
Re: SVN & Win32

From: Andrej Ota <andrej.ota_at_siol.si>
Date: 2004-12-10 19:23:18 CET

Hi!

> Has anybody succeeded setting up svn in a microsoftized environment
> (i.e. Apache Win32 with LDAP authentication against some Win32 domain
> controller and DAV/mod_dav_svn for repository access?)

Yes, and it works OK so far.

> "Tried, but not succeeded" would be a helpful answer, too.

I'll try to be a little more helpful. On the server side I have
installed the latest versions of Apache2 and Subversion. After install I
created a directory that will be the root for all (most?) of my repositories.
I have added the following snippet in httpd.conf (sanitized for obvious
reasons):
---------------------------------------------------------------
LoadModule ldap_module modules/util_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so

LoadModule dav_svn_module "X:/SVN/httpd/mod_dav_svn.so"
LoadModule authz_svn_module "X:/SVN/httpd/mod_authz_svn.so"

<Location />
  DAV svn
  SVNParentPath X:/SVNRoot

  AuthLDAPAuthoritative on
  AuthType Basic
  AuthLDAPBindDN cn=DirectoryBrowserUser,dc=company,dc=loc
  AuthLDAPBindPassword verysecretpassword
  AuthLDAPUrl "ldaps://company.loc/dc=company,dc=loc?sAMAccountName?sub?(objectClass=*)"

  AuthType Basic
  AuthName "SVN Source Code"

  Require valid-user
  Require group cn=Domain Users,ou=Users,dc=company,dc=loc

  <LimitExcept GET PROPFIND OPTIONS REPORT>
   Require group cn=Programmers,ou=Users,dc=company,dc=loc
  </LimitExcept>
</Location>
---------------------------------------------------------------

"X:/SVNRoot" is the root directory for all SVN repositories.
"X:/SVN" is the directory that SVN was installed in.

"AuthLDAPBindDN" is the name of the user that is probably used to enumerate
accounts and check group membership of users trying to log in. It has to
be a domain username and you have to use LDAP notation when specifying it.

1st "Require group" is used for blanket permission for all domain users
to browse code repository. Group name must be in LDAP notation.

"LimitExcept" section is used to add exceptions to blanket rule. In my
case I have added 2nd "Require group" statement that enables members of
Programmers group to have full DAV access to all repositories.

Other than that, I have used SSL to hide passwords that are transmitted
on the network. The password for the AuthLDAPBindDN user is in clear text, which
is obviously a security risk. In my case I have mitigated it by moving
this user from the default "Domain Users" group to the "Domain Guests" group,
which in combination with no local (console, file share, RDP, ...)
access to the server for non-SVN-Administrators who already know the
password probably suffices.

I make no guarantees of validity or security of this setup, but I can
say that 'It Just Works(TM)' for me, so yes: it is possible to have
Windows only setup for SVN.

Greets, Toshio.

Received on Fri Dec 10 19:35:13 2004
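
An audit of the points the configuration in this message turns on, added here as an example and not part of the original mail: it flags a bind password stored in the config, an AuthLDAPUrl whose value has slipped onto the following line (easy to pick up when a config is pasted through e-mail), a URL that is ldap:// rather than ldaps://, and "Require valid-user" beside "Require group" in one section, which Apache treats as alternatives. The function name, the finding codes and every name in the sample are assumptions made for the illustration.

```python
# Constructed sample with placeholder names, shaped like the config in the message.
SAMPLE = '''\
<Location />
  AuthLDAPBindDN cn=svc-browse,dc=example,dc=test
  AuthLDAPBindPassword placeholder-password
  AuthLDAPUrl
"ldaps://example.test/dc=example,dc=test?sAMAccountName?sub?(objectClass=*)"
  Require valid-user
  Require group cn=Domain Users,ou=Users,dc=example,dc=test
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require group cn=Programmers,ou=Users,dc=example,dc=test
  </LimitExcept>
</Location>
'''

def audit(conf_text):
    """Return a list of (line_number, finding_code) for the config text."""
    findings = []
    scopes = [set()]  # Require kinds seen in each open <Section>
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('<'):
            if not line.startswith('</'):
                scopes.append(set())       # section opens
            elif len(scopes) > 1:
                scopes.pop()               # section closes
            continue
        name, *rest = line.split(None, 1)
        name, arg = name.lower(), (rest[0].strip('"') if rest else '')
        if name == 'authldapbindpassword' and arg:
            findings.append((n, 'BIND-PASSWORD-IN-CONFIG'))
        elif name == 'authldapurl' and not arg:
            # the value sits on the next line, so the directive has no argument
            findings.append((n, 'URL-ON-NEXT-LINE'))
        elif name == 'authldapurl' and arg.lower().startswith('ldap://'):
            findings.append((n, 'LDAP-URL-NOT-LDAPS'))
        elif name == 'require' and arg:
            seen = scopes[-1]
            had_pair = {'valid-user', 'group'} <= seen
            seen.add(arg.split()[0].lower())
            # One matching Require is enough, so valid-user admits every
            # authenticated account whatever the group line in that section says.
            if not had_pair and {'valid-user', 'group'} <= seen:
                findings.append((n, 'VALID-USER-OVERRIDES-GROUP'))
    return findings
```

Calling audit(SAMPLE) reports the bind password, the wrapped URL and the valid-user/group pair with their line numbers; the Require inside LimitExcept is a separate section and is not flagged.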

This is an archived mail posted to the Subversion Users mailing list.
