Search This Blog

Wednesday, January 23, 2013

Setup Collabnet Subversion Edge Server using an existing SVN repository and using LDAP to Authenticate against Windows Domain.

Recently had to setup an SVN server, this svn server was to house an existing svn repository housed on another server. The authentication on this server was setup with the file method.

As part of the move we wanted to utilise the domain resources as we tried to consolidate user management across our applications.

So we chose the latest version of Collabnets Subversion Edge Server 3.2.2 (x64) to run on a Windows 2008 R2 server.

The R2 server was a clean server, with no IIS installed, therefore the setup of apache, which subversion edge relies upon would be less of a pain (no port changes Smile).

OK, so we ran the installer for Subversion Edge, which was painless, it detected that Java was not installed on the server and it installed Java. It then installed the Subversion Edge server product.

On completion of installation we just left the tick boxes checked that fired up administration portal. By default this will be http://localhost:3343/, the default login is admin with password admin (this can be easily changed).

The repository itself was just copied over from the source server (running svn 1.5), into a folder on the new server using windows explorer. Nothing fancy, no svn dumps etc…

Once logged in you are presented a simple interface, with the status of the apache server given right in the centre. If it is stopped, there is a start button and vice versa.

Under configuration on the right, I went into server settings and added the location of the svn repositories and dump folders. I changed the repository setting to match the location we moved the repository into and the dump folder

D:\SVN\Repositories

D:\SVN\Dumps

I saved these settings, and then went to Repositories, which is on the menu at the top of the page. Here I clicked discover and the repository I copied over appeared in the list.

Ok, so by default you should now have anonymous access to the repository, this is a good spot to check things are working as expected. You can get to the repository from other machines.

Subversion Edge Server runs apache, and it uses http protocol for the client server connection protocol. It does not setup svnserve.exe (although this executable is installed in the csvn folder and can be configured if you want), which means that the svn:// URLs cannot be used in a standard setup, you will therefor be using http URLs. In the repository list, mentioned above, it gives you an example svn client checkout command, which includes the http URL to the repository. The command will look something like below.

svn checkout http://<hostname.domain>/svn/<SVN_REPOSITORY_NAME> <Physical Folder Name to checkout into> --username=admin

This initial process was pretty painless as far as I was concerned, now we came to the LDAP setup. I have only had to use LDAP very sparsely in the past so terminology was vaguely familiar but I found the documentation very limited, in helping you understand what to put into each of the boxes on the authentication page.

So lets go to the authentication page (under configuration menu header on the administration section, in the admin portal )

Now it has to be said, I am far from an expert in any of this, and if you need to add encrypted connectivity to the LDAP – Domain communications then you will have to find that on your own, for our purpose unencrypted comms is fine.

So I will go through each of the settings on that page and try to explain my understanding. Following that I will list out the settings I used (with something's changed for security :o) )

Anonymous Access: Allow read access to anonymous users.

Ok, pretty self explanatory if you want to allow anonymous users to be able to read the repository then check this.

Convert Usernames to Lower Case: Convert usernames to lower case for access rules.

Now I believe that this is good for when you want to start apply rules to control repository access. I have this checked.

Authentication Methods: Local authentication against an htpasswd file along with other providers.
Authentication Methods: LDAP authentication against an LDAP server:

So again, pretty straight forward, first one is to use the old method and a local file. second option is to use LDAP. You can use both, and I think it checks the file and then LDAP. In our case I just want LDAP so htpasswd is unchecked.

LDAP Security Level: None

Ok, now this can be changed to secure the LDAP comms from client to server, I didnot set this so I can’t tell you what needs to be done.

LDAP Server Host: <domain>

So here we come to some juicy bits, now here you can specify one dc directly, and if you do that it will affect the port you use (next option). However assuming you have a modern windows domain with multiple DCs then you probably just want to set this to the domain, so it can use any dc running LDAP.

i.e. if your fully qualified server name was something like server1.domain.com, then you would place domain.com in this setting.

LDAP Server Port: 3268

Hint: try 3268 for Active Directory servers

OK, I think initially this was set to 389 port, which is the correct setting if you want to just use a single LDAP server (see LDAP server Host above). However if you want to utilise the functionality of any of the dcs in the domain then set this to 3268.

LDAP Base DN: CN=Users,DC=domain,DC=com

Example: OU=Users,DC=xxx,DC=yyy,DC=domain,DC=com

Now this setting will depend on how you have your Active directory configured. But a default AD setup will have Users in an CN called Users. What we are setting here is the location subversion Edge will query when looking for users.

