SVN integrated LDAP authentication

This page describes how to integrate SVN authentication with LDAP. There are currently two ways to do it: one is to access SVN directly through the svnserve port and let svnserve authenticate via SASL against LDAP; the other is to access SVN through Apache over HTTP and let Apache authenticate against LDAP. In the author's testing, however, the SASL method only worked with OpenLDAP and SVN on the same server; authentication against a remote LDAP server failed.

1. Using SASL

SASL, in full Simple Authentication and Security Layer, is a mechanism for adding pluggable authentication methods to client/server (C/S) protocols.

1. Install SASL

# yum install -y *sasl*

2. Configuration file modification

# vim /etc/sysconfig/saslauthd
......
MECH=ldap              # change only this line
......
# vim /etc/saslauthd.conf  # create it if it does not exist
servers: ldap://10.10.1.25
ldap_bind_dn: cn=admin,dc=qualitysphere,dc=github,dc=io
ldap_bind_pw: 123456
ldap_search_base: dc=qualitysphere,dc=github,dc=io
ldap_filter: uid=%U
ldap_password_attr: userPassword
# vim /etc/sasl2/svn.conf   # create it if missing, with the following content
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

3. Account test verification

# systemctl start saslauthd
# systemctl enable saslauthd

Test an LDAP account against saslauthd:

# testsaslauthd -ufeb -p123654
0: OK "Success."

4. SVN configuration modification

  • Modify the repository configuration

A repository created with svnadmin has a configuration file conf/svnserve.conf. Edit this file and set use-sasl = true to enable SASL:

# cat /data/svnserver/test/conf/svnserve.conf 
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
[sasl]
use-sasl = true    ## just add this line

Once SASL/LDAP authentication is enabled, the original password file conf/passwd no longer takes effect, but permission control is still configured in the authz file. Note that saslauthd only supports plaintext mechanisms (PLAIN and LOGIN), which provide no SASL security layer, so over a plain svn:// connection the user's password crosses the network in cleartext; restrict svn:// to a trusted network or tunnel it (svn+ssh).

  • Restart svnserve and test a login with an LDAP account

2. Use Apache integration

This covers the scenario where SVN is accessed through Apache over HTTP. Here SVN access goes through HTTP and is authenticated by Apache, so it is only necessary to integrate LDAP authentication in Apache to get LDAP authentication for SVN.

1. Install HTTP

# yum -y install httpd mod_dav_svn mod_ldap   ## mod_ldap provides mod_ldap.so and mod_authnz_ldap.so, needed for the LDAP configuration below

2. Configuration file modification

Here /data/svnserver is the root directory for the repository files, and test is a repository created under it with svnadmin; svnserve is started for that root with svnserve -d -r /data/svnserver.

1. HTTP protocol configuration

Access over HTTP, authenticating with an account and password from an htpasswd file; this configuration is not yet integrated with LDAP.

  • Create an HTTP account; SVN logins over HTTP then authenticate with this account (use htpasswd -c the first time, when /etc/svn/svnusers.conf does not exist yet):
# htpasswd -m /etc/svn/svnusers.conf feb
  • HTTP configuration
# cat /etc/httpd/conf.d/subversion.conf

LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

<Location /repos>
   DAV svn
   SVNParentPath /data/svnserver

   #<LimitExcept GET PROPFIND OPTIONS REPORT>
      AuthType Basic
      AuthName "Authorization Realm"
      AuthUserFile /etc/svn/svnusers.conf
      AuthzSVNAccessFile /data/svnserver/test/conf/authz
      Require valid-user
   #</LimitExcept>
</Location>

2. LDAP integration configuration

# vim /etc/httpd/conf.d/subversion.conf

LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

<Location /repos>
   DAV svn
   SVNParentPath /data/svnserver

   #<LimitExcept GET PROPFIND OPTIONS REPORT>
      AuthType Basic
      AuthName "Subversion repository"
      AuthzSVNAccessFile /data/svnserver/test/conf/authz
      AuthBasicProvider ldap
      ## AuthzLDAPAuthoritative on   ## httpd 2.2 only: the directive was removed in 2.4 and makes httpd -t fail with "Invalid command"
      AuthLDAPURL "ldap://10.10.1.25:389/dc=qualitysphere,dc=github,dc=io?uid?sub?(objectclass=*)"
      AuthLDAPBindDN "cn=admin,dc=qualitysphere,dc=github,dc=io"
      AuthLDAPBindPassword "123456"

      Require valid-user   ## any user that authenticates against LDAP; "Require ldap-user" needs an explicit list of uids and matches nobody without one
   #</LimitExcept>
</Location>

The configuration above keeps all projects under one repository root directory; SVNParentPath names that directory, and every repository below it is served under /repos/.

If a particular project should not be exposed this way, SVNPath can be used instead to configure each project separately:

<Location /test>
   DAV svn
   SVNPath /data/svnserver/test               # the difference is this line

   #<LimitExcept GET PROPFIND OPTIONS REPORT>
      AuthType Basic
      AuthName "Subversion repository"
      AuthzSVNAccessFile /data/svnserver/test/conf/authz
      AuthBasicProvider ldap
      ## AuthzLDAPAuthoritative on   ## httpd 2.2 only: removed in 2.4
      AuthLDAPURL "ldap://10.10.1.30:389/dc=qualitysphere,dc=github,dc=io?uid?sub?(objectclass=*)"
      AuthLDAPBindDN "cn=admin,dc=qualitysphere,dc=github,dc=io"
      AuthLDAPBindPassword "123456"

      Require valid-user   ## "Require ldap-user" without a uid list matches nobody
   #</LimitExcept>
</Location>

## /data/svnserver is the SVN root path
## Accessing http://ip/test/ is equivalent to accessing the resources of the test project directly. This differs from the unified-directory access above, where the URL needs repos/ followed by the project resource.

Once Apache handles authentication, the conf/passwd file in each repository no longer takes effect; accounts come from the file named by AuthUserFile. After switching to LDAP, authentication is performed against LDAP, while authorization still comes from the file named by AuthzSVNAccessFile, which should already have been set up when Apache+SVN was configured. Note that as written, both the HTTP Basic credentials (between client and Apache) and the LDAP bind (between Apache and the directory) travel in cleartext: in production serve the repository over HTTPS, point AuthLDAPURL at ldaps://, and use a dedicated read-only bind account instead of cn=admin, since the bind password sits in plaintext in subversion.conf.
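The following is an added example, not code from the original post: a small static checker for the two configurations this page sets up, the svnserve.conf from the SASL section and the Apache LDAP Location block from this section. The sample configurations are constructed inline to mirror the page; the hardened variant uses a hypothetical LDAPS host (ldap.example.internal), a hypothetical read-only bind account (cn=svn-reader) and a hypothetical password helper (/etc/httpd/svn-ldap-bindpw), none of which appear in the original.

```python
import configparser
import shlex

# Constructed sample: the svnserve.conf from the SASL section of this page.
SVNSERVE_CONF = """\
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
[sasl]
use-sasl = true
"""

# Constructed sample: the Apache <Location> block as shown on this page.
APACHE_CONF_AS_SHOWN = """\
<Location /repos>
   DAV svn
   SVNParentPath /data/svnserver
   AuthType Basic
   AuthName "Subversion repository"
   AuthzSVNAccessFile /data/svnserver/test/conf/authz
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative on
   AuthLDAPURL "ldap://10.10.1.25:389/dc=qualitysphere,dc=github,dc=io?uid?sub?(objectclass=*)"
   AuthLDAPBindDN "cn=admin,dc=qualitysphere,dc=github,dc=io"
   AuthLDAPBindPassword "123456"
   Require ldap-user
</Location>
"""

# Constructed hardened variant (hypothetical host, bind account and password helper).
APACHE_CONF_HARDENED = """\
<Location /repos>
   DAV svn
   SVNParentPath /data/svnserver
   AuthType Basic
   AuthName "Subversion repository"
   AuthzSVNAccessFile /data/svnserver/test/conf/authz
   AuthBasicProvider ldap
   AuthLDAPURL "ldaps://ldap.example.internal/dc=qualitysphere,dc=github,dc=io?uid?sub?(objectclass=*)"
   AuthLDAPBindDN "cn=svn-reader,ou=services,dc=qualitysphere,dc=github,dc=io"
   AuthLDAPBindPassword "exec:/etc/httpd/svn-ldap-bindpw"
   Require valid-user
</Location>
"""


def check_svnserve(text):
    """Return findings for an svnserve.conf; an empty list means nothing to flag."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    if cp.get("general", "anon-access", fallback="read") != "none":
        findings.append("anon-access is not none: unauthenticated read access is allowed")
    if cp.get("sasl", "use-sasl", fallback="false").lower() != "true":
        findings.append("use-sasl is not true: svnserve still authenticates against conf/passwd")
    elif cp.getint("sasl", "min-encryption", fallback=0) == 0:
        # saslauthd only offers PLAIN/LOGIN, which carry no SASL security layer.
        findings.append("min-encryption is 0: PLAIN/LOGIN via saslauthd send the password in cleartext over svn://")
    return findings


def parse_location(text):
    """Parse the directives of one <Location> block into {name_lower: [args, ...]}."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":      # skip comments and the <Location> tags
            continue
        parts = shlex.split(line)            # shlex keeps quoted arguments intact
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def check_apache(text, served_over_https):
    """Return findings for an Apache LDAP Location block as configured on this page."""
    d = parse_location(text)
    findings = []
    if "authzldapauthoritative" in d:
        findings.append("AuthzLDAPAuthoritative was removed in httpd 2.4: httpd -t fails with 'Invalid command'")
    for args in d.get("authldapurl", []):
        tls_mode = args[1].upper() if len(args) > 1 else "NONE"
        if args and args[0].lower().startswith("ldap://") and tls_mode not in ("TLS", "STARTTLS"):
            findings.append("AuthLDAPURL is plain ldap:// with no TLS mode: bind and user passwords cross the network in cleartext")
    for args in d.get("authldapbinddn", []):
        if args and args[0].lower().startswith("cn=admin,"):
            findings.append("AuthLDAPBindDN is the directory admin: use a dedicated read-only bind account")
    for args in d.get("authldapbindpassword", []):
        if args and not args[0].startswith("exec:"):
            findings.append("AuthLDAPBindPassword is a literal in the config: restrict the file or use exec: (httpd 2.4.5+)")
    for args in d.get("require", []):
        if args == ["ldap-user"]:
            findings.append("'Require ldap-user' without a user list matches nobody: use 'Require valid-user' or list uids")
    if any(a and a[0].lower() == "basic" for a in d.get("authtype", [])) and not served_over_https:
        findings.append("AuthType Basic over plain HTTP: credentials are only base64-encoded; serve the repository over HTTPS")
    return findings


if __name__ == "__main__":
    for name, findings in (("svnserve.conf", check_svnserve(SVNSERVE_CONF)),
                           ("subversion.conf as shown", check_apache(APACHE_CONF_AS_SHOWN, False)),
                           ("subversion.conf hardened", check_apache(APACHE_CONF_HARDENED, True))):
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run against the page's own block, the checker reports six findings; against the hardened variant served over HTTPS it reports none. Apache only reads the bind password through exec: from 2.4.5 onward; on older builds keep the literal but make subversion.conf readable only by root and the httpd user.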

3. Test verification

(Screenshot of the LDAP account logging in through Apache, not reproduced here.)

3. Summary

  In actual verification, the SASL integration method required LDAP and SVN to be on the same server, but in production they are basically always deployed on separate servers, so the Apache integration is the way to choose for managing SVN with LDAP. In addition, neither method can use LDAP groups; only the LDAP account and password are used for authentication, and permission groups still need to be configured separately in the SVN authz file.
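Since neither method consults LDAP groups, the usual way to keep group membership in the directory is to regenerate the [groups] section of the authz file from an LDAP export. The script below is an added example, not from the original post, and goes beyond what the page shows: it parses the LDIF that ldapsearch prints for groupOfNames entries and renders a Subversion authz file with the path rules supplied by the caller. The LDIF, the group names (dev, qa), the ou=groups and ou=people containers and the extra uids are all constructed for the example.

```python
import base64
import re

# Constructed LDIF, as ldapsearch -LLL -b ou=groups,dc=qualitysphere,dc=github,dc=io
# '(objectClass=groupOfNames)' cn member would print for two hypothetical groups.
SAMPLE_LDIF = """\
dn: cn=dev,ou=groups,dc=qualitysphere,dc=github,dc=io
cn: dev
member: uid=feb,ou=people,dc=qualitysphere,dc=github,dc=io
member: uid=alice,ou=people,dc=qualitysphere,dc=github,dc=io

dn: cn=qa,ou=groups,dc=qualitysphere,dc=github,dc=io
cn: qa
member: uid=bob,ou=people,dc=qualitysphere,dc=github,dc=io
member: uid=feb,ou=people,dc=qualitysphere,dc=github,dc=io
"""

# Conservative allowlist for names written into the authz file, so a directory
# entry cannot inject section headers or extra rules.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lower: [values]}; handles folded lines and base64 (::) values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def uid_from_dn(dn):
    """Return the uid RDN value of a member DN, or None if the DN does not start with uid=."""
    m = re.match(r"\s*uid=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else None


def ldap_groups(entries):
    """Map group cn -> sorted member uids; members without a uid RDN (e.g. service accounts) are dropped."""
    groups = {}
    for entry in entries:
        if "cn" not in entry:
            continue
        uids = {u for u in (uid_from_dn(m) for m in entry.get("member", [])) if u}
        groups[entry["cn"][0]] = sorted(uids)
    return groups


def render_authz(groups, path_rules):
    """Render an authz file: [groups] from LDAP plus path_rules = {"repo:/path": [(who, perm), ...]}."""
    out = ["[groups]"]
    for name in sorted(groups):
        if not SAFE_NAME.match(name) or not all(SAFE_NAME.match(u) for u in groups[name]):
            raise ValueError(f"unsafe group or member name in group {name!r}")
        out.append(f"{name} = {', '.join(groups[name])}")
    for path, rules in path_rules.items():
        out.append("")
        out.append(f"[{path}]")
        for who, perm in rules:
            out.append(f"{who} = {perm}".rstrip())
    return "\n".join(out) + "\n"


def build_authz(ldif_text, path_rules):
    """LDIF text in, complete authz file text out."""
    return render_authz(ldap_groups(parse_ldif(ldif_text)), path_rules)


if __name__ == "__main__":
    # @group refers to a [groups] entry; "* =" denies everyone not matched above.
    rules = {"test:/": [("@dev", "rw"), ("@qa", "r"), ("*", "")]}
    print(build_authz(SAMPLE_LDIF, rules), end="")
```

Feed the script the output of ldapsearch (over ldaps, with the same read-only bind account Apache uses) from cron and write the result to the file named by AuthzSVNAccessFile or authz-db; Subversion re-reads the authz file when it is consulted, so membership changes take effect without restarting httpd or svnserve.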

Origin blog.csdn.net/qq_25854057/article/details/125296480