Home > Software, Web > Web publishing system with Apache and Subversion – part 2

Web publishing system with Apache and Subversion – part 2


If you read the first part of this post, you probably know by now how to install and configure a web publishing system using only Apache and Subversion. But your system will miss one of the most important thing: authentication. So let’s get started and tackle this.


Authentication


We kept all the Apache configuration settings related to Subversion and the website in the file <apache-dir>/conf/extra/wps.conf and further on we will modify this file.
Remember the below section located either in the main server or in a virtual one section?

<Location /svn >

    DAV svn
    SVNParentPath /wps/svnrepo
    SVNListParentPath On

</Location>

We will modify this one to add authentication and authorization.

<Location /svn >

    DAV svn
    SVNParentPath /wps/svnrepo
    SVNListParentPath On

    AuthType basic
    AuthName "SVN repository"
    AuthUserFile /wps/passwd
    Require valid-user

</Location>

The user database will be kept in the plain text file /wps/passwd. To add or modify users you can use the htpasswd utility. So let’s add a developer account:


htpasswd -c /wps/passwd developer

You will be prompted for the password. Later on you can change it with:


htpasswd /wps/passwd developer

.

There are also some other ways to authenticate users, by keeping the users in a database file or using LDAP. You have to specify the authentication provider and use the specific module settings: mod_authn_file, mod_authn_dbm,
mod_authn_dbd,
and mod_authnz_ldap.


Windows authentication


You can also use Windows domain authentication, but this will require just a little bit more work from your side. Anyway this may come in handy in some big organizations, where you don’t want to create special accounts only for this and enable users to use their usual Windows logon credentials.

First of all you have to download the SSPI authentication module and copy it to <apache-dir>/modules. Then add the following line at the beginning of <apache-dir>/conf/extra/wps.conf:

LoadModule sspi_auth_module modules/mod_auth_sspi.so

and the below lines to the Location section corresponding to the SVN repository:

    AuthName "Windows Authentication"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    # set the domain to authorize against
    SSPIDomain your.windows.domain
    # keep domain name in userid string
    SSPIOmitDomain On 
    SSPIUsernameCase lower
    SSPIOfferBasic On 
    # basic authentication shouldn't 
    # have higher priority
    SSPIBasicPreferred Off 

    Require valid-user

Now lets’ discuss in a little bit more in detail the above configuration settings:

  • SSPIAuth – this will turn on/off the Windows authentication module
  • SSPIAuthoritative – this will turn on/off if the the Windows authentication is mandatory or if other modules can be used as a fallback
  • SSPIDomain – the IP address or name of your windows domain controller against which the authentication is run
  • SSPIOmitDomain – if it is On then the domain name is omitted from the user name; so if the user is DOMAIN\user, the user name for Apache and Subversion will actually be user and not DOMAIN\user.
  • SSPIUsernameCase – tells how the user name letter cases are converted. The possible values are lower and upper. If this is not specify then no conversion is made. If you specify lower (recommended) then the user name DOMAIN\User will be transformed to domain\user (if you also specify SSPIOmitDomain On, then the name will become user)
  • SSPIOfferBasic – SSPI by default uses NTLM, a Microsoft proprietary protocol which only IE (and other Windows components/application) understand, so they are able to authenticate you automatically. If you set SSPIOfferBasic On means that it is still authenticating against your Windows domain on the backend, but when it asks the client for a password, it does so using standard HTTP Basic authentication. So if you plan to use other clients to your Subversion repository than IE you must set this on and the client then will prompt you for the domain name and password. This is definately needed if you use TortoiseSVN.
  • SSPIBasicPreferred – if it is On then basic authentication will have higher priority

The authentication possibilities are endless and are depending only on your imagination and needs. I was focusing on these two types as they will probably appear more often: basic in a low or mid-size company and Windows authentication can be smoothly integrated in a big company infrastructure with Windows desktops for the big part of users.

Authorization, setting up a second repository and conclusions will follow soon.

Part 1Part 3

Download configuration files.

  1. mozey
    November 30, 2007 at 3:30 pm

    You know how for EVERY TECKY there are few topics that we JUST ARE AFRAID to look at!?!?!, for a while it was CSS to me (though my PHP is impregnable), and then, then it was kickstart, and NOW its dav!, i dont understand it, i have no idea what it does!, i know its KIND OF version controle but not really!, one of these long saturday mornings, i’ll be all over it.

  2. November 30, 2007 at 10:37 pm

    Usually when I need to understand the basics of something I refer to Wikipedia. Now it also seems a good time to do this, so you can take a look here.
    If you want to use Subversion (which I totally recommend – and I used before CVS, StarTeam, SourceSafe) the best resource to read is the SVN book.

  3. August 27, 2015 at 3:33 am

    artikel menarik , Afra

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: