image/tiff;svn:needs-lock=*
*.doc = svn:mime-type=application/msword;svn:needs-lock=*
*.jar = svn:mime-type=application/octet-stream;svn:needs-lock=*
*.odc = svn:mime-type=application/vnd.oasis.opendocument.chart;svn:needs-lock=*
*.odf = svn:mime-type=application/vnd.oasis.opendocument.formula;svn:needs-lock=*
*.odg = svn:mime-type=application/vnd.oasis.opendocument.graphics;svn:needs-lock=*
*.odi = svn:mime-type=application/vnd.oasis.opendocument.image;svn:needs-lock=*
*.odp = svn:mime-type=application/vnd.oasis.opendocument.presentation;svn:needs-lock=*
*.ods = svn:mime-type=application/vnd.oasis.opendocument.spreadsheet;svn:needs-lock=*
*.odt = svn:mime-type=application/vnd.oasis.opendocument.text;svn:needs-lock=*
*.pdf = svn:mime-type=application/pdf;svn:needs-lock=*
*.ppt = svn:mime-type=application/vnd.ms-powerpoint;svn:needs-lock=*
*.ser = svn:mime-type=application/octet-stream;svn:needs-lock=*
*.swf = svn:mime-type=application/x-shockwave-flash;svn:needs-lock=*
*.vsd = svn:mime-type=application/x-visio;svn:needs-lock=*
*.xls = svn:mime-type=application/vnd.ms-excel;svn:needs-lock=*
*.zip = svn:mime-type=application/zip;svn:needs-lock=*