[TOC]
Host is **svn.example.com**. There are basically two ways of serving up
a Subversion repository. One uses `svnserve`, a lightweight server
(default port 3690). The other leverages Apache (`httpd`) via the
WebDAV protocol.

The latter is more complex, but it is extremely flexible in terms of
administration and is the basis for this setup guide. I will be setting
up a single repository at `https://svn.example.com/repository` with SSL,
LDAP-based authentication, and project-specific access control.

Installation
------------
### Getting the RPM
I'm putting the SVN root in `/home/svn` as well. This can be anywhere.

    yum install subversion mod_dav_svn

This will install Apache and other dependencies as well.

    service httpd start
    chkconfig --level 345 httpd on

Make sure it's working, and that `iptables` is not causing any issues.
You can use `nmap` for this purpose or just go to
.
### Preparing `subversion.conf`
Installing the packages will create a new Apache configuration file
in `/etc/httpd/conf.d` called `subversion.conf`. You need to edit this
file to set up the location of the repository.

First uncomment these lines if they've not been uncommented:

    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so

Define the SVN root:

    <Location /repository>
        DAV svn
        SVNPath /home/svn/repository
    </Location>

Now you can add simple authentication or use LDAP.

Configuration
-------------
### Simple Authentication
This uses basic `htpasswd`-based authentication. Passwords are sent
in the clear (Basic authentication only base64-encodes them) if you
don't enable SSL. You can also use digest-based authentication, which
is slightly more secure.

For this scheme, our `/etc/httpd/conf.d/subversion.conf` file will have
the following directive:

    <Location /repository>
        DAV svn
        SVNPath /home/svn/repository

        # Simple authentication
        AuthType Basic
        AuthName "SVN Server"
        AuthUserFile /home/svn/authorized-users
        Require valid-user
    </Location>

Here, we use `/home/svn/authorized-users` to authenticate. Create this
file and add a user with:

    [root@svn ~]# htpasswd -cm /home/svn/authorized-users testuser
    New password:
    Re-type new password:
    Adding password for user testuser

### Setting up the repository

    svnadmin create /home/svn/repository

Make absolutely sure that Apache owns this directory and its
descendants!

    chown -R apache:apache /home/svn/repository

### Testing the Configuration
At this point, you should have a repo accessible via Apache, with
password sent in clear text (we'll change that). I went to
`http://svn.example.com` and saw the image to the right after entering
my credentials for testuser.
Excellent! Test it now! I tested this config with Eclipse (with the
Subclipse plugin.)
### Securing with SSL
To secure stuff with SSL, generate or use a certificate and enable
Apache with `mod_ssl`. Change `subversion.conf` so that all traffic on
port 80 is redirected to port 443 (which uses the certs we've created).

    ServerName svn.example.com
    RewriteEngine On
    RewriteRule .* https://svn.example.com%{REQUEST_URI} [L,R=301]

Restart `httpd` and you're good to go!

### LDAP integration
In this example, I will be using **directory.example.com** as the (Open
Directory-based) LDAP provider. Change the basic authentication scheme
to match this:

    # # If using some CA file
    # LDAPTrustedMode NONE
    # LDAPTrustedGlobalCert CA_DER /etc/pki/tls/certs/root_ca.crt
    # (LDAPVerifyServerCert off disables checking of the LDAP server's certificate)
    # LDAPVerifyServerCert off

    <Location /repository>
        # Define the repository location
        DAV svn
        SVNPath /home/svn/repository

        # Integrate with LDAP server
        # (a plain ldap:// URL means the bind to the directory is not encrypted)
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "SVN Server"
        AuthzLDAPAuthoritative off
        AuthLDAPURL "ldap://directory.example.com/cn=users,dc=directory,dc=example,dc=com?uid?sub?(objectClass=*)"
        Require valid-user
        AuthzSVNAccessFile /home/svn/repository/conf/authz
    </Location>

**It is important** that you set `AuthBasicProvider ldap`. If not,
Apache will look for a password file and not even bother to authenticate
against your LDAP server. You'll also see something like this when
restarting the `httpd` daemon:

    Invalid command 'AuthLDAPAuthoritative', perhaps misspelled or defined by a module not included in the server configuration

I had terrible luck with setting `AuthzLDAPAuthoritative` to "on". You
can read the Apache `mod_authnz_ldap` page for more information on these
directives. They're quite flexible when configuring multiple
repositories, with respect to user and group access.

Now that you have a single repository, you can fine-tune access with the
`AuthzSVNAccessFile` directive. By default, and when you use
`svnadmin create`, you get an `authz` file in your repository's `conf`
folder. In the Apache configuration above, it's the file I've used to
tweak folder access.
Project Management within a Repository
--------------------------------------
### Creating a project
This is very simple. It's vitally important that your project folder
contains three sub-folders: **trunk**, **branches** and **tags**. All
the code you want to check into the repository must be in **trunk**.
#### Step 1: Create the required directory structure

    mkdir -p /tmp/newproject/{trunk,branches,tags}

#### Step 2: Copy/move project files into `trunk`

    cp -R /path/to/project/files/* /tmp/newproject/trunk/

#### Step 3: Perform the first commit

    cd /tmp
    svn import newproject https://svn.example.com/repository/myproject --message "Initial import" --username myuser

Observe that my project is called `newproject` on my local machine but
is `myproject` on the SVN server. You may or may not choose to do this,
but the option is available.

You may get a dialog about the certificate used to secure the
transaction. Accept the key permanently. You will then be required to
supply a password.

#### Step 4: Working with your project

Most typical CVS actions should apply (prefixed with an `svn` of
course). For example, to check out the project created above:

    svn checkout https://username@svn.example.com/repository/myproject

The Google teems with SVN cheatsheets.
### Modifying Access Control
**Important**: Only root can do this. Talk to your friendly sysadmin for
project-specific access control. By default, your newly created project
will be world accessible (i.e. to *all authenticated* users.)
Here's an example where I created a folder for a rather sinister project
called `thiswillendpoorly` and have given write access only to user
`nanand` and read access to `machrist`. *The leading slash is
important!*

    # Deny world access to repository root (no one needs to get a project listing)
    [/]
    * =

    # Allow only Nikhil and Mark to access this terrible project (Mark can only read)
    [/thiswillendpoorly]
    nanand = rw
    machrist = r
    * =

If you had multiple repositories, you would need to:

* Change the Apache directive `SVNPath` to `SVNParentPath`
* Specify the repository in the `authz` file

Here's an example:

    [repository1:/path]
    user1 = rw
    user2 = r

    [repository2:/path]
    * = rw

If you specified a path without specifying the repository, the filter is
applied across *all* repositories! This [is explained
here](http://svnbook.red-bean.com/en/1.0/svn-book.html#svn-ch-6-sect-4.4.2).
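
To see how these sections combine, here is an added example (not part of the original guide, and not Subversion's own code): a simplified Python model of `authz` resolution, most specific path first and repository-qualified section before unqualified, run over a constructed file that merges the two examples above. The function names are hypothetical, and groups, aliases and `$authenticated` tokens are not handled.

```python
import configparser
import posixpath

# Constructed sample: the page's single-repository rules plus one repo-qualified section.
SAMPLE_AUTHZ = """\
[/]
* =
[/thiswillendpoorly]
nanand = rw
machrist = r
* =
[repository2:/path]
* = rw
"""

def parse_authz(text):
    """Return {(repo or None, path): {principal: rights}}. Groups and aliases are skipped."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # user names are case-sensitive
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        repo, _, path = section.rpartition(":")
        if path.startswith("/"):  # ignores [groups] and [aliases]
            rules[(repo or None, path)] = dict(cp[section])
    return rules

def effective_access(rules, user, repo, path):
    """Walk from path up to '/', using the first section that names the user or '*'."""
    path = posixpath.normpath("/" + path.strip("/"))
    while True:
        for key in ((repo, path), (None, path)):  # repo-qualified section wins
            entries = rules.get(key, {})
            matched = [entries[p] for p in (user, "*") if p in entries]
            if matched:  # rights granted within one section accumulate
                return "".join(sorted(set("".join(matched)) & {"r", "w"}))
        if path == "/":
            return ""  # no rule matched: access denied
        path = posixpath.dirname(path)

def unqualified_sections(rules):
    """Paths whose rules apply to every repository under SVNParentPath."""
    return sorted(path for repo, path in rules if repo is None)

if __name__ == "__main__":
    rules = parse_authz(SAMPLE_AUTHZ)
    for who in ("nanand", "machrist", "someoneelse"):
        print(who, repr(effective_access(rules, who, "repository", "/thiswillendpoorly/trunk")))
    print("apply to all repositories:", unqualified_sections(rules))
```

Note that `effective_access(rules, "nanand", "repository2", "/thiswillendpoorly")` also yields `rw`: the unqualified section follows the user into every repository, which is the pitfall described above.
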
Miscellaneous
-------------
### Special note about LDAP groups
You cannot do LDAP group-based authentication in SVN with the `authz`
file. However, I've seen [a python
script](http://www.thoughtspark.org/node/26) which can import LDAP
groups.
### Few pointers on multiple repository configuration

* If you plan on hosting multiple repositories, you need to change
  `SVNPath` to `SVNParentPath`.
* *Apache will NOT allow you to access the root defined as
  `SVNParentPath`!* You need to create repositories using
  `svnadmin create` and can then access them through
  `http://svn.example.com/{path in SVNParentPath}/{name of repository}`.
  There's [more information in the official handbook about
  this](http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.basic).

### Configuring for use with Self-Signed Certificates
Assuming that your Root CA is called **`root_ca.crt`**, create and edit
`/etc/sysconfig/servers` to add the following:

    [global]
    ssl-authority-files = /etc/pki/tls/certs/root_ca.crt

The other option is to use the system-wide keystore at
`/etc/pki/tls/certs/ca-bundle.crt` by appending the ASCII version to the
end of this file.

Resources
---------
* [mod\_authnz\_ldap directives - Apache page](http://httpd.apache.org/docs/2.1/mod/mod_authnz_ldap.html)
* [Subversion on CentOS (Wiki)](http://wiki.centos.org/HowTos/Subversion)
* [Single or multiple repositories?](http://stackoverflow.com/questions/252459/one-svn-repository-or-many/252717#252717)
* [Version Control with Subversion](http://svnbook.red-bean.com/)
* [SubVersion with Apache and LDAP integration](http://blogs.open.collab.net/svn/2009/03/subversion-with-apache-and-ldap-updated.html)
* [Per-directory access control in SVN](http://svnbook.red-bean.com/en/1.0/svn-book.html#svn-ch-6-sect-4.4.2)
### Active Directory Integration
* [Apache and Subversion authentication with Microsoft Active Directory](http://www.jejik.com/articles/2007/06/apache_and_subversion_authentication_with_microsoft_active_directory/)
* [mod\_auth\_kerb and mod\_authnz\_ldap bring Apache web apps into the Enterprise](http://www.wadewoolwine.com/2009/01/28/mod_auth_kerb-and-mod_authnz_ldap-bring-apache-web-apps-into-the-enterprise/)
* [Apache 2.2 – authnz\_ldap – Active Directory](http://michele.pupazzo.org/diary/?p=227)