Windows Domain Authentication with SVN and Apache

In Uncategorized by timfanelli

I just finished setting up domain based authentication on our new SVN server here at work, so I thought I’d post my notes on the process and links to what you’ll need – since I found that the information was pretty disparate.

First, a list of what I used and what you’ll need:

  • Subversion – obviously. I used version 1.2.3
  • Apache Web Server – I used version 2.0.55
  • mod_auth_sspi 1.0.3 – This has always been hard to come by and there have always been various patches of it floating around. This place is a unified attempt to bring all the patches together, and it works very well. Grab the one for the appropriate version of Apache2.

I will assume that you’ve already installed both Apache 2.0.55 and SVN 1.2.3. If you haven’t, please do so and then come back — the installation for both of them is very simple and will only take you a few minutes to complete.

Step 1: mod_dav and mod_dav_svn

The first step to accessing SVN via Apache is to set up WebDAV. To do this, copy

C:\Program Files\Subversion\bin\mod_dav_svn.so

to:

C:\Program Files\Apache Group\Apache2\modules

Next edit your httpd.conf file, and add the following content:

LoadModule dav_module         	modules/mod_dav.so
LoadModule dav_svn_module 	modules/mod_dav_svn.so

<Location /svn>
	DAV svn
	SVNParentPath "/path/to/repositories"		
</Location>

This example uses SVNParentPath to point to the parent folder of multiple SVN repositories. If you set it to C:\repositories, then any directory you create under it, such as C:\repositories\ProjectA, is accessible under the /svn URL, like so: http://localhost/svn/ProjectA. If you only have 1 repository, or do not plan to use multiple repositories, you could use the SVNPath directive instead, and point it directly to your SVN repository. This approach is more flexible though, and allows for expansion without changing your configuration files.

mod_auth_sspi and mod_authz_svn

The next step is to enable domain based authentication and access control to your SVN repositories. Copy:

C:\Program Files\Subversion\bin\mod_authz_svn.so

to

C:\Program Files\Apache Group\Apache2\modules

And edit your httpd.conf file again to look like this:

LoadModule dav_module 		modules/mod_dav.so
LoadModule dav_svn_module 	modules/mod_dav_svn.so
LoadModule authz_svn_module 	modules/mod_authz_svn.so 
LoadModule sspi_auth_module 	modules/mod_auth_sspi.so

<Location /svn>
	DAV svn
	SVNParentPath "D:/Engineering/svn/repos"	

	AuthName "My SVN Server"
	
	AuthType SSPI
	SSPIAuth On
	SSPIOmitDomain On
	SSPIAuthoritative On
	SSPIDomain DOMAINNAME

	Require valid-user
	AuthzSVNAccessFile "C:/repositories/svnaccess.txt"	
</Location>

You can see that we’ve added two modules, and several lines to our Location /svn element. Set the SSPIDomain appropriately for the domain you want to authenticate against. SSPIOmitDomain On allows you to authenticate against the domain without specifying it as an explicit prefix. You can turn that off if you like, but it’s simpler to just leave it on.

We also add an AuthzSVNAccessFile directive that names the file we store our authorization information in, which leads us to:

AuthzSVNAccessFile

The AuthzSVNAccessFile specifies a plain text file that identifies which repositories users have access to. It’s simple to set up. Here’s an example:

[groups]
developers=Tom,Dick,Harry,Sally,Sue
managers=Bill,Jean,Marry,Bob,Dave

[repositoryname:path]
@developers = rw
@managers = r
Bill = rw

Replace repositoryname with the name of your repository, which is a subdirectory under the path you specified in the SVNParentPath directive, and path with the path you’re modifying, such as / for the whole repository, or /branches/Bill for a specific branch. In this example, we’ve given the group developers read-write access, the managers group read access, and explicitly given Bill read-write access (he’s a manager).
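
An added example, not part of the original post: a simplified Python model of how an access file like the one above is evaluated, useful for checking who ends up with write access before you deploy the file. It assumes a repository named ProjectA, adds one constructed rule for /branches/Bill, and assumes that the nearest section naming the user wins and that grants from matching lines in that section are combined; it covers only [repository:path] sections with user, @group and * entries.

```python
import configparser
# Constructed sample: the access file above with an assumed repository name
# (ProjectA) and one extra, constructed rule for /branches/Bill.
SAMPLE = """
[groups]
developers=Tom,Dick,Harry,Sally,Sue
managers=Bill,Jean,Marry,Bob,Dave

[ProjectA:/]
@developers = rw
@managers = r
Bill = rw

[ProjectA:/branches/Bill]
@developers = r
"""

def load(text):
    """Parse an access file into (groups, rules); names stay case-sensitive."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # do not lowercase user or group names
    cp.read_string(text)
    raw = dict(cp["groups"]) if cp.has_section("groups") else {}
    groups = {g: {u.strip() for u in m.split(",") if u.strip()} for g, m in raw.items()}
    rules = {s: dict(cp[s]) for s in cp.sections() if s != "groups"}
    return groups, rules

def matches(entry, user, groups):
    """True if an entry ('*', '@group' or a user name) applies to user."""
    if entry == "*":
        return True
    if entry.startswith("@"):
        return user in groups.get(entry[1:], set())
    return entry == user

def access(user, repo, path, groups, rules):
    """Effective access ('', 'r' or 'rw'): nearest section naming the user wins."""
    path = "/" + path.strip("/")
    while True:
        section = rules.get(f"{repo}:{path}", {})
        hits = [v for k, v in section.items() if matches(k, user, groups)]
        if hits:  # grants from all matching lines in this section are combined
            return "".join(c for c in "rw" if c in "".join(hits))
        if path == "/":
            return ""  # no rule applies to this user: no access
        path = path.rsplit("/", 1)[0] or "/"

GROUPS, RULES = load(SAMPLE)
```

In this model a user name that differs only in case from the entry in the file (bill versus Bill) gets no access, so the names in the file must match exactly what the authentication layer passes on.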

Conclusion

You should now have web-based access to your SVN repository using domain based authentication! It’s a good idea at this point to further protect the repository using an SSL configuration, which I won’t cover here. I have some notes on it for an Apple platform that may be useful here – I’ll cover it explicitly for a Windows installation in another post though, hopefully sometime soon.
