I have created SVN host using:
<Location /svn>
DAV svn
SVNParentPath /home/xxx/xxx/xxx/xxx/Main_Folder/company-1
AuthType Basic
SVNListParentPath On
AuthName "Test"
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>`
Although I have specified user privileges in svnserve.conf, it does not seem to "take it" because I can access the repository (see below) without any prompt for user/password.
Can you please point what am I doing wrong?
Thanks!
Read the docs, it seems that you use a wrong configuration file.
Configuration settings in the file svnserve.conf do not have any effect in this particular case. Your server runs Apache and Apache does not process svnserve.conf. This configuration file is used by svnserve custom server only.
Related
Initially I have installed apache server 2.4 in windows server 2012 R2 and i have installed apache subversion 1.8.7 and i have copied module files(.so files) from subversion to apache server.I have created a repository. I have setup the "AuthUserFile" and "AuthzSVNAccessFile" I have given following code in httpd.conf
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
AuthType Basic
AuthName "Subversion Project1 repository"
AuthUserFile c:/etc/svn-auth-file
Require valid-user
AuthzSVNAccessFile c:/etc/svn-acl
</Location>
I have used tortoise svn client to connect to repository which i have successfully connected I have successfully created files,commit the files.
Later i want to setup authentication with the active directory I have added following code in http.conf file
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
SVNParentPath E:\svn_testing
SVNListparentPath on
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
#AuthzLDAPAuthoritative off
AuthName "Active_directory_integration"
AuthzSVNAccessFile C:\etc\svn-acl
AuthLDAPURL "ldap://***********(ip address):389/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
#this assumes you have created a dedicated bind user "apache_bind" on your active directory
AuthLDAPBindDN "CN=Administrator,CN=users,DC=*******,DC=com"
#warning: this password for AD apache_bind user is in plain text!
AuthLDAPBindPassword *************
#AuthLDAPFollowReferrals off
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
#SSLRequireSSL
require ldap-group OU=********,DC=********,DC=com
#require valid-user
</Location>
But when i try to restart the server apache server it is showing "The Requested operation has failed" I have checked the log files but there is nothing there
It seem you are trying to search the whole AD-Catalog, as you do not specify any OU. this is not supported by Windows AD. However the whole Catalog is available by using port 3268
Please try this:
AuthLDAPURL "ldap://***********(ip address):3268/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPGroupAttribute member
require ldap-group OU=********,DC=********,DC=com
Organizational Units (ou) dont have the attribute member, according to https://msdn.microsoft.com/en-us/library/ms683886(v=vs.85).aspx.
You should try the DN of the group you want to access your repo.
On my server this would look like this:
require ldap-group cn=thegroup,ou=groups,dc=example,dc=com
Notice the cn, which is a groupOfNames with the member attribute in my case.
I am trying to set up an SVN server on a Linux server, but I am facing the issue in setting up the server:
Below is the configuration I did:
<Location /svn>
DAV svn
SVNParentPath /home/subver/public_html/svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile /etc/svn-auth-users
Require valid-user
</Location>
When I try to checkout from my local machine I am getting this error:
Redirect cycle detected for URL 'http:///svn'
Never place repositories physically under ordinary web-root - it's extremely bad and insecure and error-full idea
SVNParentPath /home/subver/public_html/svn + <Location /svn> is your problem. If public_html is web-root of "just Apache" (and it seems so) you have real subdirectory /svn, which you try to redefine with "virtual" Location under the same path and get permanent redirect between these two locations: real and virtual, as expected by any good Apache-admin
Move repositories outside web-space (YOU MUST DO IT), change SVNParentPath accordingly to new location.
Lame and lazy solution, source of future big headache - use another path, than /svn, for Location container
I set up SVN on Ubuntu using the tutorial How to set up a Subversion (SVN) server on GNU/Linux - Ubuntu, but when I try access the repository from other machine using CMD it says Access to /SVN is forbidden.
I changed the permission of the folder and tried other methods to resolve the issue like configuration of the Apache server, but that did not solve my problem.
How can I fix this problem?
