Subversion configured for Windows Active Directory HTTPS
If you want to set up a Subversion server on a Windows machine that recognizes users from Microsoft Active Directory and uses secure HTTP (HTTPS) to communicate with clients, you can use the following setup as a template for your configuration.
Binary files cannot be easily merged. The lock-modify-unlock versioning model seems to be the only appropriate model for this type of file. This description also includes client-side and server-side configuration to accommodate the lock-modify-unlock model for binary files.
Steps to follow:
1) Download and install Apache 2.2 + OpenSSL from www.apache.org. Use Apache 2.2 rather than Apache 2.0 if you want to connect to Active Directory
2) Download the Apache 2.2 binary compatible version of svn from http://svn.tigris.org
3) Copy all DLLs and modules (.so files) from the subversion/bin directory to the apache2.2/modules directory
4) Copy an existing svn repository or create a new repository
COPY:
cd "c:\program files\subversion\bin"
svnadmin hotcopy //computer/share/subversion/repositories/repo1 c:/subversion/repositories/repo1
CREATE:
svnadmin create c:/subversion/repositories/repo1
5) Create an authorization file: svn.authz
### This file is an example authorization file for svnserve.
### Its format is identical to that of mod_authz_svn authorization
### files.
### As shown below each section defines authorizations for the path and
### (optional) repository specified by the section name.
### The authorizations follow. An authorization line can refer to a
### single user, to a group of users defined in a special [groups]
### section, or to anyone using the '*' wildcard. Each definition can
### grant read ('r') access, read-write ('rw') access, or no access
### ('').

[groups]
group1 = harry,sally
group2 = romeo,julia
group3 = sally,julia

[/]
* = r
@group1 = rw
6) Create a SSL certificate
- Openssl.exe included with this version of Apache does not seem to work well on Windows. In order to create a certificate, you need a well-working version of OpenSSL. For me, the file Openssl-0.9.7e-Win32.zip, for instance from http://support.etouch.net/cm/wiki/support.Downloads.wiki/1021721main_Openssl-0.9.7e-Win32.zip, worked well
- run the following commands
openssl req -config openssl.cnf -new -out svn.example.com.csr
openssl rsa -in privkey.pem -out svn.example.com.key
openssl x509 -in svn.example.com.csr -out svn.example.com.cert -req -signkey svn.example.com.key -days 1000
- copy the resulting *.cert and *.key files to the apache2.2/conf directory
7) Edit apache/conf/httpd.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule ldap_module modules/mod_ldap.so
# mod_authnz_ldap provides "AuthBasicProvider ldap" and the AuthLDAP* directives used below
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ssl_module modules/mod_ssl.so

<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/svn.example.com.cert
    SSLCertificateKeyFile conf/svn.example.com.key
    #<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
    #    SSLOptions +StdEnvVars
    #</FilesMatch>
    #<Directory "C:/Program Files/Apache Group/Apache2/cgi">
    #    SSLOptions +StdEnvVars
    #</Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    #redirect /repos to /repos/
    RedirectMatch ^(/repos)$ $1/

    <Location /repos/>
        DAV svn
        # SVNPath c:/subversion/repositories/repo1
        SVNParentPath c:/subversion/repositories
        SVNListparentPath on
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthName "svn.example.com"
        AuthzSVNAccessFile c:/subversion/repositories/svn.authz
        #at least one of your domain servers listens on port 3268 (besides default ldap port 389)
        #use the server that listens on port 3268 if you have more than one AD server. The service
        #on port 389 uses referrals to the other AD servers. Referrals are used anonymously. Anonymous
        #binding will not work on most AD-servers.
        AuthLDAPURL "ldap://dc.example.nl:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
        #AuthLDAPURL "ldap://dc.example.nl:389/DC=example,DC=com?sAMAccountName??(objectClass=*)"
        AuthLDAPBindDN "CN=apache_bind,CN=users,DC=example,DC=com"
        AuthLDAPBindPassword [password_for_ad_user_apache_bind]
        #AuthLDAPFollowReferrals off
        AuthLDAPGroupAttributeIsDN on
        AuthLDAPGroupAttribute member
        SSLRequireSSL
        #require ldap-group CN=svnusers,CN=Users,DC=example,DC=com
        require valid-user
    </Location>
</VirtualHost>
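An added example, not part of the original page: a small Python audit of two directives from the configuration above. It shows that in OpenSSL cipher-string syntax the "+LOW", "+SSLv2" and "+EXP" tokens only reorder ciphers that "ALL" already enabled, so those classes are still offered, and that AuthLDAPURL as written sends the bind and user passwords to the domain controller without TLS. The WEAK class list and the function names are this example's own assumptions.

```python
import re

# Constructed sample: the two directives audited here, copied from the httpd.conf above.
SAMPLE_CONF = """
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
AuthLDAPURL "ldap://dc.example.nl:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
"""

WEAK = ("LOW", "EXP", "SSLv2", "RC4", "MD5")  # classes to flag: this example's choice


def weak_classes_enabled(spec):
    """Return the WEAK classes an OpenSSL cipher string leaves enabled.
    Class-level approximation: 'ALL' adds every class, '!X' removes X for good,
    '-X' removes it until re-added, '+X' only moves X to the end of the list.
    """
    enabled, killed = set(), set()
    for token in filter(None, spec.split(":")):
        name = token.lstrip("!-+")
        name = "EXP" if name == "EXPORT" else name
        if token[0] == "!":
            killed.add(name)
            enabled.discard(name)
        elif token[0] == "-":
            enabled.discard(name)
        elif token[0] != "+":  # a bare token adds ciphers
            new = set(WEAK) if name == "ALL" else {name} & set(WEAK)
            enabled |= new - killed
    return [c for c in WEAK if c in enabled]


def audit(conf_text):
    """Return findings for the SSLCipherSuite and AuthLDAPURL lines in conf_text."""
    pairs = re.findall(r"^\s*(SSLCipherSuite|AuthLDAPURL)\s+(.+)$", conf_text, re.M | re.I)
    found = {key.lower(): value.strip() for key, value in pairs}
    findings = []
    weak = weak_classes_enabled(found.get("sslciphersuite", ""))
    if weak:
        findings.append("SSLCipherSuite still offers: " + ", ".join(weak))
    # AuthLDAPURL takes an optional trailing mode: NONE, SSL, TLS or STARTTLS.
    m = re.match(r'"?(\S+?)"?(?:\s+(\w+))?\s*$', found.get("authldapurl", ""))
    mode = (m.group(2) or "").upper() if m else ""
    if m and m.group(1).lower().startswith("ldap://") and mode in ("", "NONE"):
        findings.append("AuthLDAPURL is plain ldap:// with no TLS mode")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

A cipher string such as HIGH:!aNULL:!MD5, together with an ldaps:// URL or a TLS mode on AuthLDAPURL, clears both findings.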
8) Apply ldap patch for MS-AD
When a Microsoft Active Directory times out, it sends a TCP RST instead of a TCP FIN to the client. There is a workaround for this MS AD bug in Apache mod_ldap, see http://www.apachelounge.com/forum/viewtopic.php?t=1995 or download http://www.anneb.dds.nl/httpd-2.2.6_ldappatch_win32_vc6.zip
Replace the Apache modules mod_ldap.so and mod_authnz_ldap.so with the files from the downloaded zip file.
This configuration allows you to add more than one repository in the directory c:/subversion/repositories. All repositories are listed in the browser using the URL https://svn.example.com/repos. User names and passwords are validated against Active Directory. Standard svn clients cannot browse the list of repositories. Instead you should use the full path to a particular repository, for instance https://svn.example.com/repos/repo1.
9) Force users to set svn:needs-lock property on new binary files
Binary files cannot be merged. Versioning should follow the lock-modify-unlock model. You can force using this model for binary files with the following pre-commit script as part of the svn repository
- create a pre-commit.cmd script in the repository\hooks directory
@echo off
rem Pre-commit hook: deny the commit when an added binary file lacks svn:needs-lock
set REPOS=%1
set TRANSACTION=%2
set SVNLOOK="c:\Program Files\Subversion\apache2.2\bin\svnlook.exe"
set TEMP=c:\temp
if exist %TEMP%\tempfile%2 del %TEMP%\tempfile%2
rem Write the path of every added (A) item in this transaction to a temp file
for /f "tokens=1,2 usebackq" %%i in (`%SVNLOOK% changed -t %2 %1`) do @if %%i==A @echo %%j >> %TEMP%\tempfile%2
if not exist %TEMP%\tempfile%2 goto NOFILESADDED
rem Each line written by echo above ends in a space, which the "." before "$" matches
for /f "usebackq" %%i in (`findstr /E /I /R "\.bmp.$ \.gif.$ \.ico.$ \.jpeg.$ \.jpg.$ \.png.$ \.tif.$ \.tiff.$ \.doc.$ \.jar.$ \.odt.$ \.pdf.$ \.ppt.$ \.swf.$ \.vsd.$ \.xls.$ \.zip.$" %TEMP%\tempfile%2`) do (
    %SVNLOOK% propget -t %2 %1 svn:needs-lock %%i 1> nul 2> nul
    if ERRORLEVEL 1 (
        echo commit denied, binary files must have property svn:needs-lock >&2
        type %TEMP%\tempfile%2 >&2
        del %TEMP%\tempfile%2
        EXIT /B 1
    )
)
del %TEMP%\tempfile%2
:NOFILESADDED
EXIT /B 0
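The same check as an added Python example, not part of the original page: it parses "svnlook changed" output by column, so added paths that contain spaces are checked as well, and reports each added binary file that lacks svn:needs-lock. It assumes Python 3 on the server, svnlook on PATH, and that pre-commit.cmd would call the script with the repository and transaction arguments; the function names and the sample data are constructed for this example.

```python
import os
import subprocess
import sys

# Extensions that the page's pre-commit.cmd treats as binary.
BINARY_EXT = {".bmp", ".gif", ".ico", ".jpeg", ".jpg", ".png", ".tif", ".tiff", ".doc",
              ".jar", ".odt", ".pdf", ".ppt", ".swf", ".vsd", ".xls", ".zip"}

# Constructed `svnlook changed` output: a directory, two added binaries, an update, a source file.
SAMPLE_CHANGED = ("A   trunk/docs/\nA   trunk/docs/design spec.pdf\n"
                  "A   trunk/img/logo.PNG\nU   trunk/img/old.gif\nA   trunk/src/main.c\n")


def added_paths(changed_output):
    """Return the added file paths listed in `svnlook changed` output.
    The path starts at the fifth column, after the status flags, so slicing
    instead of splitting on whitespace keeps paths that contain spaces.
    """
    return [line[4:] for line in changed_output.splitlines()
            if line.startswith("A") and not line.endswith("/")]


def missing_needs_lock(changed_output, has_needs_lock):
    """Return added binary paths for which has_needs_lock(path) is false."""
    return [path for path in added_paths(changed_output)
            if os.path.splitext(path)[1].lower() in BINARY_EXT
            and not has_needs_lock(path)]


def svnlook_check(svnlook, repos, txn):
    """Build has_needs_lock() from svnlook propget, as the .cmd hook does (exit 0 = set)."""
    def has_needs_lock(path):
        cmd = [svnlook, "propget", "-t", txn, repos, "svn:needs-lock", path]
        return subprocess.call(cmd, stdout=subprocess.DEVNULL,
                               stderr=subprocess.DEVNULL) == 0
    return has_needs_lock


if __name__ == "__main__":
    if len(sys.argv) == 3:  # run as a hook: REPOS TXN
        repos, txn = sys.argv[1:3]
        changed = subprocess.check_output(["svnlook", "changed", "-t", txn, repos], text=True)
        bad = missing_needs_lock(changed, svnlook_check("svnlook", repos, txn))
        for path in bad:
            sys.stderr.write("commit denied, svn:needs-lock missing on: %s\n" % path)
        sys.exit(1 if bad else 0)
    # No arguments: demo on the constructed sample, where only logo.PNG has the property.
    print(missing_needs_lock(SAMPLE_CHANGED, {"trunk/img/logo.PNG"}.__contains__))
```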
10) Recursively set svn:needs-lock property on binaries
If you need to apply svn:needs-lock on already existing binaries in a repository, do the following on a client (not on the svn server):
- checkout a repository
- add the following line to a cmd script:
FOR /R c:\full\path\to\repository %%v in (*.bmp *.gif *.ico *.jpeg *.jpg *.png *.tif *.tiff *.doc *.jar *.odc *.odf *.odg *.odi *.odp *.ods *.odt *.pdf *.ppt *.ser *.swf *.vsd *.xls *.zip) do svn propset svn:needs-lock yes "%%~fv"
- run the script
11) Make sure that users automatically set the svn:needs-lock property on binary files (this is verified by the script of step 9)
All committers should add the following to their svn client config
- under Windows the SVN config file is "C:\Documents and Settings\[USER_NAME]\Application Data\Subversion\config"
[miscellany]
enable-auto-props = yes

[auto-props]
### The format of the entries is:
###   file-name-pattern = propname[=value][;propname[=value]...]
### The file-name-pattern can contain wildcards (such as '*' and
### '?'). All entries which match will be applied to the file.
### Note that auto-props functionality must be enabled, which
### is typically done by setting the 'enable-auto-props' option.
*.apt = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.c = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.c++ = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.cpp = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.cs = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.css = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.dtd = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.ent = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.fml = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.groovy = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.h = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.h++ = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.hpp = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.html = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.idl = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.include = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.java = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.js = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.jsp = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.ldf = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.ldif = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.mak = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.mdo = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.php = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.rb = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.rtf = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.sql = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.svg = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.t2t = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.vm = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.xhtml = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.xml = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.xsd = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.xsl = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.xslt = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
Makefile = svn:eol-style=native;svn:keywords=Author Date Id HeadURL Revision
*.launch = svn:eol-style=native
*.MF = svn:eol-style=native
*.properties = svn:eol-style=native
*.script = svn:eol-style=native
*.txt = svn:eol-style=native
*.dsp = svn:eol-style=CRLF
*.dsw = svn:eol-style=CRLF
*.iml = svn:eol-style=LF
*.bat = svn:eol-style=CRLF;svn:executable;svn:keywords=Author Date Id HeadURL Revision
*.cmd = svn:eol-style=CRLF;svn:executable;svn:keywords=Author Date Id HeadURL Revision
*.ksh = svn:eol-style=LF;svn:executable;svn:keywords=Author Date Id HeadURL Revision
*.sh = svn:eol-style=LF;svn:executable;svn:keywords=Author Date Id HeadURL Revision
*.pl = svn:eol-style=native;svn:executable;svn:keywords=Author Date Id HeadURL Revision
*.py = svn:eol-style=native;svn:executable;svn:keywords=Author Date Id HeadURL Revision
*.bmp = svn:mime-type=image/bmp;svn:needs-lock=*
*.gif = svn:mime-type=image/gif;svn:needs-lock=*
*.ico = svn:mime-type=image/x-icon;svn:needs-lock=*
*.jpeg = svn:mime-type=image/jpeg;svn:needs-lock=*
*.jpg = svn:mime-type=image/jpeg;svn:needs-lock=*
*.png = svn:mime-type=image/png;svn:needs-lock=*
*.tif = svn:mime-type=image/tiff;svn:needs-lock=*
*.tiff = svn:mime-type=image/tiff;svn:needs-lock=*
*.doc = svn:mime-type=application/msword;svn:needs-lock=*
*.jar = svn:mime-type=application/octet-stream;svn:needs-lock=*
*.odc = svn:mime-type=application/vnd.oasis.opendocument.chart;svn:needs-lock=*
*.odf = svn:mime-type=application/vnd.oasis.opendocument.formula;svn:needs-lock=*
*.odg = svn:mime-type=application/vnd.oasis.opendocument.graphics;svn:needs-lock=*
*.odi = svn:mime-type=application/vnd.oasis.opendocument.image;svn:needs-lock=*
*.odp = svn:mime-type=application/vnd.oasis.opendocument.presentation;svn:needs-lock=*
*.ods = svn:mime-type=application/vnd.oasis.opendocument.spreadsheet;svn:needs-lock=*
*.odt = svn:mime-type=application/vnd.oasis.opendocument.text;svn:needs-lock=*
*.pdf = svn:mime-type=application/pdf;svn:needs-lock=*
*.ppt = svn:mime-type=application/vnd.ms-powerpoint;svn:needs-lock=*
*.ser = svn:mime-type=application/octet-stream;svn:needs-lock=*
*.swf = svn:mime-type=application/x-shockwave-flash;svn:needs-lock=*
*.vsd = svn:mime-type=application/x-visio;svn:needs-lock=*
*.xls = svn:mime-type=application/vnd.ms-excel;svn:needs-lock=*
*.zip = svn:mime-type=application/zip;svn:needs-lock=*