Monthly Archives: October 2009

Active Directory (Windows Domain) Authentication with Subversion (SVN)

There are a few different ways to integrate Windows Active Directory (Domain) authentication with SVN. Specifically the two that seemed most promising were LDAP and SSPI, with SSPI looking the most straightforward, so that is the one that I will outline here.

Include dependent modules
First we need to include the Apache modules we’ll be using.

1. Add to the “httpd\modules” directory, the following files:

  • mod_auth_sspi.so
  • mod_authz_svn.so

2. Add to the “httpd\conf\httpd.conf” file, the following lines:

  • LoadModule sspi_auth_module modules/mod_auth_sspi.so
  • LoadModule authz_svn_module modules/mod_authz_svn.so

Create svn access file
In the “httpd\conf” directory, create a new file called “svnaccess.conf”.

Using Active Directory (Windows domain) groups will be discussed later.

Add something similar to the following to this file:

[groups]
engineers = MYDOMAIN\bob, MYDOMAIN\patty, MYDOMAIN\steve
temps = MYDOMAIN\julie, MYDOMAIN\george

[/]
@engineers = rw
@temps = r

[/customer1/internal_work]
@temps = rw

Note that you can set different permissions for different groups or individuals at any folder level. Permissions will apply to subdirectories unless a more specific assignment is made. For instance, the @temps group has read (“r”) access to everything but has read-write (“rw”) access to the /customer1/internal_work directory.

Modify “Location” tag in httpd.conf file

In the “httpd/conf/httpd.conf” file, modify the Location tag to look similar to the following:

<Location /repos>
	DAV svn
	SVNPath c:\svn_repository

	AuthName "Subversion Authentication"
	AuthType SSPI
	SSPIAuth On
	SSPIAuthoritative On
	SSPIOfferBasic On
	SSPIDomain MYDOMAIN
	require valid-user

	AuthzSVNAccessFile "conf/svnaccess.conf"
</Location>

That tells this specific location/repository to use our SSPI authentication with the domain “MYDOMAIN”. The “require valid-user” line makes sure they are authenticated as a user (any user) in the domain, and then the AuthzSVNAccessFile “conf/svnaccess.conf” line says that the remaining authorization rules are defined in the svnaccess.conf we set up earlier. Because “SSPIOfferBasic On” lets clients fall back to Basic authentication, which sends the domain password merely base64-encoded, serve this location over HTTPS.

Using Active Directory (Windows Domain) Groups

I did quite a bit of searching around to find out how to use existing Active Directory (Windows Domain) groups in the svn access file. The best I could find was: http://www.thoughtspark.org/node/26 where they create a custom Python script that is run periodically, queries Active Directory, and then modifies the svnaccess.conf file to add the group information. This is definitely a hack approach, but the best solution I could find.
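A sketch of the regeneration step such a script needs, added here as an example (it is not the thoughtspark.org script or code from this post). It assumes the group membership has already been fetched from Active Directory into a dict; `render_groups`, `sync_groups`, `SAMPLE_AUTHZ` and `AD_MEMBERS` are hypothetical names.

```python
import re

# Conservative account/group name check (an assumption of this example): rejects
# newlines, commas, '=', '[' and '#', any of which would let a directory value
# rewrite the structure of the authz file.
SAFE_NAME = re.compile(r"[A-Za-z0-9._$-]{1,64}")

def render_groups(members, domain):
    """Build the [groups] section from {group: [account, ...]}."""
    lines = ["[groups]"]
    for group in sorted(members):
        accounts = sorted(set(members[group]))
        if not accounts:
            # An empty result usually means the directory query failed; writing
            # it would silently revoke access, so stop and keep the old file.
            raise ValueError(f"group {group!r} has no members")
        for name in [group, domain, *accounts]:
            if not SAFE_NAME.fullmatch(name):
                raise ValueError(f"unsafe name {name!r}")
        lines.append(f"{group} = " + ", ".join(f"{domain}\\{a}" for a in accounts))
    return lines

def sync_groups(authz_text, members, domain):
    """Return authz_text with only its [groups] section replaced."""
    out, in_groups, replaced = [], False, False
    new_section = render_groups(members, domain)
    for line in authz_text.splitlines():
        if line.strip().startswith("["):
            in_groups = line.strip() == "[groups]"
            if in_groups:
                out.extend(new_section + [""])
                replaced = True
                continue
        if not in_groups:
            out.append(line)  # path rules such as [/] are kept untouched
    if not replaced:
        out = new_section + [""] + out
    return "\n".join(out) + "\n"

# Constructed sample input: a stale svnaccess.conf and a made-up AD query result.
SAMPLE_AUTHZ = "[groups]\nengineers = MYDOMAIN\\bob\n\n[/]\n@engineers = rw\n@temps = r\n"
AD_MEMBERS = {"engineers": ["bob", "patty", "steve"], "temps": ["julie", "george"]}

if __name__ == "__main__":
    print(sync_groups(SAMPLE_AUTHZ, AD_MEMBERS, "MYDOMAIN"))
```

Write the returned text to a temporary file in the same directory and swap it in with `os.replace`, so Apache never reads a half-written svnaccess.conf.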

Helpful links
The following links were the most helpful in figuring all this out.

http://geekswithblogs.net/flanakin/archive/2005/08/31/51743.aspx
http://blog.michaelcheng.idv.hk/2006/10/windows-domain-authentication-with.html
http://www.subversionary.org/sspidomainauth
http://www.thoughtspark.org/node/26
http://blogs.open.collab.net/svn/2009/03/subversion-with-apache-and-ldap-updated.html