Apache can read and write the repository, but its user (www-data) needs to be given ownership of it:
sudo chown -R www-data:www-data /var/svn/repositories/your_repo
To be able to authenticate users who access the repository a password file is needed:
sudo htpasswd -c /etc/subversion/passwd your_user_name
Enter a password for the user your_user_name. For additional users repeat the command without the -c option to make sure the existing file is appended to rather than replaced.
Then edit the Apache configuration file:
sudo gedit /etc/apache2/apache2.conf
Add the following to the end of the file:
#svn users
<Location /svn>
DAV svn
SVNParentPath /var/svn/repositories/
SVNListParentPath On
AuthType Basic
AuthName "Test"
AuthUserFile /etc/subversion/passwd
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
Save the configuration file and restart Apache:
sudo /etc/init.d/apache2 restart
The test repository can now be accessed via:
http://localhost/svn/your_repo
Make sure you have your virtual host set up like this for Apache:
<VirtualHost *:80>
DocumentRoot /home/svn/html
ServerName svn.domainname
ErrorLog logs/svn.domain.com-error_log
CustomLog logs/svn.domain.com-access_log common
<Directory "/home/svn/html">
Order allow,deny
Allow from all
AllowOverride all
</Directory>
<Location /repos>
DAV svn
SVNParentPath /home/svn/repos
Require valid-user
SVNListParentPath on
AuthType Basic
AuthName "Your Super SVN"
AuthUserFile /home/svn/svn-passwords-file-to-be-used-only-when-AuthType-is-used
AuthzSVNAccessFile /home/svn/svn-repos-acl-file-but-optional
</Location>
</VirtualHost>
And make sure Apache can access the repos folder mentioned in SVNParentPath. This issue is mostly because of permissions. Try chmod -R 0777 repos-folder and try again.
This might help someone if they are troubleshooting a setup that had previously been working. Today the new guy at our company inadvertently introduced a typo in the file used by AuthzSVNAccessFile and that caused all of us to experience the dreaded E175013
We are using a berkeley-db for authorisation of svn-access.
We have it configured like that:
<Location /svn>
AuthType basic
AuthName "svn Authentication"
AuthBasicProvider dbm
AuthDBMUserFile /****/userDatabase.db
AuthDBMType db
AuthDBMGroupFile /****/userDatabase.db
AuthzDBMType db
SSLRequireSSL
</Location>
Until here everything works fine and people gain access according to their respective groups. No I wanted / need to add some specific users to gain (read-only) access to one repository without changing their groups. I tried the following
<Location /svn/administration>
DAV svn
SVNPath /data/svn/administration
SVNPathAuthz off
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require group svn-admin-readwrite
</LimitExcept>
<Limit GET PROPFIND OPTIONS REPORT>
Require group svn-admin-read
Require user testUser testUser2
</Limit>
</Location>
The modules 'authn_dbm' and 'authz_user' are enabled. Anything (obvious) I am missing here? Any help is appreciated!
Anything (obvious) I am missing here?
Reading (and understanding) some parts of SVN Book, at least "Per-directory access control" (maybe full chapter "httpd, the Apache HTTP Server") and "Path-Based Authorization"
I see at least two weakness in current config
Without DAV svn+SVNParentPath in <Location /svn> container you must to have for N repositories N+1 Location containers and add|remove location for every added|removed repository. Subversion-way is to have single location for parent of repository-dirs
For example, if you know you will be creating multiple Subversion repositories in a directory /var/svn that would be accessed via URLs such as http://my.server.com/svn/repos1, http://my.server.com/svn/repos2, and so on, you could use the httpd.conf configuration syntax in the following example:
<Location /svn>
DAV svn
# Automatically map any "/svn/foo" URL to repository /var/svn/foo
SVNParentPath /var/svn
</Location>
Using this syntax, Apache will delegate the handling of all URLs whose path portions begin with /svn/ to the Subversion DAV provider, which will then assume that any items in the directory specified by the SVNParentPath directive are actually Subversion repositories. This is a particularly convenient syntax in that, unlike the use of the SVNPath directive, you don't have to restart Apache to add or remove hosted repositories.
