How to integrate SVN authentication with LDAP

There are currently two ways to do the integration. One is to keep accessing SVN directly through the svnserve port (svn://) and let svnserve authenticate through SASL, with saslauthd checking the credentials against LDAP. The other is to access SVN through Apache over HTTP: Apache authenticates the user, so the LDAP integration only has to be configured on Apache. In the author's testing the SASL approach only worked when OpenLDAP and SVN ran on the same server; authenticating against a remote LDAP server did not work.
1. Using SASL
SASL (Simple Authentication and Security Layer) is a client/server framework that lets a network protocol plug in authentication mechanisms instead of implementing its own. svnserve speaks SASL, and the saslauthd daemon configured below is the piece that checks the supplied credentials against LDAP.
1. Install SASL
# yum install -y *sasl*
(On CentOS 7 the packages actually needed are cyrus-sasl, cyrus-sasl-plain and cyrus-sasl-ldap; the glob pulls those in along with the rest.)
2. Configuration file modification
# vim /etc/sysconfig/saslauthd
......
MECH=ldap   # only this line changes
......
# vim /etc/saslauthd.conf   # create it if it does not exist
servers: ldap://10.10.1.25
ldap_bind_dn: cn=admin,dc=qualitysphere,dc=github,dc=io
ldap_bind_pw: 123456
ldap_search_base: dc=qualitysphere,dc=github,dc=io
ldap_filter: uid=%U
ldap_password_attr: userPassword
# vim /etc/sasl2/svn.conf   # create it if it does not exist, with the following content
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
Notes on these files:
- /etc/saslauthd.conf contains the bind password, so keep it owned by root with mode 600.
- With the default ldap_auth_method (bind), saslauthd searches for the entry matching ldap_filter and then binds to LDAP as that user with the supplied password; ldap_password_attr is only consulted with ldap_auth_method: custom, so the line is harmless but unused here.
- ldap:// on port 389 carries the bind password and every user's password to the directory in clear; add ldap_start_tls: yes unless the directory is on the same host.
- The file is called svn.conf because svnserve registers with SASL under the application name svn.
- PLAIN and LOGIN are the only mechanisms saslauthd can verify, because it needs the cleartext password to attempt the bind. They also carry the password in clear over the svn:// connection, so keep svnserve on a trusted network or tunnel it (for example over SSH).
3. Start saslauthd and test an LDAP account
# systemctl start saslauthd
# systemctl enable saslauthd
The test below uses the directory account feb with its own password (123654), which is distinct from the admin bind password in saslauthd.conf:
# testsaslauthd -u feb -p 123654
0: OK "Success."
4. SVN configuration modification
- Modify the repository configuration
A repository created with svnadmin has a conf/svnserve.conf file; edit it and add use-sasl = true. svn config files do not support a comment after a value on the same line, so keep comments on their own line:
# cat /data/svnserver/test/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
[sasl]
## adding this line is enough
use-sasl = true
Once SASL authentication is enabled, the passwd file named by password-db is no longer used for authentication, but access control still comes from the authz file, whose users and groups are SVN names, not LDAP ones.
- Restart svnserve and test a checkout over svn:// with an LDAP account
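As an added example (not code from the original post), the following Python script reads the four files edited in the steps above and flags the settings that most often break or weaken this setup: use-sasl left off, anonymous read access, a missing MECH=ldap, an ldap_filter without the %U placeholder, plain ldap:// without STARTTLS, a pwcheck_method other than saslauthd, and the cleartext PLAIN/LOGIN mechanisms. The embedded file contents are constructed copies of the page's configuration; the file-mode helper is for the real /etc/saslauthd.conf.

```python
"""Preflight for svnserve + SASL + saslauthd/LDAP (added example, not from the original post)."""
import configparser
import os
import stat

# Constructed copies of the files the procedure edits; values mirror the page.
SYSCONFIG_SASLAUTHD = "SOCKETDIR=/run/saslauthd\nMECH=ldap   # only this line changes\nFLAGS=\n"
SASLAUTHD_CONF = """servers: ldap://10.10.1.25
ldap_bind_dn: cn=admin,dc=qualitysphere,dc=github,dc=io
ldap_bind_pw: 123456
ldap_search_base: dc=qualitysphere,dc=github,dc=io
ldap_filter: uid=%U
"""
SVN_SASL_CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"
SVNSERVE_CONF = """[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
[sasl]
## adding this line is enough
use-sasl = true
"""


def parse_kv(text, sep=":"):
    """Parse 'key: value' files (saslauthd.conf, sasl2/svn.conf) or KEY=value files (sysconfig)."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if sep in line:
            key, val = line.split(sep, 1)
            out[key.strip().lower()] = val.strip()
    return out


def check_sasl_setup(svnserve_conf, saslauthd_conf, svn_sasl_conf, sysconfig):
    """Return a list of findings; empty means the four files agree and nothing obvious is weak."""
    findings = []
    svn = configparser.ConfigParser(inline_comment_prefixes=("#", ";"))
    svn.read_string(svnserve_conf)
    if svn.get("sasl", "use-sasl", fallback="false").lower() != "true":
        findings.append("svnserve.conf: use-sasl is not true, so conf/passwd is still the password source")
    if svn.get("general", "anon-access", fallback="read").lower() != "none":
        findings.append("svnserve.conf: anon-access allows unauthenticated reads")

    if parse_kv(sysconfig, sep="=").get("mech") != "ldap":
        findings.append("/etc/sysconfig/saslauthd: MECH must be ldap")

    auth = parse_kv(saslauthd_conf)
    for key in ("servers", "ldap_search_base", "ldap_filter"):
        if key not in auth:
            findings.append(f"saslauthd.conf: {key} is missing")
    if "%u" not in auth.get("ldap_filter", "%u").lower():
        findings.append("saslauthd.conf: ldap_filter has no %U placeholder, every login matches the same entry")
    if auth.get("servers", "").startswith("ldap://") and auth.get("ldap_start_tls", "no").lower() != "yes":
        findings.append("saslauthd.conf: ldap:// without ldap_start_tls, bind and user passwords reach the directory in clear")

    mech = parse_kv(svn_sasl_conf)
    if mech.get("pwcheck_method") != "saslauthd":
        findings.append("sasl2/svn.conf: pwcheck_method must be saslauthd for LDAP checks")
    if set(mech.get("mech_list", "").upper().split()) & {"PLAIN", "LOGIN"}:
        findings.append("sasl2/svn.conf: PLAIN/LOGIN (the only mechanisms saslauthd can verify) carry the "
                        "password in clear over svn://, keep it on a trusted network or tunnel it")
    return findings


def mode_is_private(mode):
    """True when a permission mode grants nothing to group or others (what a file with ldap_bind_pw needs)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def secret_file_is_private(path):
    """Apply mode_is_private to a real file, for example /etc/saslauthd.conf."""
    return mode_is_private(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for line in check_sasl_setup(SVNSERVE_CONF, SASLAUTHD_CONF, SVN_SASL_CONF, SYSCONFIG_SASLAUTHD):
        print("-", line)
```

Run against the page's own values it reports only the two transport issues (plain ldap:// and PLAIN/LOGIN); commenting out use-sasl or relaxing anon-access adds the corresponding findings.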
2. Using Apache integration
This covers the scenario where SVN is accessed through Apache over HTTP. Every request passes through HTTP and is authenticated by Apache, so LDAP authentication for SVN only has to be configured on Apache.
1. Install HTTP
# yum -y install httpd mod_dav_svn
(On CentOS 7, mod_ldap and mod_authnz_ldap live in the separate mod_ldap package; install it as well for the LDAP configuration below.)
2. Configuration file modification
Here /data/svnserver is the root directory of the repositories, the repositories are created under it with svnadmin, svnserve is started with svnserve -d -r /data/svnserver, and test is one repository under /data/svnserver.
1. HTTP protocol configuration
First, plain HTTP access with an account from an htpasswd file; this variant is not yet integrated with LDAP.
- Create an HTTP account; it is the account used to log in to SVN afterwards:
# htpasswd -m /etc/svn/svnusers.conf feb
(Add -c the first time, when the file does not exist yet. -m selects the MD5-based hash; on httpd 2.4, -B selects bcrypt, which is the stronger choice.)
- HTTP configuration
# cat /etc/httpd/conf.d/subversion.conf
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /repos>
DAV svn
SVNParentPath /data/svnserver
#<LimitExcept GET PROPFIND OPTIONS REPORT>
AuthType Basic
AuthName "Authorization Realm"
AuthUserFile /etc/svn/svnusers.conf
AuthzSVNAccessFile /data/svnserver/test/conf/authz
Require valid-user
#</LimitExcept>
</Location>
With the <LimitExcept> lines commented out, every request method, reads included, requires a login. Uncommenting them would let GET, PROPFIND, OPTIONS and REPORT through without authentication, and read access would then be governed only by the anonymous (*) rules in the authz file. Basic authentication sends the password merely base64-encoded, so serve this over HTTPS.
2. LDAP integration configuration
# vim /etc/httpd/conf.d/subversion.conf
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /repos>
DAV svn
SVNParentPath /data/svnserver
#<LimitExcept GET PROPFIND OPTIONS REPORT>
AuthType Basic
AuthName "Subversion repository"
AuthzSVNAccessFile /data/svnserver/test/conf/authz
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://10.10.1.25:389/dc=qualitysphere,dc=github,dc=io?uid?sub?(objectclass=*)"
AuthLDAPBindDN "cn=admin,dc=qualitysphere,dc=github,dc=io"
AuthLDAPBindPassword "123456"
Require ldap-user
#</LimitExcept>
</Location>
The configuration above keeps all projects in one shared repository root, so SVNParentPath names the directory that holds all of them. If a project should not be exposed this way, or needs its own settings, use SVNPath to configure that project separately. Apache does not accept a comment after a directive on the same line, so comments go on their own line:
<Location /test>
DAV svn
## the difference is in this line
SVNPath /data/svnserver/test
#<LimitExcept GET PROPFIND OPTIONS REPORT>
AuthType Basic
AuthName "Subversion repository"
AuthzSVNAccessFile /data/svnserver/test/conf/authz
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://10.10.1.30:389/dc=qualitysphere,dc=github,dc=io?uid?sub?(objectclass=*)"
AuthLDAPBindDN "cn=admin,dc=qualitysphere,dc=github,dc=io"
AuthLDAPBindPassword "123456"
Require ldap-user
#</LimitExcept>
</Location>
## /data/svnserver is the SVN root path
## With this block, http://ip/test/ addresses the resources of the test project directly. With the shared-directory form above, the URL needs repos/ followed by the project name (http://ip/repos/test/).
When Apache performs the authentication, the conf/passwd file in each repository is no longer used; the accounts come from the file named by AuthUserFile. After switching to LDAP, authentication is done against LDAP, but authorization still comes from the file named by AuthzSVNAccessFile, which should already have been set up when Apache+SVN was configured.
A few points to check in the LDAP variant:
- Require ldap-user expects a list of user names; with no argument it authorizes nobody. To accept any account that authenticates against LDAP, use Require valid-user (path-level rights still come from the authz file), or list the permitted uids after ldap-user.
- AuthzLDAPAuthoritative belongs to httpd 2.2. httpd 2.4, which CentOS 7 ships, decides authorization through Require alone, so drop the line there; httpd -t shows whether the running version accepts the file.
- ldap://10.10.1.25:389 sends the bind password and every user's password to the directory in clear. Use an ldaps:// URL or append TLS (STARTTLS) after the AuthLDAPURL string, and point LDAPTrustedGlobalCert at the directory's CA so the server certificate is verified.
- The file holds AuthLDAPBindPassword, so keep it readable by root only; httpd reads its configuration as root before dropping privileges.
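As an added example (not code from the original post or the Apache project), the following Python lint reads a <Location> block like the ones above and reports the problems discussed in this section: a Require ldap-user with no user list, the 2.2-only AuthzLDAPAuthoritative, an ldap:// URL without TLS/STARTTLS, an active <LimitExcept> that exempts read methods from login, and a missing AuthzSVNAccessFile. The two embedded blocks are constructed: PAGE_LOCATION mirrors the page's configuration, FIXED_LOCATION is the corrected form (the ldaps port 636 is an assumption).

```python
"""Lint an Apache <Location> block for mod_dav_svn + mod_authnz_ldap (added example)."""
import shlex

# Constructed copy of the page's <Location /repos> block (weak form).
PAGE_LOCATION = """<Location /repos>
DAV svn
SVNParentPath /data/svnserver
#<LimitExcept GET PROPFIND OPTIONS REPORT>
AuthType Basic
AuthName "Subversion repository"
AuthzSVNAccessFile /data/svnserver/test/conf/authz
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://10.10.1.25:389/dc=qualitysphere,dc=github,dc=io?uid?sub?(objectclass=*)"
AuthLDAPBindDN "cn=admin,dc=qualitysphere,dc=github,dc=io"
AuthLDAPBindPassword "123456"
Require ldap-user
#</LimitExcept>
</Location>
"""

# Corrected form for httpd 2.4: any LDAP account that authenticates is accepted (path rights
# still come from the authz file) and the directory is reached over TLS (port 636 assumed).
FIXED_LOCATION = """<Location /repos>
DAV svn
SVNParentPath /data/svnserver
AuthType Basic
AuthName "Subversion repository"
AuthzSVNAccessFile /data/svnserver/test/conf/authz
AuthBasicProvider ldap
AuthLDAPURL "ldaps://10.10.1.25:636/dc=qualitysphere,dc=github,dc=io?uid?sub?(objectclass=*)"
AuthLDAPBindDN "cn=admin,dc=qualitysphere,dc=github,dc=io"
AuthLDAPBindPassword "123456"
Require valid-user
</Location>
"""


def parse_directives(text):
    """Return (directive, args, limited) per active line; limited marks lines inside an uncommented <LimitExcept>."""
    items, limited = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment lines, including the commented-out LimitExcept pair
        low = line.lower()
        if low.startswith("<limitexcept"):
            limited = True
        elif low.startswith("</limitexcept"):
            limited = False
        elif not line.startswith("<"):  # skip <Location> / </Location>
            parts = shlex.split(line)
            items.append((parts[0], parts[1:], limited))
    return items


def lint_location(text):
    """Return findings for one <Location> block; empty means none of the known problems is present."""
    findings = []
    items = parse_directives(text)
    for directive, args, limited in items:
        name = directive.lower()
        if name == "require":
            if args == ["ldap-user"]:
                findings.append("Require ldap-user names no users, so no one is authorized; "
                                "use Require valid-user or list the uids")
            if limited:
                findings.append("Require is inside an active <LimitExcept>: GET/PROPFIND/OPTIONS/REPORT need no "
                                "login, so anonymous reads are decided only by the '*' rules in the authz file")
        elif name == "authzldapauthoritative":
            findings.append("AuthzLDAPAuthoritative is an httpd 2.2 directive; httpd 2.4 decides authorization with Require alone")
        elif name == "authldapurl":
            url = args[0] if args else ""
            mode = args[1].upper() if len(args) > 1 else "NONE"
            if url.startswith("ldap://") and mode not in ("SSL", "TLS", "STARTTLS"):
                findings.append("AuthLDAPURL uses ldap:// without TLS/STARTTLS: bind and user passwords reach the directory in clear")
    if not any(d.lower() == "authzsvnaccessfile" for d, _, _ in items):
        findings.append("no AuthzSVNAccessFile: every authenticated user gets full access to every path")
    return findings


if __name__ == "__main__":
    for block in (PAGE_LOCATION, FIXED_LOCATION):
        print(lint_location(block) or ["ok"])
```

The page's block yields three findings (the empty ldap-user list, the 2.2 directive and the clear-text ldap:// URL); the corrected block yields none, and so does an ldap:// URL followed by the STARTTLS mode keyword.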
3. Test verification
Restart httpd (systemctl restart httpd) and check out the test repository with an LDAP account, over http://ip/repos/test/ for the SVNParentPath form or http://ip/test/ for the SVNPath form. A wrong password must be refused, and a user who is absent from the authz file must still be denied after a successful login.
3. Summary
In the author's testing, the SASL integration only worked with LDAP on the same server as SVN, while in production the two are usually deployed on separate servers, so integrating through Apache is the practical way to put SVN under LDAP. Also, neither method uses LDAP groups: only the account and password check is delegated to LDAP, and the users and groups used for permissions still have to be maintained separately in SVN's authz file.
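Because neither integration pulls group membership from LDAP, the usual workaround is a small sync job that rewrites only the [groups] section of the authz file from the directory while the path rules stay hand-maintained. The following Python script is an added example of that job (not code from the original post or from Subversion): it renders the authz file from constructed LDAP data, expands @group references (nested groups included) to answer who can write to a path, and lists uids still named in authz that no longer exist in LDAP. LDAP_GROUPS, LDAP_USERS and PATH_RULES are constructed sample data; a real job would obtain them from ldapsearch or python-ldap.

```python
"""Regenerate the [groups] section of an SVN authz file from LDAP group membership (added example)."""
import configparser

# Constructed sample of what an ldapsearch over posixGroup entries (cn, memberUid) and over
# user uids would return; not real directory contents.
LDAP_GROUPS = {"svn-dev": ["feb", "alice"], "svn-release": ["alice", "bob"]}
LDAP_USERS = {"feb", "alice", "bob"}

# Path rules remain local policy kept by hand; only [groups] is rewritten from LDAP.
PATH_RULES = {
    "test:/": {"@svn-dev": "rw", "*": ""},
    "test:/tags": {"@svn-release": "rw", "@svn-dev": "r"},
}


def render_authz(groups, path_rules):
    """Produce authz text: [groups] from LDAP, then the local path sections."""
    lines = ["[groups]"]
    for name, members in sorted(groups.items()):
        lines.append(f"{name} = {', '.join(sorted(members))}")
    for section, rules in path_rules.items():
        lines += ["", f"[{section}]"]
        for principal, perm in rules.items():
            lines.append(f"{principal} = {perm}")
    return "\n".join(lines) + "\n"


def load_authz(text):
    """Parse authz text, keeping the case of uids and '@group' keys."""
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def expand(principal, cp, seen=None):
    """Resolve a uid, an '@group' (nested groups allowed) or '*' to a set of uids."""
    if seen is None:
        seen = set()
    if principal.startswith("@"):
        if principal in seen:  # guard against a group cycle
            return set()
        seen.add(principal)
        members = cp.get("groups", principal[1:], fallback="") or ""
        out = set()
        for member in (m.strip() for m in members.split(",") if m.strip()):
            out |= expand(member, cp, seen)
        return out
    return {principal}


def principals_with(text, section, perm):
    """uids granted perm ('r' or 'w') by the rules of one section (parent-path inheritance not applied)."""
    cp = load_authz(text)
    out = set()
    for principal, value in cp.items(section):
        if perm in (value or ""):
            out |= expand(principal, cp)
    return out


def stale_principals(text, ldap_users):
    """uids named anywhere in the authz file that no longer exist in LDAP (offboarding leftovers)."""
    cp = load_authz(text)
    named = set()
    for section in cp.sections():
        for key, value in cp.items(section):
            if section == "groups":
                named |= {m.strip() for m in (value or "").split(",")
                          if m.strip() and not m.strip().startswith("@")}
            elif not key.startswith("@") and key != "*":
                named.add(key)
    return named - set(ldap_users)


if __name__ == "__main__":
    authz = render_authz(LDAP_GROUPS, PATH_RULES)
    print(authz)
    print("writers of test:/tags:", sorted(principals_with(authz, "test:/tags", "w")))
    print("stale:", sorted(stale_principals(authz, LDAP_USERS)))
```

principals_with deliberately looks at one section only; which section applies to a path, and how conflicting rules within it combine, depends on the Subversion version's authz rules, so treat it as a membership expansion, not a full access-check emulation.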