There are a few different ways to integrate Windows Active Directory (Domain) authentication with SVN. Specifically the two that seemed most promising were LDAP and SSPI, with SSPI looking the most straightforward, so that is the one that I will outline here.
Include dependent modules
First we need to include the Apache modules we’ll be using.
1. Add to the “httpd\modules” directory, the following files:
2. Add to the “httpd\conf\httpd.conf” file, the following lines:
- LoadModule sspi_auth_module modules/mod_auth_sspi.so
- LoadModule authz_svn_module modules/mod_authz_svn.so
Create svn access file
In the “httpd\conf” directory, create a new file called “svnaccess.conf”
Using active directory (windows domain) groups will be discussed later.
Add something similar to the following to this file:
```
[groups]
engineers = MYDOMAIN\bob, MYDOMAIN\patty, MYDOMAIN\steve
temps = MYDOMAIN\julie, MYDOMAIN\george

[/]
@engineers = rw
@temps = r

[/customer1/internal_work]
@temps = rw
```
Note that you can set different permissions for different groups or individuals at any folder level. Permissions will apply to subdirectories unless a more specific assignment is made. For instance, the @temps group has read (“r”) access to everything but has read-write (“rw”) access to the /customer1/internal_work directory.
Modify “Location” tag in httpd.conf file
In the “httpd/conf/httpd.conf” file, modify the Location tag to look similar to the following:
```
<Location /repos>
  DAV svn
  SVNPath c:\svn_repository
  AuthName "Subversion Authentication"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  SSPIOfferBasic On
  SSPIDomain MYDOMAIN
  require valid-user
  AuthzSVNAccessFile "conf/svnaccess.conf"
</Location>
```
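That tells this specific location/repository to use our SSPI authentication with the domain “MYDOMAIN”. The “require valid-user” line makes sure the client is authenticated as a user (any user) in the domain, and the AuthzSVNAccessFile “conf/svnaccess.conf” line says that the remaining authorization rules are defined in the svnaccess.conf we set up earlier. “SSPIOfferBasic On” lets clients that cannot negotiate SSPI fall back to Basic authentication, which sends the domain password only base64-encoded, so serve this location over HTTPS when it is enabled.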
Using Active Directory (Windows Domain) Groups
I did quite a bit of searching around to find out how to use existing Active Directory (Windows Domain) groups in the svn access file. The best I could find was: http://www.thoughtspark.org/node/26 where they create a custom Python script that is periodically run, which queries the Active Directory and then modifies the svnaccess.conf file to add the group information. This is definitely a hack approach, but the best solution I could find.
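The group-sync step described above, as an added example that is not the script from the linked page: it takes group membership already fetched from Active Directory (here a constructed dictionary; the directory query itself is assumed) and rewrites only the [groups] section of svnaccess.conf, rejecting names that could inject extra lines or sections into the file. The function names and the name allow-list are hypothetical.

```python
import os
import re
import tempfile

# Assumed allow-list, checked with fullmatch: newline, '=', '[' or ',' in a
# name from the directory could smuggle extra rules into the authz file.
MEMBER_RE = re.compile(r"[A-Za-z0-9_.-]+\\[A-Za-z0-9_.$-]+")
GROUP_RE = re.compile(r"[A-Za-z0-9_-]+")

# Constructed stand-in for what the Active Directory query would return.
SAMPLE_AD_GROUPS = {"engineers": ["MYDOMAIN\\patty", "MYDOMAIN\\bob"],
                    "temps": ["MYDOMAIN\\george"]}


def render_groups(groups):
    """Build the [groups] section from a {group: [members]} mapping."""
    lines = ["[groups]"]
    for name in sorted(groups):
        members = sorted(set(groups[name]))
        if not GROUP_RE.fullmatch(name):
            raise ValueError("unsafe group name: %r" % name)
        for member in members:
            if not MEMBER_RE.fullmatch(member):
                raise ValueError("unsafe member name: %r" % member)
        lines.append("%s = %s" % (name, ", ".join(members)))
    return "\n".join(lines) + "\n"


def replace_groups(authz_text, groups):
    """Swap the [groups] section and keep every path rule as written."""
    kept, in_groups = [], False
    for line in authz_text.splitlines():
        if line.strip().startswith("["):
            in_groups = line.strip().lower() == "[groups]"
        if not in_groups:
            kept.append(line)
    return render_groups(groups) + "\n" + "\n".join(kept).strip("\n") + "\n"


def sync_file(path, groups):
    """Validate first, then replace the file in one step (no partial writes)."""
    with open(path, encoding="utf-8") as fh:
        new_text = replace_groups(fh.read(), groups)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    os.replace(tmp, path)
    return new_text
```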
The following links were the most helpful in figuring all this out.