Anonymous SVN Checkout but Authenticate Commit

I am setting up an SVN repository using Httpd. My repository is currently available via Httpd, but anyone can check out and commit. I want to limit the commit action using Microsoft Active Directory authentication.

I use the following in my subversion.conf .

    <Location /repos>
        DAV svn
        # Directory containing all repository for this path
        SVNParentPath /srv/svn/repositories
        # List repositories collection
        SVNListParentPath On
        # Enable WebDAV automatic versioning
        SVNAutoversioning On
        # Repository Display Name
        SVNReposName "RepositoryName"
        # Do basic password authentication in the clear
        AuthType Basic
        # The name of the protected area or "realm"
        AuthName "RepositoryName"
        # Make LDAP the authentication mechanism
        AuthBasicProvider ldap
        # Make LDAP authentication is final
        AuthzLDAPAuthoritative off
        # Active Directory requires an authenticating DN to access records
        #AuthLDAPBindDN "ou=people,o=example,dc=com"
        # The LDAP query URL
        AuthLDAPURL "ldap://example.com:389/DC=com,DC=example,ou=people?uid(objectClass=*)" NONE
        # Read access to everyone
        Satisfy Any
        # Require a valid user
        Require valid-user
        # Authorization file
        AuthzSVNAccessFile /subversion/apache2/auth/repos.acl
        # Limit write permission to list of valid users.
        #<LimitExcept GET PROPFIND OPTIONS REPORT>
            # Require SSL connection for password protection.
            # SSLRequireSSL
            #AuthType Basic
            #AuthName "Authorization Realm"
            #AuthUserFile /etc/httpd/conf/.htpasswd
            #Require valid-user
        #</LimitExcept>
    </Location>

With the above configuration, it asks for credentials every time. In addition, the repository is not available when provided. I get a 500 Internal Server Error after providing the correct credentials.

I checked the log files, but there was nothing to indicate the actual reason.

+6
5 answers

Ok I did the first part.

With reference to the 6. Access control lists section here, I added read-only access to the AuthzSVNAccessFile.

    # Authorization file
    AuthzSVNAccessFile /srv/svn/repos.acl

The contents of the file /srv/svn/repos.acl

    [/]
    * = r

Now all my repositories will be anonymously available. Now the commit part remains.

Now I get the following message when committing.

    Commit failed (details follow):
    Server sent unexpected return value (500 Internal Server Error) in response to MKACTIVITY request for '/repos/project1/!svn/act/783d45f7-ae05-134d-acb0-f36c007af59d'

+3

To allow public reading / checkout, you need to uncomment the bit between the <LimitExcept> directives and comment out the separate Require valid-user above it.

The <LimitExcept GET PROPFIND OPTIONS REPORT> directive tells the server that everything inside it does not apply to any GET, PROPFIND, OPTIONS or REPORT requests to the repository, which are the ones used to check out / read the repo. In other words, if you put this bit of code in your Apache configuration, it will only require a valid user for anything other than the methods mentioned (for example, a valid user will be required if a PUT request is made for a commit).

    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>

In your case, it should look something like this (I just changed your published configuration a bit, assuming that it is correct apart from the forced login; I do not have an LDAP server to check it). Note that you need to replace example.com in your AuthLDAPURL with your real server:

    <Location /repos>
        DAV svn
        # Directory containing all repository for this path
        SVNParentPath /srv/svn/repositories
        # List repositories collection
        SVNListParentPath On
        # Enable WebDAV automatic versioning
        SVNAutoversioning On
        # Repository Display Name
        SVNReposName "RepositoryName"
        # Do basic password authentication in the clear
        AuthType Basic
        # The name of the protected area or "realm"
        AuthName "RepositoryName"
        # Make LDAP the authentication mechanism
        AuthBasicProvider ldap
        # Make LDAP authentication is final
        AuthzLDAPAuthoritative off
        # Active Directory requires an authenticating DN to access records
        #AuthLDAPBindDN "ou=people,o=example,dc=com"
        # The LDAP query URL
        AuthLDAPURL "ldap://example.com:389/DC=com,DC=example,ou=people?uid(objectClass=*)" NONE
        # Authorization file
        AuthzSVNAccessFile /subversion/apache2/auth/repos.acl
        # Limit write permission to list of valid users.
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            SSLRequireSSL
            Require valid-user
        </LimitExcept>
    </Location>

As long as you put Require valid-user inside LimitExcept, everything should work the way you want it. The rest of the authentication configuration can be placed anywhere within the Location directive.

+6
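The effect of moving `Require valid-user` inside `<LimitExcept>`, as an added example that is not part of the original answers: a simplified Python check that lists which HTTP methods fall within scope of a `Require` directive. The two configs are abridged, constructed copies of the ones above, and the method lists are an assumed subset of what an SVN client sends.

```python
import re

# Read methods are the ones the answer exempts; the write list is an assumed
# subset that includes PUT and MKACTIVITY, both mentioned on this page.
READ = ["GET", "PROPFIND", "OPTIONS", "REPORT"]
WRITE = ["MKACTIVITY", "CHECKOUT", "PUT", "PROPPATCH", "MERGE", "DELETE", "MKCOL"]

# Constructed, abridged versions of the question's and the answer's configs.
QUESTION_CONF = """<Location /repos>
    DAV svn
    Require valid-user
    #<LimitExcept GET PROPFIND OPTIONS REPORT>
        #Require valid-user
    #</LimitExcept>
</Location>"""

ANSWER_CONF = """<Location /repos>
    DAV svn
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        SSLRequireSSL
        Require valid-user
    </LimitExcept>
</Location>"""


def methods_requiring_user(conf, methods=READ + WRITE):
    """Return the methods that fall within scope of a Require directive.

    Simplified model: follows <Limit>/<LimitExcept> nesting only and
    ignores Satisfy, Allow/Deny and the AuthzSVNAccessFile.
    """
    scope, stack, guarded = set(methods), [], set()
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        block = re.match(r"<(Limit|LimitExcept)\s+([^>]+)>", line, re.I)
        if block:
            listed = {name.upper() for name in block.group(2).split()}
            stack.append(scope)
            limit = block.group(1).lower() == "limit"
            scope = scope & listed if limit else scope - listed
        elif re.match(r"</Limit(Except)?>", line, re.I):
            scope = stack.pop()
        elif re.match(r"Require\s+", line, re.I):
            guarded |= scope  # every method in scope now needs a user
    return [name for name in methods if name in guarded]


if __name__ == "__main__":
    print("question:", methods_requiring_user(QUESTION_CONF))
    print("answer:  ", methods_requiring_user(ANSWER_CONF))
```
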

Every Subversion server I've seen:

  • Allows anonymous checkout without commit.
  • Requires authenticated checkout and allows commit.

I believe the Subversion commit process should be:

  • Get authentication data.
  • Authenticated checkout of code.
  • Reapply changes.
  • Commit changes.
+2

I suggest using Visual SVN Server. It supports Active Directory. Visual SVN Server installs the Apache and SVN files. It also creates the necessary conf file for Apache.

Install it with the necessary features and check its Apache configuration file. I also suggest using / buying it instead of maintaining your own Apache server if you can run it on a Windows machine.

+2

Just some notes:

  • I have never seen SVNAutoversioning used inside a Subversion location.
  • Reading the Apache error log may provide more details than the "500 Error" in case of problems.
  • I read here on SO some topics on CentOS Subversion issues related to the owner of the Apache process (some httpd processes have a different owner than others: nobody and httpd): check it with ps -au | grep
  • Commit problems are usually associated with insufficient permissions: the Apache process must have write permissions for all files in the repository.
  • Last but not least, with a higher priority than points 3-4: when using AuthzSVNAccessFile, at least one user group for at least one path must have write permissions ... = rw in order to commit. I do not know how to write the inherited AD user name in the repos.acl file.
+2
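An added example (not from the original posts) showing how the `[/] * = r` file from the first answer and the `= rw` note above interact. It is a simplified Python model of the access file that handles only user names and `*`; `alice` is a placeholder user name, and how an AD account name should be written in the file is not covered.

```python
# File from the first answer: everyone, including anonymous, may read.
FIRST_ANSWER_ACL = """
[/]
* = r
"""

# Constructed variant: "alice" is a placeholder, not a name from the page.
WITH_WRITER_ACL = """
[/]
* = r
alice = rw
"""


def parse_authz(text):
    """Parse access-file text into {path: {principal: permissions}}."""
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = rules.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            who, perms = (part.strip() for part in line.split("=", 1))
            section[who] = perms
    return rules


def access(rules, path, user=None):
    """Return '', 'r' or 'rw' for user on path; user=None means anonymous.

    Simplified model: no groups, aliases or per-repository sections. The
    deepest section with a line matching the user decides, and all matching
    lines in that section are combined.
    """
    path = "/" + path.strip("/")
    while True:
        entries = rules.get(path, {})
        matched = [p for who, p in entries.items() if who == "*" or who == user]
        if matched:
            return "".join(c for c in "rw" if any(c in p for p in matched))
        if path == "/":
            return ""
        path = path.rsplit("/", 1)[0] or "/"  # fall back to the parent path
```

With only `* = r`, an authenticated user still resolves to `r`, so a commit has no write permission to rely on until some entry grants `rw`.
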
