Trac not following SVN access control permissions after Apache upgrade - apache

Platform: Windows Server 2008 R2
Apache 2.2.23 (win32)/SSL 1.0.0j upgrading to Apache 2.4.23 (win32)/SSL 1.0.2h
CollabNet Subversion Client SVNServe 1.7.8
Trac 1.0.9 (win32)
Python 2.7.1
On a Windows server, I had Subversion and Trac interacting nicely when running Apache 2.2.23, Subversion 1.7.8 with Trac 1.0.9 and the mod_python module. Access to Trac projects was permitted based on access control groups defined in the subversion access control file. The setting of the AuthzSVNAccessFile variable in the httpd.conf file pointed to the subversion access control file, e:/etc/.svnaccess. If the user had access to a subversion repo, then they had access to the associated Trac project, otherwise access was denied.
The httpd.conf file contained the following:
<Location /trac>
SVNParentPath e:/svn_repository
AuthzSVNAccessFile "E:/etc/.svnaccess"
SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracEnvParentDir e:\trac
PythonOption TracUriRoot /trac
AuthType SSPI
SSPIAuth On
SSPIOfferSSPI Off
SSPIAuthoritative On
SSPIDomain <domaincontroller>
SSPIOmitDomain Off
SSPIUsernameCase lower
SSPIPerRequestAuth On
SSPIOfferBasic On
AuthName "UTAS TRAC Login (Use domain\userid format)"
Require valid-user
</Location>
I then had to upgrade Apache/SSL to 2.4.23/1.0.2h. With this upgrade, mod_python was obsoleted, so I had to switch to the mod_wsgi module. I added the mod_wsgi.so LoadModule line and modified the config file to remove the Python-related settings (keeping the AuthzSVNAccessFile setting), adding in the mod_wsgi info.
After the Apache upgrade, the httpd.conf file contained:
<Location /trac>
SVNParentPath e:/svn_repository
AuthzSVNAccessFile "E:/etc/.svnaccess"
AuthType SSPI
SSPIAuth On
SSPIOfferSSPI Off
SSPIAuthoritative On
SSPIDomain <domaincontroller>
SSPIOmitDomain Off
SSPIUsernameCase lower
SSPIPerRequestAuth On
SSPIOfferBasic On
AuthName "UTAS TRAC Login (Use domain\userid format)"
Require valid-user
</Location>
WSGIScriptAlias /trac e:/trac/trac.wsgi
<Directory "e:/trac">
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
The e:/trac/trac.wsgi has the following in it:
import os
import trac.web.main
import site
# raw string so the backslashes in the Windows path are taken literally
site.addsitedir(r'e:\Python\Lib\site-packages')
os.environ['PYTHON_EGG_CACHE'] = r'c:\Trac-Python-Egg-Cache'
def application(environ, start_response):
    # replaces "PythonOption TracEnvParentDir" from the mod_python setup
    environ['trac.env_parent_dir'] = r'e:\trac'
    return trac.web.main.dispatch_request(environ, start_response)
The trac.ini file (for Beth_test project) has these critical sections, same as before the Apache upgrade:
[components]
tracopt.versioncontrol.svn.* = enabled
tracstats.* = enabled
[repositories]
Beth_test.dir = e:\svn_repository\Beth_test
Beth_test.description = This is the ‘Beth_test’ project repository on the Test svn server.
Beth_test.type = svn
Beth_test.url = https://<my_server>/svn/Beth_test
Beth_test.hidden = true
tsvn = tsvn: Interact with TortoiseSvn
[trac]
authz_file = E:\etc\.svnaccess
permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
permission_store = DefaultPermissionStore
repository_dir = e:\svn_repository\Beth_test
repository_type = svn
…plus a bunch of other settings
My directory structure on the server is:
E:\svn_repository\
Beth_test
SVN_test
E:\trac\
Beth_test
SVN_test
When I bring up the Trac URL after entering my Active Directory credentials, I see the 2 Trac projects listed. However, when I click on a project, it gives me access to it even though I have not added my id to the access control group associated with the Beth_test subversion repo. With TortoiseSVN I am properly blocked, but with Trac using the mod_wsgi module, I can (erroneously) access the Trac project and subsequently browse the subversion source.
There is nothing useful in the Apache or Trac log files.
Any idea why Trac no longer follows the subversion access control permissions after upgrading Apache and switching from mod_python to mod_wsgi?

I had been playing with the svn access control file, and my id was in the admin group. The admin group had r/w access to the top-level slash (/) directory. Consequently, my id had access to all repositories since I did not remove permissions in each repo for the admin group. Once I removed my id from the admin directory, both svn and trac followed the repo's groups defined access.
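The answer above turns on how a Subversion authz file is evaluated: for a given path the repository-specific section `[repo:path]` is consulted first, then the global `[path]`, and if neither says anything about the user the lookup moves to the parent path. A `[/]` section that grants `@admin = rw` therefore reaches into every repository whose own `[repo:/]` section does not mention the admin group, which is exactly what the poster saw in both TortoiseSVN and Trac (Trac's AuthzSourcePolicy reads the same `authz_file`). The resolver below is an added example that reproduces that inheritance; it is not Trac's or Subversion's own code, and the authz text, user names and repository names are constructed for the example. One simplification is assumed and marked in the code: inside a single section a rule naming the user directly beats a group rule, which beats `$authenticated`, which beats `*`; Subversion's own tie-breaking for conflicting rules has changed between releases, so do not rely on that detail.

```python
# Added example: a small resolver for Subversion authz files reproducing the per-path
# inheritance from the answer above.  Not Trac's or Subversion's code.  The authz text,
# users and repositories are constructed.  Assumption: within one section a direct user
# rule beats a group rule, which beats $authenticated, which beats "*".

# The state from the question: "beth" is in admin, and [/] grants @admin rw everywhere.
AUTHZ_BEFORE = """\
[groups]
admin = beth, alice
beth_devs = carol
svn_devs = dave

[/]
@admin = rw

[Beth_test:/]
@beth_devs = rw

[SVN_test:/]
@svn_devs = rw
"""

# The fix from the answer: take beth out of admin.
AUTHZ_AFTER = AUTHZ_BEFORE.replace("admin = beth, alice", "admin = alice")

# Alternative fix: keep the admin group but deny it explicitly inside the repository
# section, so that section decides and [/] is never reached for that path.
AUTHZ_EXPLICIT_DENY = AUTHZ_BEFORE.replace("[Beth_test:/]\n", "[Beth_test:/]\n@admin =\n")


def parse_authz(text):
    """Return (groups, sections): {group: {member}} and {section: [(subject, rights)]}.
    Rule order and duplicate subjects are kept, which configparser would not do."""
    groups, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip()
            if current != "groups":
                sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if current == "groups":
            groups[key] = {m.strip() for m in value.split(",") if m.strip()}
        elif current is not None:
            sections[current].append((key, value))
    return groups, sections


def expand_group(name, groups, seen=None):
    """Flatten a group, following nested @group members, into a set of user names."""
    seen = set() if seen is None else seen
    members = set()
    for member in groups.get(name, ()):
        if member.startswith("@"):
            if member[1:] not in seen:
                seen.add(member[1:])
                members |= expand_group(member[1:], groups, seen)
        else:
            members.add(member)
    return members


def rule_rank(subject, user, groups):
    """Specificity of a rule for `user` (None = anonymous), or None if it does not apply."""
    if subject == "*":
        return 0
    if subject == "$authenticated":
        return 1 if user is not None else None
    if subject.startswith("@"):
        return 2 if user is not None and user in expand_group(subject[1:], groups) else None
    return 3 if subject == user else None


def section_rights(rules, user, groups):
    """Rights ('', 'r' or 'rw') this section decides for user, or None if it is silent."""
    best = None
    for subject, rights in rules:
        rank = rule_rank(subject, user, groups)
        if rank is not None and (best is None or rank >= best[0]):
            best = (rank, rights)
    return None if best is None else best[1]


def parent_paths(path):
    """'/trunk/src' -> ['/trunk/src', '/trunk', '/']"""
    path = "/" + path.strip("/")
    chain = [path]
    while path != "/":
        path = path.rsplit("/", 1)[0] or "/"
        chain.append(path)
    return chain


def access(authz_text, repo, path, user):
    """Walk from `path` up to '/'; at each step [repo:path] is consulted before the global
    [path], and the first section that says anything about the user wins.  A silent
    [Beth_test:/] therefore falls through to [/] and its "@admin = rw"."""
    groups, sections = parse_authz(authz_text)
    for p in parent_paths(path):
        for name in (repo + ":" + p, p):
            if name in sections:
                rights = section_rights(sections[name], user, groups)
                if rights is not None:
                    return rights
    return ""


def can_read(authz_text, repo, path, user):
    return "r" in access(authz_text, repo, path, user)
```

`access(AUTHZ_BEFORE, "Beth_test", "/", "beth")` returns `"rw"` even though `[Beth_test:/]` never mentions beth; with `AUTHZ_AFTER` it returns `""`, and with `AUTHZ_EXPLICIT_DENY` the repository section answers `""` itself while beth keeps `"rw"` on SVN_test. The explicit-deny variant is the one to prefer when the admin group must stay in `[/]` but individual repositories must be closed to it.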

Related

Apache 2.4 mod_dav_svn configuration file

I am trying to Setup Server dictated configurations on my Subversion repository which is served by an Apache 2.4 server.
Based on the information I found one has to alter the SVN configuration file on the server but which one is used by the mod_dav_svn module of the Apache Server?
I already tried different ones (Admin, Public) but none worked.
Does anybody know which configuration file is used by this module?
Thanks,
Thomas
As far as I know, the SVN config file is for the user and not for the server. The only things you have to do are give the apache user write permission on the svn repo and configure apache.
Here is an example apache config file; the repo is available at http://mysserver/SVN_REPO1
LoadModule dav_svn_module modules/mod_dav_svn.so
<IfModule mod_dav_svn.c>
Alias /SVN_REPO "/PATH_TO/SVN_REPO"
<Location /SVN_REPO1>
DAV svn
SVNPath "/PATH_TO/SVN_REPO"
# Faster, but does not check permissions on every parent path (less secure).
# httpd does not accept a comment after a directive on the same line, so it sits on its own line.
SVNPathAuthz Off
AuthzSVNAccessFile "/path_to_/authz"
require valid-user
Satisfy Any
Options MultiViews
Require all granted
</Location>
</IfModule>

SVN Repo works without authentication

I have created SVN host using:
<Location /svn>
DAV svn
SVNParentPath /home/xxx/xxx/xxx/xxx/Main_Folder/company-1
AuthType Basic
SVNListParentPath On
AuthName "Test"
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
Although I have specified user privileges in svnserve.conf, it does not seem to "take it" because I can access the repository (see below) without any prompt for user/password.
Can you please point what am I doing wrong?
Thanks!
Read the docs; it seems that you are using the wrong configuration file.
Configuration settings in the file svnserve.conf do not have any effect in this particular case. Your server runs Apache and Apache does not process svnserve.conf. This configuration file is used by svnserve custom server only.
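The `<Location>` blocks in the previous answer (Apache 2.4 with mod_dav_svn) and in this question both end up serving repository reads without authentication, for different reasons. In Apache 2.4, several `Require` directives in one container that are not wrapped in `<RequireAll>` or `<RequireAny>` are treated as `<RequireAny>`, so `require valid-user` next to `Require all granted` admits everyone; `Satisfy`, `Order` and `Allow` are 2.2 directives that 2.4 only understands with mod_access_compat loaded; a `<LimitExcept GET PROPFIND OPTIONS REPORT>` around `Require valid-user` leaves exactly the read methods unauthenticated, which is why no password prompt appears; and `SVNPathAuthz Off` stops mod_dav_svn from checking the authz file for every path a checkout, update or log touches, so paths marked unreadable can leak. The `Alias /SVN_REPO "/PATH_TO/SVN_REPO"` line in the earlier answer also maps a URL directly onto the repository directory on disk, outside the `<Location /SVN_REPO1>` rules; if a `<Directory>` grants access to that path, the raw repository files (`db/`, `conf/`, `hooks/`) are downloadable. The block below is an added, hardened Apache 2.4 configuration that serves both cases; it is not from either post, and the module paths, file names and the `/svn` prefix are assumptions.

```apache
LoadModule dav_module       modules/mod_dav.so
LoadModule dav_svn_module   modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

# Added example, not from either post; paths and file names are assumed.
<Location /svn>
    DAV svn
    SVNParentPath /srv/svn/repos
    SVNListParentPath On

    # Basic auth sends the password in clear; only allow it over TLS.
    SSLRequireSSL

    # No <LimitExcept>: GET, PROPFIND, OPTIONS and REPORT need credentials too.
    # No second Require directive, so there is no implicit <RequireAny>.
    AuthType Basic
    AuthName "Subversion repositories"
    AuthUserFile /etc/apache2/svn.htpasswd
    Require valid-user

    # Per-path rules from the authz file, checked for every path a response touches.
    AuthzSVNAccessFile /etc/apache2/svn.authz
    SVNPathAuthz On
</Location>
```

With `SVNPathAuthz On` and an authz file, a checkout of a tree that contains paths the user may not read simply omits them; that is the check `Off` trades away for speed. The svnserve.conf file is still irrelevant here, as the answer says: under Apache the only access rules are the ones in the `AuthUserFile` and the `AuthzSVNAccessFile`.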

Enable deletion of files through Apache Web Directory Listing

I have an Apache server with a Document Root pointing to a location on the Linux file system. The directory structure is read-only right now, but I need to provide a way for specific users to either directly delete files or mark files to be deleted (where some automated process can run afterwards and delete the files that have been marked as such).
The users don't have ssh access to the box and I need them to be able to do this through the web directory listing.
I should mention all this is happening behind a firewall, so disregard any security risks in your response.
What you're really asking is either:
some file-manager web-app
WebDAV
For a file manager there are myriads of alternatives (for example eXplorer or phpFileManager).
For WebDAV you need to enable the DAV module:
DavLockDB /usr/local/apache2/var/DavLock
<Location /foo>
Order Allow,Deny
Allow from all
Dav On
AuthType Basic
AuthName DAV
AuthUserFile user.passwd
<LimitExcept GET OPTIONS>
Require user admin
</LimitExcept>
</Location>
then use WebDAV client software (Windows calls it Web Folders, AFAIR; Mac and Linux have decent native support as well).

Configuring Subversion Version Control In Dreamweaver CS4

We're setting up Subversion version control in Dreamweaver CS4 and we'd like to transmit our files over SSL. We have it working without SSL. But when we select HTTPS as the protocol, it's unable to connect: with https://thedevserver.edu, DW fails to connect.
Has anyone gotten this to work? Is there something on the Apache or Subversion sides that we're missing?
We have an SVN configuration include file with the following contents:
LoadModule dav_svn_module modules/mod_dav_svn.so
<Location /repos>
DAV svn
SVNParentPath /folder/folder1/SVN_REPOS_folder
SVNListParentPath on
SSLRequireSSL
AuthType Digest
AuthName webdav
AuthDigestDomain /repos
AuthUserFile /some/where/on/the/server
AuthDigestProvider file
Require valid-user
</Location>
I've Included this file in the virtual host file. But, still, DW can't connect using HTTPS.
If you can connect to the repo over http but can't over https, this is clearly the Apache part: it must support secure connections for the virtual host or server used for the repository.
Subversion (mod_dav_svn) in this case works on top of the base httpd engine.

Apache + Perl + NTLM/LDAP == Single signon?

We have a Perl app which runs under Apache on Solaris using CGI::Application. That's all running fine. We'd like to get access to the USER_ID variable passed by the IE browser, and do some Database queries and LDAP queries.
I've looked at the Apache documentation and I can't figure out how to achieve this. We don't have internet access (it's an intranet) from the solaris servers so we need to compile everything ourselves.
Does anyone have a check list (or tutorial) of what Apache needs (modules/plugins) in order to achieve this, and how it should be configured?
NTLM Winbind
I use the module auth_ntlm_winbind_module (mod_auth_ntlm_winbind.so) on our server. You need to have Samba and winbind installed, properly configured and running.
You can download the module from the Samba project tree:
git clone git://git.samba.org/jerry/mod_auth_ntlm_winbind.git
In order to authenticate users via NTLM you have to add the following directives to your directory settings:
<Directory /srv/http>
Allow from all
AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
AllowOverride all
</Directory>
Of course you need to load the module, too:
LoadModule auth_ntlm_winbind_module /usr/lib/httpd/modules/mod_auth_ntlm_winbind.so
The Windows user account is passed to the application as the REMOTE_USER:
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
my $query = CGI->new;
# get the windows account from the header (REMOTE_USER is set by Apache after authentication)
my $windows_account = $query->remote_user();
Note that IE only sends the user authentication data to trusted sites.
Here's a website with a bit more info on the module.
Direct Authentication via LDAP
Another method is to use the module authnz_ldap_module (mod_authnz_ldap.so). This is probably loaded by default already. Note that this is not true Single signon as the user is prompted for a password.
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Add this to your directory definition:
<Directory /srv/http>
AuthName "Authentication required"
AuthType Basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
# "protocol://hostname:port/base?attribute?scope?filter" NONE
# NONE indicates that an unsecure connection should be used for LDAP, i.e. port 389
AuthLDAPURL "ldap://your.ldap.server.net:389/OU=the,OU=search,OU=node,DC=domain,DC=net?sAMAccountName?sub?(objectClass=*)" NONE
# This is only needed if your LDAP server doesn't allow anonymous binds
AuthLDAPBindDN "CN=AD Bind User,OU=the,OU=bind,OU=node,DC=domain,DC=net"
AuthLDAPBindPassword super-secret
Require valid-user
AllowOverride all
</Directory>
More info about the module.
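The answer's point that the account arrives in `REMOTE_USER` carries a security rule that is easy to get wrong in the application: only `REMOTE_USER` is set by Apache after the NTLM or LDAP authentication succeeded, whereas anything a client puts in an HTTP header is exposed under an `HTTP_` prefix (a client-sent `Remote-User: admin` header becomes `HTTP_REMOTE_USER`), so it cannot forge the server-set variable. The other practical detail is that NTLM delivers `DOMAIN\user` while an LDAP `sAMAccountName` lookup uses the bare name, so the application has to normalise before keying database or LDAP queries on it. The block below is an added example in Python (the page's application is Perl/CGI::Application, but the CGI variables are the same); it is not the poster's code, the `environ` dictionaries are constructed for the example, and the normalisation policy (drop the domain, lower-case) is an assumption that is only safe when a single trusted domain is in play.

```python
# Added example, not the page's Perl application.  The environ dictionaries are
# constructed; the normalisation policy below (drop domain, lower-case) is an assumption.

def trusted_user(environ):
    """Return the account Apache authenticated, or None for an unauthenticated request.

    REMOTE_USER is written by the server (mod_auth_ntlm_winbind, mod_authnz_ldap, SSPI)
    only after it verified credentials.  Client headers are exposed with an HTTP_ prefix,
    so a forged "Remote-User" header shows up as HTTP_REMOTE_USER and is never consulted.
    """
    user = environ.get("REMOTE_USER", "")
    return user or None


def normalize_account(account, strip_domain=True, lowercase=True):
    """Map 'CORP\\JSmith', 'jsmith@corp.example' or 'jsmith' to one canonical form.

    NTLM hands over DOMAIN\\user, LDAP sAMAccountName is the bare name; keying a
    database on the raw string would treat them as two different people.  Stripping
    the domain (assumed policy) is only safe with one trusted domain, as when SSPIDomain
    pins a single domain controller.
    """
    if strip_domain:
        if "\\" in account:
            account = account.rsplit("\\", 1)[1]
        elif "@" in account:
            account = account.split("@", 1)[0]
    return account.lower() if lowercase else account


def current_user(environ):
    """Identity the application may rely on, normalised, or None."""
    user = trusted_user(environ)
    return normalize_account(user) if user else None


# Constructed environs: what Apache produces after a successful NTLM handshake, and an
# unauthenticated request where the client tried to smuggle an identity in a header.
ENV_AUTHENTICATED = {
    "AUTH_TYPE": "NTLM",
    "REMOTE_USER": "CORP\\JSmith",
    "HTTP_HOST": "intranet",
}
ENV_FORGED = {
    "HTTP_REMOTE_USER": "CORP\\Administrator",
    "HTTP_HOST": "intranet",
}
```

`current_user(ENV_AUTHENTICATED)` yields `jsmith`, while `current_user(ENV_FORGED)` yields `None`: the forged header never reaches `REMOTE_USER`. The same holds for the trac.wsgi frontend in the first question, where mod_wsgi passes `REMOTE_USER` in `environ` and Trac takes its authenticated user from it.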
There are mod_ntlm and mod_ldap plugins for Apache which you can use to authenticate.
In your case, I'd assume that you actually do want to use mod_ntlm, and LDAP or "Active Directory" is only its backend?
Here's one tutorial that covers the setup phase: http://sivel.net/2007/05/sso-apache-ad-1/
The compilation phase in the tutorial is aimed at RPM-based Linux platforms, though, but TWiki has some more info about compiling for Solaris 10 here: http://twiki.org/cgi-bin/view/Codev/NtlmForSolaris10#How_to_build_your_own_mod_ntlm_b