Ubuntu, Apache, SSL, Subversion and LDAP

At work we needed a new source control system and we decided to use Subversion. This blog post gives details about the installation and about using Apache (over an SSL connection) to serve Subversion. Access to the Subversion repository is controlled with LDAP connected to an Active Directory.

Ubuntu installation

I used the Ubuntu 8.04 desktop version. Installation with the wizard is straightforward and therefore not discussed. The hostname in this example is jdk-svn. After the installation of Ubuntu I checked for new package updates (sudo apt-get update and sudo apt-get upgrade).

Installation of Apache

To install Apache you need to install the apache2 package:


sudo apt-get install apache2

Besides apache2, the packages apache2-mpm-worker, apache2-utils, apache2.2-common, libapr1, libaprutil1 and libpq5 are installed as dependencies.

After the installation you can check whether the Apache webserver is running by pointing your browser to http://jdk-svn (from the server itself http://localhost will also work). When the server is running, a web page is served with the simple text message It works!

Installation SSL

For authentication we don’t want to send plain text over the network, so SSL needs to be installed to support secure connections. SSL needs the packages openssl and ssl-cert, which are installed by default with the Ubuntu 8.04 installation (otherwise use sudo apt-get install openssl and sudo apt-get install ssl-cert to install these packages).

A certificate is needed for SSL. I will use a self-signed certificate, which can be created with make-ssl-cert.

Note: a lot of websites talk about the script apache2-ssl-certificate to make a certificate. The problem is that, for some reason, this script is no longer part of the apache2 package. There are ways to extract the script from other apache2 packages, but I found it easier to create a certificate with make-ssl-cert.

Note 2: make-ssl-cert generates a certificate which by default expires after 30 days. After 30 days it can still be used, but the browser will show another warning. Does somebody know how to generate a certificate which expires after 365 days (which I thought is the maximum)?


sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/localhost.pem

When using make-ssl-cert, the script asks some questions which need to be answered for the generation of the certificate:

  • Country Name
  • State or Province Name
  • Locality Name
  • Organisation Name
  • Organisation Unit Name
  • Host name: jdk-svn
  • Email address
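As an added example (not part of the original post), this is how to generate a self-signed certificate with an explicit validity period using openssl directly, which addresses the 30-day default of Note 2. The output file has the same layout as the one make-ssl-cert writes (private key followed by the certificate), so SSLCertificateFile can point at it; the hostname and path are the ones used in this post.

```shell
#!/bin/sh
# Added example, not from the original post: create a self-signed certificate
# with an explicit validity period (days) and check how much of it is left.
# Usage: make_selfsigned_pem jdk-svn 365 /etc/ssl/private/localhost.pem

make_selfsigned_pem() {
    host="$1"; days="$2"; out="$3"
    tmpdir=$(mktemp -d) || return 1
    # -nodes: unencrypted key, so Apache can start without a passphrase prompt
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$tmpdir/key.pem" -out "$tmpdir/cert.pem" \
        -subj "/CN=$host" >/dev/null 2>&1 || { rm -rf "$tmpdir"; return 1; }
    # Private key first, then the certificate; the file is readable by root only
    ( umask 077; cat "$tmpdir/key.pem" "$tmpdir/cert.pem" > "$out" )
    rm -rf "$tmpdir"
}

# Succeed only when the certificate in $1 stays valid for at least $2 more days
# (openssl skips the private-key block and reads the certificate block).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Running cert_valid_for_days against the certificate from a cron job is a simple way to get warned before the browser does.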

The Apache website configuration should be changed to make use of SSL and the certificate. Apache can have multiple website configurations (stored inside /etc/apache2/sites-available). A site is accessible (enabled) when it is inside the /etc/apache2/sites-enabled directory. Enabling a site can be done with the a2ensite tool; with a2dissite, a site can be disabled.

The default website configuration (the one serving the It works! page) will be used as the basis for the new SSL configuration:


cd /etc/apache2/sites-available
sudo cp default ssl

Edit the ssl configuration with your favorite text editor (for example gedit: sudo gedit ssl). Make the following changes (port 443 is the port number used for https):


NameVirtualHost * -> NameVirtualHost *:443
<VirtualHost *> -> <VirtualHost *:443>

Add the following between the <VirtualHost> tags (for example directly below ServerAdmin):


SSLEngine On
SSLCertificateFile /etc/ssl/private/localhost.pem

The ssl website should be enabled. Besides enabling the website, the Apache ssl module should also be enabled (which can be done with the a2enmod script):


sudo a2ensite ssl
sudo a2enmod ssl

Note 3: I only want to use the server for SVN access, so I want to disable the website running on port 80. Use sudo a2dissite default to disable the website on port 80.

After creating the ssl configuration and enabling the website, Apache should be restarted:


sudo /etc/init.d/apache2 restart

Note 4: when (re)starting Apache I got an error that the server name could not be determined. I fixed this by adding the ServerName to httpd.conf. Open the httpd.conf file (sudo gedit /etc/apache2/httpd.conf), which is empty by default, and add the line ServerName jdk-svn.

After restarting Apache, the ssl website should be accessible by pointing your web browser to https://jdk-svn (or from the machine itself: https://localhost). The same It works! page will be served (because we did not change what is served inside the ssl configuration). If you disabled the default site, you will get a Not found page when requesting http://jdk-svn. By the way, the first time you access the website over SSL, your browser will raise a security exception saying that the certificate cannot be verified. This is expected, because we created a self-signed certificate. Make an exception for this website inside your browser configuration.

Installation of Subversion

Apache2 and SSL are running; it is time for Subversion. Install the subversion package:


sudo apt-get install subversion

After Subversion is installed, a Subversion repository should be made. This repository will be accessible through Apache (SSL), with LDAP used for authentication and authorization. I created the Subversion repository inside the /var directory:


sudo mkdir /var/svn
sudo mkdir /var/svn/myrepository

The repository will be called myrepository. Because users will add and modify files inside SVN through Apache, the Apache user (www-data) should be the owner of the myrepository directory. If the permissions are not set correctly, you will end up with a read-only repository.

First set the ownership of the directory to the www-data user:


sudo chown -R www-data /var/svn/myrepository

The www-data group (of which the user www-data is a member) should be set as the group owner of this directory:


sudo chgrp -R www-data /var/svn/myrepository

It is important that files users add to the repository get the proper permissions. The setgid bit on the directories (the s in g+rws) makes newly created files and directories inherit the www-data group. Use the following command to do that:


sudo chmod -R g+rws /var/svn/myrepository

Use svnadmin to turn it into a Subversion repository:


sudo svnadmin create /var/svn/myrepository

Because svnadmin added directories and files to the myrepository folder that do not have the right group write access, it is important to repeat the chmod command:


sudo chmod -R g+rws /var/svn/myrepository
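The ownership and permission steps above, applied and then verified, as an added example that is not part of the original post. The check flags any directory that is not owned by www-data:www-data with group write and setgid set, and any file that is not owned by www-data:www-data with group write set; this is what a repository that silently turned read-only for Apache looks like after something else created files in it. The user and group names are the post's (www-data).

```shell
#!/bin/sh
# Added example, not from the original post: apply the post's ownership and
# permission rules to a repository tree and verify them afterwards.
# Usage: fix_repo_perms /var/svn/myrepository && check_repo_perms /var/svn/myrepository

# Apply the post's three commands in order: owner, group, then group rwx + setgid.
fix_repo_perms() {
    repo="$1"; owner="${2:-www-data}"; grp="${3:-www-data}"
    chown -R "$owner" "$repo" && chgrp -R "$grp" "$repo" && chmod -R g+rws "$repo"
}

# Succeed only when every directory is owned by $owner:$grp and has group write
# plus setgid (octal 2020), and every file is owned by $owner:$grp and has group
# write (octal 020). Offending paths are printed so they can be fixed.
check_repo_perms() {
    repo="$1"; owner="${2:-www-data}"; grp="${3:-www-data}"
    bad=$( {
        find "$repo" -type d \( ! -user "$owner" -o ! -group "$grp" -o ! -perm -2020 \)
        find "$repo" -type f \( ! -user "$owner" -o ! -group "$grp" -o ! -perm -020 \)
    } )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```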

The repository is now created. Let’s integrate it with Apache. We don’t use LDAP yet, so we can first see whether the integration works.

For the Apache and Subversion integration, the libapache2-svn package is needed. Install this package:


sudo apt-get install libapache2-svn

Change the ssl website configuration (sudo gedit /etc/apache2/sites-available/ssl) by adding the following part between the <VirtualHost> tags, for example just below the last </Directory> tag:


<Location /repos>
   DAV svn
   SVNParentPath /var/svn
   SVNListParentPath on
</Location>

The location /repos means that you can access the repositories by going to https://jdk-svn/repos in your browser. You can change this if you prefer a different location. SVNParentPath /var/svn is the location where the repositories are stored on the local file system. With SVNListParentPath on you will get a page listing the different repositories when opening https://jdk-svn/repos. If you set this to off (or remove the line) you will get a Not Found error; in that case you can still access a repository by going directly to the repository location (https://jdk-svn/repos/myrepository).

Restart Apache (sudo /etc/init.d/apache2 restart) to make the changes visible. When opening the URL https://jdk-svn/repos in your browser, you will get a list of the available repositories (in this case only myrepository).

LDAP integration

Apache and Subversion are working together, but everybody has access. LDAP will be used to only allow access to members of an Active Directory. By using LDAP we can centralize authorization/authentication and don’t have to configure access inside different configuration files.

For the LDAP integration two Apache modules should be enabled: ldap and authnz_ldap. The ldap module is automatically enabled when enabling the authnz_ldap module:


sudo a2enmod authnz_ldap

Note 5: I am using Microsoft Active Directory, which does not allow anonymous access for retrieving the members of an Active Directory. To solve this I created a new Windows account inside the Active Directory which does not have terminal access (cannot log in on Windows workstations). The problem with not having anonymous access (or a more limited account than one with terminal access disabled) is that the username and password have to be set as plain text inside the ssl configuration. For now I think that is fine, but of course I prefer a safer solution. Post your ideas by adding a comment to this blog item.

Edit the ssl configuration file (sudo gedit /etc/apache2/sites-available/ssl) and add the following inside the <Location /repos> block:


...
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthName "jdk-svn"
AuthUserFile /dev/null
AuthLDAPURL "ldap://activedirectory.johandekoning.nl:3268/DC=johandekoning,DC=nl?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=<ldap_username>,CN=users,DC=johandekoning,DC=nl"
AuthLDAPBindPassword  <ldap_password>
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member

SSLRequireSSL
Require valid-user

Adapt this configuration to your Active Directory installation (the AuthLDAPURL, AuthLDAPBindDN and AuthLDAPBindPassword).

Restart Apache (sudo /etc/init.d/apache2 restart) and go to https://jdk-svn/repos with a web browser. A login dialog will be shown asking for a username and password. Use the Windows username and password of a user who is part of the Active Directory. When the login is successful you will see the repository list again.
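Because the bind password of Note 5 sits in clear text in the site configuration, the least that should hold is that the file is not readable by any group or by other users; Apache reads its configuration as root at startup, so root-only access (mode 600) does not break the server. The following check is an added example, not part of the original post; the directory it is run against is an assumption (the post's /etc/apache2/sites-available).

```shell
#!/bin/sh
# Added example, not from the original post: find site configuration files that
# carry an AuthLDAPBindPassword and are readable by their group or by others.
# Usage: check_bind_password_files /etc/apache2/sites-available

# Print every file directly under $1 that contains AuthLDAPBindPassword and is
# group- or world-readable; succeed only when there is none.
check_bind_password_files() {
    dir="$1"; exposed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Directive names are case-insensitive and may be indented inside <Location>
        grep -qi '^[[:space:]]*AuthLDAPBindPassword' "$f" || continue
        # -perm -040: group-readable, -perm -004: world-readable
        if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
            printf 'bind password readable by group/others: %s\n' "$f"
            exposed=1
        fi
    done
    return "$exposed"
}
```

A file the check reports can be fixed with chmod 600 and chown root:root, after which Apache still starts normally.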

Clean up apache ssl configuration

The ssl configuration still contains parts that are not needed when you only want to use Apache for the Subversion integration. For example, the It works! page is still served when opening https://jdk-svn. Clean up the ssl configuration (sudo gedit /etc/apache2/sites-available/ssl) by removing the following parts:


DocumentRoot /var/www/

<Directory />
   Options FollowSymLinks
   AllowOverride None
</Directory>
<Directory /var/www>
   ...
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
   ...
</Directory>

And remove this part:


Alias /doc "/usr/share/doc/"
<Directory "/usr/share/doc/">
   ...
</Directory>

Restart Apache (sudo /etc/init.d/apache2 restart) and check that the It works! page is no longer served (https://jdk-svn will return a Not found message).

What’s next?

You have finished the installation and configuration of Apache, SSL, Subversion and the LDAP integration. You can now use your favorite Subversion applications to modify the content of the repository.

The LDAP integration gives users who are in the Active Directory access to Subversion. I am still searching for ways to make more use of the Active Directory and LDAP mechanism, for example defining the access to repositories for each user inside Active Directory (and not inside Apache configuration files, because I want to keep these settings centralized). If you have any idea how to define this within Active Directory, please post it as a comment. Besides access to repositories you can also think about read-only access.

The SSL configuration

To summarize the changes made to the ssl configuration, here is the final ssl configuration file:


NameVirtualHost *:443
<VirtualHost *:443>
        ServerAdmin [email protected]
        SSLEngine On
        SSLCertificateFile /etc/ssl/private/localhost.pem

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

        <Location /repos>
                DAV svn
                SVNParentPath /var/svn
                SVNListParentPath on

                AuthType Basic
                AuthBasicProvider ldap
                AuthzLDAPAuthoritative on
                AuthName "jdk-svn"
                AuthUserFile /dev/null
                AuthLDAPURL "ldap://activedirectory.johandekoning.nl:3268/DC=johandekoning,DC=nl?sAMAccountName?sub?(objectClass=*)"
                AuthLDAPBindDN "CN=<ldap_username>,CN=users,DC=johandekoning,DC=nl"
                AuthLDAPBindPassword <ldap_password>
                AuthLDAPGroupAttributeIsDN on
                AuthLDAPGroupAttribute member

                SSLRequireSSL
                Require valid-user
        </Location>
</VirtualHost>