Path-based ACLs for Subversion in Apache implemented (and used in 99% cases) with authz_svn_module and AuthzSVNAccessFile, in which user's and group's access rights (for any repository in tree or part of repo-tree) defined... and also group's membership, which makes AuthDBMGroupFile obsoleted (and Location without LimitExcept & Limit - more compact and readable)
I am setting up SVN on a Red Hat Linux machine. My scenario is that I have two projects in the same directory:
/var/www/svn/proj1
/var/www/svn/proj2
My subversion.conf has the following configurations:
<Location /svn/proj1>
DAV svn
SVNPath /var/www/svn/proj1
AuthzSVNAccessFile /etc/svn_proj1-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
Require valid-user
</Location>
<Location /svn/proj2/>
DAV svn
SVNParentPath /var/www/svn/proj2
SVNListParentPath on
AuthzSVNAccessFile /etc/svn_proj2-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
Require valid-user
</Location>
For project1 my URL http://www.example.com/svn/proj1 works pretty good, but for project2 I need to add trailing slash in the end of URL, http://www.example.com/svn/proj2/ or else it doesn't return with a user/password window.
If I remove the trailing slash from the location directive,
<Location /svn/proj2>
then it starts giving a 403 Forbidden error, no matter if I use a slash or not in the browser.
I am using it with TortoiseSVN, but project2 isn't working at all.
What should I look at in configurations?
Confused. Confused. Confused...
But, I'm easily confused...
You have two projects. The first one you use:
SVNPath /var/www/svn/proj1
and the second you use:
SVNParentPath /var/www/svn/proj2
Why is one SVNPath and the other SVNParentPath? There's a difference. You specify SVNPath when you refer to a particular repository. You use SVNParentPath when you refer to a directory that contains multiple repositories.
So, exactly what is your setup? I have a feeling that they both should be SVNPath.
By the way, I notice you have the same user list, but separate AuthzSVNAccessFile access files. Are you merely stopping people from committing, or are you preventing people from reading particular files and directories?
Normal practice is to allow users to see all files, but to prevent commit access. In that case, you may want to do that outside of Apache httpd, using my pre-commit hook. This allows you to do two things:
Turn off directory checking access which speeds up Subversion.
Change commit permissions without restarting Apache httpd.
You can then configure both directories in a single configuration:
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
SVNListParentPath on
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
SVNPathAuthz off
Require valid-user
</Location>
Of course, if you're using AuthzPath to prevent read access, you have to use the AuthzSVNAccessFile parameter. But, it makes things more complex, and it slows you down. I usually recommend against it unless users aren't suppose to be able to peek at each other repos (which is quite rare).
And, one more thing... Do your users have LDAP or Windows Active Directory accounts? If so, you can use that to determine Subversion repository access:
LoadModule authnz_ldap_module modules/authnz_ldap.so
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
SVNListParentPath on
AuthType basic
AuthName "Subversion Repository"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://windomain.mycorp.com:3268/dc=mycorp,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=svn_user,OU=Users,DC=mycorp,DC=com"
AuthLDAPBindPassword "swordfish"
Require ldap-group CN=developers,CN=Users,DC=mycorp,DC=com
</Location>
This way, if a user has a Windows account (or is in your LDAP database), and that user is in the developers group, they automatically have access to your Subversion repositories (note the SVNParentPath for both repos and any future ones). This way, you're not constantly adding and subtracting users out of your SVN AUthorization file. Plus, you're not constantly retrieving forgotten passwords.
Now, that's all your Windows administrator's responsibility. It's magic. I made your task their job. User doesn't have Subversion access? No longer your problem. More time to play Angry Birds.
One more tiny thing: I have a feeling you don't want to place your repository under /var/www for the simple reason that might be your document root. If you're not careful, you might be granting direct access to your Subversion repository directory.
You're better off putting them elsewhere and changing the SVNParentPath.
The Location and SVNParentPath directive should have the same trailing slash rule: either with or without.
So it should be:
<Location /svn/proj2/> <--- Here trailing slash (or not)
[..]
SVNPath /var/www/svn/proj2/ <--- Here same like Location
[...]
</Location>