available here: Subversion with Apache and LDAP: Updated
More and more companies are using directory services for housing their user credentials and information. Example directory services are Active Directory, eDirectory and OpenLDAP. How does this relate to Subversion? Well, in the enterprise deployments I’ve been involved with, most clients wanted to harness their existing directory services for their Subversion authentication. This blog post will explain the simplicity of hooking up Apache to your directory service using mod_auth_ldap, giving you the ability to authenticate against your existing user data store.
As of now, the only way to utilize your directory service for authentication is by using Apache as your network layer. This lets you use any of the authentication options available to Apache for your Subversion authentication, and with mod_auth_ldap, Apache can authenticate against your directory service for Subversion.
Before we start modifying our Apache configuration file, let's look at the simplest Location directive possible for exposing a Subversion repository via Apache:
<Location /repos>
    # Enable Subversion
    DAV svn
    # Directory containing all repositories for this path
    SVNParentPath /absolute/path/to/directory/containing/your/repositories
</Location>
Now let's modify this to add mod_auth_ldap support for the authentication portion of the Location directive above:
<Location /repos>
    # Enable Subversion
    DAV svn
    # Directory containing all repositories for this path
    SVNParentPath /absolute/path/to/directory/containing/your/repositories
    # LDAP Authentication & Authorization is final; do not check other databases
    AuthLDAPAuthoritative on
    # Do basic password authentication in the clear
    # Basic sends the password base64-encoded, not encrypted: serve this Location over HTTPS
    AuthType Basic
    # The name of the protected area or "realm"
    AuthName "Your Subversion Repository"
    # Active Directory requires an authenticating DN to access records
    # This is the DN used to bind to the directory service
    # This is an Active Directory user account
    AuthLDAPBindDN "CN=someuser,CN=Users,DC=your,DC=domain"
    # This is the password for the AuthLDAPBindDN user in Active Directory
    # It is stored in plain text, so restrict read access to this configuration file
    AuthLDAPBindPassword somepassword
    # The LDAP query URL
    # Format: scheme://host:port/basedn?attribute?scope?filter
    # The URL below will search for all objects recursively below the basedn
    # and validate against the sAMAccountName attribute
    # ldap:// on port 389 is unencrypted; the scheme may also be ldaps:// for LDAP over SSL
    AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
    # Require authentication for this Location
    Require valid-user
</Location>
Use the in-line comments in the code above to better understand the Apache configuration directives for mod_auth_ldap. With the above example (which you need to modify for your environment) you can have Apache authenticate your Subversion users against your Active Directory directory service. The above will also work for other directory services but with minor modifications in the AuthLDAPURL. For more information, you can consult the mod_auth_ldap documentation linked to in the first paragraph. Although this post is short, I hope it adds value to those who read it.
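To make the AuthLDAPURL format in the configuration above concrete, here is an added example (not part of the original post or of mod_auth_ldap) that splits the URL into its fields and builds the user search it implies. It assumes the defaults and the `(&(filter)(attribute=username))` form given in the mod_auth_ldap documentation; the function names and the login name `jdoe` are hypothetical.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# RFC 4515: characters that must be escaped inside a filter value.
RFC4515 = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into a dict."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % u.scheme)
    # Everything after the first '?' is attribute?scope?filter; pad missing fields.
    attribute, scope, ldap_filter = (u.query.split("?", 2) + ["", "", ""])[:3]
    return {
        "scheme": u.scheme,
        "host": u.hostname,
        "port": u.port or DEFAULT_PORTS[u.scheme],
        "basedn": unquote(u.path.lstrip("/")),
        "attribute": attribute or "uid",   # documented default
        "scope": scope or "sub",           # documented default
        "filter": unquote(ldap_filter) or "(objectClass=*)",
    }

def effective_filter(cfg, username):
    """Search used to find the user's entry: (&(filter)(attribute=username))."""
    safe = "".join(RFC4515.get(ch, ch) for ch in username)
    # This example accepts the filter with or without its outer parentheses.
    base = cfg["filter"] if cfg["filter"].startswith("(") else "(%s)" % cfg["filter"]
    return "(&%s(%s=%s))" % (base, cfg["attribute"], safe)

def review(cfg):
    """Return deployment notes for the parsed URL."""
    notes = []
    if cfg["scheme"] == "ldap":
        notes.append("ldap:// sends bind and user passwords unencrypted; use ldaps://")
    if cfg["filter"] == "(objectClass=*)":
        notes.append("filter matches every entry under the base DN; restrict it to user objects")
    return notes

# The AuthLDAPURL value from the configuration above.
PAGE_URL = "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"

if __name__ == "__main__":
    cfg = parse_auth_ldap_url(PAGE_URL)
    print(cfg)
    print(effective_filter(cfg, "jdoe"))  # "jdoe" is a constructed login name
    for note in review(cfg):
        print("NOTE:", note)
```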