A good tool to get DNs (Distinguished Names) from your active directory is ADSIEdit (comes with windows). You can browse to the item, right click properties on it and then look for Distingusihed Name, you can then copy it out.

LDAP Bind DN: CN=<svnLDAPQueryUserName>,CN=Users,DC=domain,DC=com

Now this setting is specifying the user that Subversion will impersonate when sending the query to the LDAP server. Now you can setup a specific user for this purpose and assign the necessary rights to the user to query the directory, so we don’t have to use some form of administrative account. So in Active Directory create the user and password that you want to use for this purpose. Now on the OU you want to query (in the default case this will be Users), right click the client and select Delegate Control, this will start a wizard.

In this wizard select the user/groups you want to delegate to, then in delegate the following common tasks select “Read All User Information”. This will allow us to use this user.

LDAP Bind Password: <password>

BindDN and Password are only needed if anonymous binding is not supported.

Password of the user we created above. :o)

LDAP Login Attribute: samAccountName

The default attribute is 'uid'. Hint: use samAccountName for Active Directory

Set this to samAccountname to ensure that Subversion is loking for the usernames in the correct attributes.

LDAP Search Scope: Sub

Now this will tie in with the LDAP Base DN setting earlier. we are just telling subversion whether to recurse through sub OUs or stay in the OU.

LDAP Filter: objectClass=user

As we will be authenticating user, it makes sense to try and speed up the searching by starting we are looking for users so thats what we do here.

LDAP Server Certificate Verification: <checked>

Verify the certificate of the LDAP server.

I am afraid I don’t know what this does, but I left it checked.

Console LDAP Authentication: <unchecked>

Allow LDAP users to access the management console

Now I unchecked this, to stop them trying to access the admin console (it will allow them a limited set of usability to browse the repository in a web page). This is up to you but for me this was not needed, the developers use tortoisesvn which has a browser.

Console LDAP Authentication Helper Port: 49156

Used to facilitate LDAP authentication to the console with the above settings. Normally, no change is needed here.

Left this one as default. 49156, not sure what it does…. :o)

Ok, and that was it. Saved these settings and then tried to use a windows account. And for me this worked. You don’t need to specify a domain, with the username just the username.

image

image

OK, that was it, but in this current setup any user that can authenticate to the windows domain could access the repository and potentially reek havoc.. ;o)

So how to limit access… This is achieved by changing the access rules in the subversion Edge admin portal.

By default the access rules section, found under the repositories top menu item, will be set to

[/]
* = rw



This is telling subversion that everything from the root level down ([/]), is available to all (*) with read and write access (rw)


Ok, so lets remove access to everyone



[/] 
* =



OK, so now lets add access to our repository




[SVN_REPOSITORY_NAME:/]
windowsusername1=rw
windowsusername2=rw
windowsusername3=r



So here we are saying these rules apply just to our repository at the root level[SVN_REPOSITORY_NAME:/]. You can add more granular control to subsections of the repository by specifying headers like


[SVN_REPOSITORY_NAME:/subsection1/]. 


But in our case we apply at the root level and everything inherits down. Then we are listing the windows usernames with the access we want. user1 and user2 have read access, whilst user3 has only read access.


And that's all folks…. I hope….

Share/Bookmark

2 comments:

  1. Hi Allan,

    That was very informative, thanks for the write-up. Just have a query which I hope to get clarified by you. We use Collabnet Subversion (version1.6.6) that runs with SVNSERVE as a windows service (No IIS / Apache) with simple password authentication (passwd file).

    I want to retain the existing repository on a network share with all it's checkin / checkout history and just upgrade the Subversion to any latest version and also implement LDAP authentication.

    Going by this link (https://ctf.open.collab.net/sf/wiki/do/viewPage/projects.svnedge/wiki/MigrationPath#section-MigrationPath-InstructionsForMigratingFromExistingSubversionInstallation), SVNSERVE is not supported by Edge.

    Is there any other means by which I can accomplish this task? Any pointers would be of great help. Thanks.

    Karthik

    ReplyDelete
    Replies
    1. HI Karthik, I am afraid I am far from an expert in all of this. We no longer use SVNSERVE. You could try doing a blank install of SVN, setup your svnserver etc, and then add the repository in the admin(you could copy the repository folder incase something goes wrong). Its been a while since I touched this but I think you can do this... Just amke sure you have a backup... :o)

      Delete