Hi!
> Has anybody succeeded setting up svn in a microsoftized environment
> (i.e. Apache Win32 with LDAP authentication against some Win32 domain
> controller and DAV/mod_dav_svn for repository access?)
Yes, and it works OK so far.
> "Tried, but not succeeded" would be a helpful answer, too.
I'll try to be a little more helpful. On the server side I have
installed latest versions of Apache2 and Subversion. After install I
created directory that will be root for all (most?) of my repositories.
I have added the following snippet in httpd.conf (sanitized for obvious
reasons):
---------------------------------------------------------------
LoadModule ldap_module modules/util_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule dav_svn_module "X:/SVN/httpd/mod_dav_svn.so"
LoadModule authz_svn_module "X:/SVN/httpd/mod_authz_svn.so"
<Location />
DAV svn
SVNParentPath X:/SVNRoot
AuthLDAPAuthoritative on
AuthType Basic
AuthLDAPBindDN cn=DirectoryBrowserUser,dc=company,dc=loc
AuthLDAPBindPassword verysecretpassword
AuthLDAPUrl
"ldaps://company.loc/dc=company,dc=loc?sAMAccountName?sub?(objectClass=*)"
AuthType Basic
AuthName "SVN Source Code"
Require valid-user
Require group cn=Domain Users,ou=Users,dc=company,dc=loc
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require group cn=Programmers,ou=Users,dc=company,dc=loc
</LimitExcept>
</Location>
---------------------------------------------------------------
"X:/SVNRoot" is root directory for all SVN repositories.
"X:/SVN" is directory that SVN was installed in.
"AuthLDAPBindDN" is name of user that is used probably used to enumerate
accounts and check group membership of users trying to login. It has to
be domain username and you have to use LDAP notation when specifying it
1st "Require group" is used for blanket permission for all domain users
to browse code repository. Group name must be in LDAP notation.
"LimitExcept" section is used to add exceptions to blanket rule. In my
case I have added 2nd "Require group" statement that enables members of
Programmers group to have full DAV access to all repositories.
Other than that, I have used SSL to hide passwords that are transmited
on the network. Password for AuthLDAPBindDN user is in clear text which
is obviously a security risk. In my case I have mitigated it with moving
this user from default "Domain Users" group to "Domain Guests" group
which in combination with no local (console, file share, RDP, ...)
access to server for non-SVN-Administrators who already know the
password probably suffices.
I make no guarantees of validity or security of this setup, but I can
say that 'It Just Works(TM)' for me, so yes: it is possible to have
Windows only setup for SVN.
Greets, Toshio.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Dec 10 19:35:13 2004