SVN visual management iF.SVNAdmin+LDAP authentication

There are many SVN management tools, such as SVNAdmin2.0 and svnWebUI. These two have more attractive interfaces, but currently only iF.SVNAdmin integrates with LDAP. This article explains how to use iF.SVNAdmin in an LDAP environment.

Preface: Introduction to the Environment

Software    Version
CentOS      7.6
SVN         1.7.14
HTTPD       2.4.6-97
PHP         5.4.16
SVNAdmin    1.6.2

One, iF.SVNAdmin

In the current environment the SVN server is already installed, and its path is /data/svn.

1, iF.SVNAdmin installation

# yum install httpd subversion php php-ldap mod_ldap php-json php-xml php-pdo mod_ssl mod_dav_svn -y

# cd /usr/src && wget https://udomain.dl.sourceforge.net/project/ifsvnadmin/svnadmin-1.6.2.zip --no-check-certificate
# unzip svnadmin-1.6.2.zip
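# mv svnadmin-1.6.2 /var/www/html/svnadmin
# chmod -R 777 /var/www/html/svnadmin/data/

# chown -R apache:apache /var/www/html/svnadmin/
# chown -R apache:apache /data/svn/
# systemctl enable httpd
# systemctl start httpd

Because the tree is then chowned to apache:apache, the data directory only needs to be writable by that user; mode 777 also lets every local account modify it. The --no-check-certificate flag on the wget command disables TLS certificate validation for the download.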

2, iF.SVNAdmin deployment

1. Web interface initialization configuration

Open http://10.10.1.30:8085/svnadmin/ in a browser to initialize the configuration. I have currently changed the HTTP listening port to 8085.

2. LDAP configuration


3. LDAP user and group permission settings

3.1 Add access path



3.2 Add access project permissions to users or groups


3.3 Cancel the user's access to the project


4. Role division of iF.SVNAdmin

When we enable LDAP, remember to grant super administrator privileges to at least one LDAP user, so that we are not left with an initial admin account that cannot log in again after logging out. You can grant LDAP users permission to log in to the iF.SVNAdmin management system. There are two roles we commonly use: super administrator and access path administrator. An access path administrator is a role that grants users access to a project.

Two, Configuring LDAP authentication for SVN

This covers the scenario where SVN is accessed over HTTP through an Apache proxy. In this scenario, SVN access goes over HTTP and is authenticated by Apache, so it is only necessary to integrate LDAP authentication into Apache to give SVN LDAP authentication.

1. Apache configuration

# cat /etc/httpd/conf.d/subversion.conf 

LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

LoadModule auth_basic_module  modules/mod_auth_basic.so
LoadModule authn_file_module  modules/mod_authn_file.so
LoadModule authz_user_module  modules/mod_authz_user.so

<Location /repos>
   DAV svn
   SVNParentPath /data/svn

   #<LimitExcept GET PROPFIND OPTIONS REPORT>
      AuthType Basic
      AuthName "Subversion repository"
      AuthzSVNAccessFile /data/svn/test/conf/authz
      AuthBasicProvider ldap 
      #AuthzLDAPAuthoritative on 
      AuthLDAPURL "ldap://10.10.1.30:389/dc=qualitysphere,dc=github,dc=io?uid?sub?(objectclass=*)"
      AuthLDAPBindDN "cn=admin,dc=qualitysphere,dc=github,dc=io"
      AuthLDAPBindPassword "123456"
 
      Require ldap-user
   #</LimitExcept>
</Location>
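
A small audit of the configuration above, as an added example that is not part of the original post: it parses each <Location> block and flags the three places where this setup exposes credentials in clear text (plain ldap:// bind, a literal AuthLDAPBindPassword, Basic auth with no SSLRequireSSL). The function names and finding labels are assumptions made for the example, and the embedded sample is constructed from the page's own authentication directives.

```python
import re
import shlex

# Constructed sample: authentication directives from this page's <Location /repos> block.
SAMPLE_CONF = """
<Location /repos>
   AuthType Basic
   AuthBasicProvider ldap
   AuthLDAPURL "ldap://10.10.1.30:389/dc=qualitysphere,dc=github,dc=io?uid?sub?(objectclass=*)"
   AuthLDAPBindDN "cn=admin,dc=qualitysphere,dc=github,dc=io"
   AuthLDAPBindPassword "123456"
   Require ldap-user
</Location>
"""

def parse_locations(text):
    """Return {path: {directive_lowercase: [args]}} for each <Location> block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directives
        opened = re.match(r"<Location\s+(.+?)>$", line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1).strip('"'), {})
        elif line.lower().startswith("</location"):
            current = None
        elif current is not None and not line.startswith("<"):
            name, *args = shlex.split(line)
            current[name.lower()] = args
    return blocks

def audit(text):
    """Return (location, finding) pairs for credentials exposed in clear text."""
    findings = []
    for path, d in parse_locations(text).items():
        url, *mode = d.get("authldapurl") or [""]
        # ldap:// is only encrypted when the optional mode argument asks for TLS
        encrypted = bool(mode) and mode[0].upper() in ("SSL", "TLS", "STARTTLS")
        if url.lower().startswith("ldap://") and not encrypted:
            findings.append((path, "ldap-bind-in-cleartext"))
        # an "exec:" value makes httpd run a program to obtain the password
        password = (d.get("authldapbindpassword") or [""])[0]
        if password and not password.startswith("exec:"):
            findings.append((path, "bind-password-literal-in-config"))
        # SSLRequireSSL is the per-location check; a TLS-only vhost is not visible here
        if (d.get("authtype") or [""])[0].lower() == "basic" and "sslrequiressl" not in d:
            findings.append((path, "basic-auth-without-sslrequiressl"))
    return findings
```

Calling audit() on the text of /etc/httpd/conf.d/subversion.conf returns one tuple per finding; an empty list means none of the three conditions was found in any <Location> block.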

2. Test verification


3. Summary

  1. Once LDAP is synchronized, the original local accounts and groups are cleared, leaving only the users and groups in LDAP. Even if you add access rights for other users directly in the auth file and then access the repository through the svn protocol, these entries are cleaned up as soon as you synchronize.
  2. Permission control in iF.SVNAdmin is not fine-grained enough. Currently, an access path administrator can set access permissions on all projects. Normally we want to authorize a given user to manage a given project, so that a project leader can conveniently be given control over that project's permissions.
  3. If your LDAP database has more than 1000 users and groups, but you only receive 1001 entities, you need to update your PHP version to 5.4. Previous PHP versions did not support fetching more than 1001 entities from an LDAP server.

Reference:
https://blog.csdn.net/qq_25854057/article/details/125296480
http://svnadmin.insanefactory.com/documentation/#ldap


Origin blog.csdn.net/qq_25854057/article/details/125801220