SVN – Authentication


SVN configuration with multi-authentications (2 Active Directory domains)

Here is an example of a vhost configuration for an SVN. It allows users to be authenticated with 2 different Active Directory domains.

#Authentication providers
<AuthnProviderAlias ldap firstone>
        AuthLDAPBindDN "CN=svn-generic,OU=Service Accounts,DC=firstone,DC=com"
        AuthLDAPBindPassword jtCCkWW6
        AuthLDAPURL ldap://dc01.firstone.com:3268/?sAMAccountName?sub?
</AuthnProviderAlias>

<AuthnProviderAlias ldap secondone>
        AuthLDAPBindDN "CN=svn-generic,OU=Service Accounts,DC=secondone,DC=com"
        AuthLDAPBindPassword xh3J1VZX
        AuthLDAPURL ldap://dc01.secondone.com:3268/?sAMAccountName?sub?
</AuthnProviderAlias>

# Subversion Repository
<Location /data/lib-repository>
        DAV svn
        SVNPath /opt/svn/repo
        AuthName "Welcome on the SVN server of Lib"
        AuthType Basic
        AuthBasicProvider firstone secondone
        AuthzLDAPAuthoritative off

        #Permissions
        AuthzSVNAccessFile /data/conf/lib-repository/svnaccess

        require valid-user
</Location>

First, we declare the two providers. Each one is a connection string that binds to an AD domain with a generic service account, which is then used to look up and authenticate the users' accounts. Then, in each <Location>, we list both providers in the AuthBasicProvider directive.

It is really important to set AuthzLDAPAuthoritative to off: if authentication against the first provider fails, the second one is checked. This is the case for all users who exist in the 2nd domain but not in the 1st.

SVN configuration with multi-authentications (1 Active Directory Domain and 1 htpasswd file)

Here we have a vhost configuration where users are authenticated against an LDAP server OR against a file:

<Location "/">
        Dav svn
        SVNPath /data/lib-repository

        #Authentication
        AuthType Basic
        AuthName "Welcome on the SVN server of Lib"
        AuthBasicProvider file ldap

        AuthUserFile /data/conf/lib-repository/svn-htpasswd

        AuthzLDAPAuthoritative off
        AuthLDAPCompareDNOnServer on
        AuthLDAPURL ldap://dc01.domain.com:3268/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)
        AuthLDAPBindDN svn-generic@domain.com
        AuthLDAPBindPassword gGuFY4gx

        #Permissions
        AuthzSVNAccessFile /data/conf/lib-repository/svnaccess

        Require valid-user
</Location>

In this case, AuthBasicProvider is set to: file ldap. This provides two kinds of authentication. Next, we give the location of the htpasswd file, which allows the users defined in it to authenticate. Then, we must configure the connection string to the AD domain.

We must set AuthzLDAPAuthoritative to off so that authentication is not restricted to the AD domain alone.
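
Both vhosts above store the bind password inline and query the domain controller over ldap://. As an added example (not part of the original post), this Python check flags those two settings, the AuthzLDAPAuthoritative directive (removed in httpd 2.4) and any AuthBasicProvider name that has no matching <AuthnProviderAlias>. The function name audit, the finding codes and the sample values are assumptions made for this example, and a server-wide LDAPTrustedMode is not taken into account.

```python
import re

# Provider names registered by modules shipped with httpd; third-party modules may add more.
BUILTIN = {"file", "ldap", "dbm", "dbd", "anon", "socache"}
ALIAS_RE = re.compile(r"<AuthnProviderAlias\s+\S+\s+([^\s>]+)\s*>", re.I)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a quoted argument counts as one token

def audit(config_text):
    """Return sorted (line_no, code, detail) findings for an httpd config fragment."""
    findings, aliases, used = [], set(), []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        alias = ALIAS_RE.match(line)
        if alias:
            aliases.add(alias.group(1).lower())
        if not line or line[0] in "#<":
            continue
        name, *args = [tok.strip('"') for tok in TOKEN_RE.findall(line)]
        name = name.lower()
        if name == "authldapbindpassword" and args and not args[0].startswith("exec:"):
            findings.append((no, "INLINE_BIND_PASSWORD", "secret readable from this file"))
        elif name == "authldapurl" and args:
            mode = args[1].upper() if len(args) > 1 else "NONE"
            if args[0].lower().startswith("ldap://") and mode not in ("SSL", "TLS", "STARTTLS"):
                findings.append((no, "CLEARTEXT_LDAP", args[0]))
        elif name == "authzldapauthoritative":
            findings.append((no, "REMOVED_IN_2_4", "directive does not exist in httpd 2.4"))
        elif name == "authbasicprovider":
            used += [(no, p) for p in args]
    for no, provider in used:
        if provider.lower() not in aliases | BUILTIN:
            findings.append((no, "UNDEFINED_PROVIDER", provider))
    return sorted(findings)

# Constructed sample based on the two-domain vhost: placeholder host/password, "secondone" alias omitted on purpose.
SAMPLE = """\
<AuthnProviderAlias ldap firstone>
    AuthLDAPBindDN "CN=svn-generic,OU=Service Accounts,DC=firstone,DC=example"
    AuthLDAPBindPassword PLACEHOLDER-not-a-real-secret
    AuthLDAPURL ldap://dc01.firstone.example:3268/?sAMAccountName?sub?
</AuthnProviderAlias>
<Location /data/lib-repository>
    AuthBasicProvider firstone secondone
    AuthzLDAPAuthoritative off
</Location>
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A value starting with exec: (supported by AuthLDAPBindPassword since httpd 2.4.5) is not flagged, because the secret then lives outside the configuration file.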
