Web publishing system with Apache and Subversion – part 2
If you read the first part of this post, you probably know by now how to install and configure a web publishing system using only Apache and Subversion. But your system will miss one of the most important thing: authentication. So let’s get started and tackle this.
We kept all the Apache configuration settings related to Subversion and the website in the file
<apache-dir>/conf/extra/wps.conf and further on we will modify this file.
Remember the below section located either in the main server or in a virtual one section?
<Location /svn > DAV svn SVNParentPath /wps/svnrepo SVNListParentPath On </Location>
We will modify this one to add authentication and authorization.
<Location /svn > DAV svn SVNParentPath /wps/svnrepo SVNListParentPath On AuthType basic AuthName "SVN repository" AuthUserFile /wps/passwd Require valid-user </Location>
The user database will be kept in the plain text file
/wps/passwd. To add or modify users you can use the
htpasswd utility. So let’s add a developer account:
htpasswd -c /wps/passwd developer
You will be prompted for the password. Later on you can change it with:
htpasswd /wps/passwd developer
There are also some other ways to authenticate users, by keeping the users in a database file or using LDAP. You have to specify the authentication provider and use the specific module settings:
You can also use Windows domain authentication, but this will require just a little bit more work from your side. Anyway this may come in handy in some big organizations, where you don’t want to create special accounts only for this and enable users to use their usual Windows logon credentials.
First of all you have to download the SSPI authentication module and copy it to
<apache-dir>/modules. Then add the following line at the beginning of
LoadModule sspi_auth_module modules/mod_auth_sspi.so
and the below lines to the
Location section corresponding to the SVN repository:
AuthName "Windows Authentication" AuthType SSPI SSPIAuth On SSPIAuthoritative On # set the domain to authorize against SSPIDomain your.windows.domain # keep domain name in userid string SSPIOmitDomain On SSPIUsernameCase lower SSPIOfferBasic On # basic authentication shouldn't # have higher priority SSPIBasicPreferred Off Require valid-user
Now lets’ discuss in a little bit more in detail the above configuration settings:
SSPIAuth– this will turn on/off the Windows authentication module
SSPIAuthoritative– this will turn on/off if the the Windows authentication is mandatory or if other modules can be used as a fallback
SSPIDomain– the IP address or name of your windows domain controller against which the authentication is run
SSPIOmitDomain– if it is On then the domain name is omitted from the user name; so if the user is
DOMAIN\user, the user name for Apache and Subversion will actually be
SSPIUsernameCase– tells how the user name letter cases are converted. The possible values are
upper. If this is not specify then no conversion is made. If you specify
lower(recommended) then the user name
DOMAIN\Userwill be transformed to
domain\user(if you also specify
SSPIOmitDomain On, then the name will become
SSPIOfferBasic– SSPI by default uses NTLM, a Microsoft proprietary protocol which only IE (and other Windows components/application) understand, so they are able to authenticate you automatically. If you set
SSPIOfferBasic Onmeans that it is still authenticating against your Windows domain on the backend, but when it asks the client for a password, it does so using standard HTTP Basic authentication. So if you plan to use other clients to your Subversion repository than IE you must set this on and the client then will prompt you for the domain name and password. This is definately needed if you use TortoiseSVN.
SSPIBasicPreferred– if it is On then basic authentication will have higher priority
The authentication possibilities are endless and are depending only on your imagination and needs. I was focusing on these two types as they will probably appear more often: basic in a low or mid-size company and Windows authentication can be smoothly integrated in a big company infrastructure with Windows desktops for the big part of users.
Authorization, setting up a second repository and conclusions will follow soon.