I have an apache based subversion server that hosts multiple repositories that has been working just fine using Location stanza's that make use of Limit and LimitExcept sections as shown below:
<Location "/svn/IAM/">
<Limit GET PROPFIND OPTIONS REPORT>
Require ldap-group CN=LDAP_ReadOnly
</Limit>
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require ldap-group CN=LDAP_ReadWrite
</LimitExcept>
</Location>
Based on this, accounts that are in LDAP_ReadOnly are able to read the entire repo, and accounts that are in LDAP_ReadWrite are able read and write to the entire repo.
Along comes the need to grant group LDAP_LimitedRead Read access to "/svn/IAM/Trunk/Project1 AND no access to /svn/IAM/Trunk/Project1/one.properties and also no access to /svn/IAM/Trunk/Project2 and so on.
I have tried the following with SVNParentPath, and SVNPath
<Location "/svn/IAM/Trunk/Project1/">
Dav svn
SVNParentPath /svn/repos/IAM/Trunk/Project1
AuthzSVNAccessFile IAM.svnAuth
</Location>
with the following in the IAM.svnAuth file
[IAM:Trunk/Project1]
Dev1 = r
[IAM:Trunk/Project1/one.properties]
Dev1 =
As per the redbean book, path based auth only points to the use of AuthzSVNAccessFile. What i'd like to know is if its possible to do both, and how.
Path based authorisation can be done via group/user
Create groups
[groups]
readonly-developers = harry, sally, joe
readwrite-developers = frank, sally, jane
everyone = harry, sally, joe, frank, jane
Groups can be granted access control just like users. Distinguish them with an βatβ (#) prefix:
[reponame1:/projects/calc]
#readwrite-developers = rw
[reponame2:/projects/paint]
#readonly-developers = r
frank =rw;
Following this howto I tried to set up my Debian 8 server with Apache 2.4.10 and MySQL 5.5.50 to use MySQL as authentication backend for my SVN. I get an internal server error and can't figure out why.
First I added the file /etc/apache2/conf-available/dbd_mysql.conf, containing
<IfModule mod_dbd.c>
DBDriver mysql
DBDParams "host=localhost user=THEUSER pass=THEPASS"
DBDMin 2
DBDKeep 4
DBDMax 10
DBDExptime 300
</IfModule>
of course followed by
a2enconfig dbd_mysql
I've set up a MySQL Database "authdb" containing the table "mysql_auth" with basically two important columns, "username" and "password". The specific database is accessible by a user, which I will refer to as "THEUSER" with SELECT permission.
Then I added the site specific configuration in /etc/apache2/site-available/svn.conf:
DBDParams "dbname=authdb"
<Location /svn/private/>
DAV svn
SVNParentPath /svn/private/
AuthzSVNAccessFile /svn/auth/accesslist_private
SSLRequireSSL
AuthUserFile /dev/null
AuthName "SVN"
AuthType Basic
<IfModule mod_authn_dbd.c>
AuthBasicProvider dbd
AuthDBDUserPWQuery "SELECT password FROM mysql_auth WHERE username = %s"
Require valid-user
</IfModule>
</Location>
This site configuration has already been enabled so I restarted the Apache and found something in the log file which I absolutely can not understand:
[dbd:error] [pid 15225] (20014)Internal error: AH00629: Can't connect to mysql: Access denied for user 'A LOCAL SYSTEM USER'#'localhost' (using password: NO)
[dbd:error] [pid 15225] (20014)Internal error: AH00633: failed to initialise
[authn_dbd:error] [pid 15225] [client XX.XX.XX.XX:XYZ] AH01653: Failed to acquire database connection to look up user 'some_user'
This error repeats whenever I try to access my SVN repository.
What is really strange about this is that there is a user in the log file which I absolutely do not expect to find here. It is a system user who as nothing to do with neither MySQL nor Apache. This user is only used to login with SSH. Which point am I missing? Any help would be appreciated!
Finally figured out the problem. Obviously the content of my configuration file was loaded after the content of my site definition.
The solution was as follows: I moved the content from dbd_mysql.conf right in front of the -Definition of my /etc/apache2/site-available/svn.conf, disabled the conf, reloaded Apache and everything worked.
What I haven't figured out yet is, if my configuration is faulty because I would have expected that the configuration is loaded before my site definition which relies on the previous configuration.
I'm having trouble setting up my Subversion.
I'm currently able to access repository directories within the parent directory. i.e http://server.com/svn/project but I receive a Forbidden error if I try to access the parent directory directly http://server.com/svn/
Ideally, I would like to be able to see all my repositories from a single url so I'm trying to get this configured properly.
I have looked at /etc/apache2/conf.d/subversion.conf and I have set
<Location /svn>
DAV svn
SVNParentPath /usr/local/svn
SVNListParentPath on
AuthType Basic
AuthName "My SVN"
AuthUserFile /etc/apache2/conf/user_authentication.conf
AuthzSVNAccessFile /etc/apache2/conf/svn_authorization.conf
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
In /etc/apache2/conf/svn_authorization.conf I have configured
[/]
* = r
[project:/]
user1 = rw
etc..
I'm not quite sure why I am getting forbidden on parent since I believe I have read enabled for all users. I have even tried removing the * = r and putting myUsername = r but still forbidden.
What am I doing wrong?
Subversion won't show you the parent path directly. So "out of the box" you can't get the list of repositories this way. When using the web browser to access your repository, you should use viewvc, because that has many advantages to directly pointing the browser at the repository location (i.e. you can browse the history that way). If you're using a bundled SVN installation such as CollabNet, viewvc is automatically configured for your server, too.
OS: Linux OpenSUSE
Version control - Mercurial
Apache2
I run http ://my.os.name/ it gives me a page - thus apache is running.
I run http ://my.os.name:/hg - It shows me Mercurial page, thus mercurial is
showing up on http Internet Explorer page.
I'm able to create repositories/or do normal work in Mercurial.
What I need.
1. When I open the above Hg link
then, instead of showing me the Mercurial(Hg) repository page home page, it should first check whether I belong to my company or not i.e. it should authenticate using Windows Active Directory or LDAP server.
If I'm making any changes to a file or create a directory / repository in Hg, then it should make sure / authenticate/verify whether I have valid access to do that operation or not.
HOW can I do this, I need step by step help as I'm new in Apache/Mercurial authentication setup.
I have almost read all the Online help in setting this up and so far I'm able to get to a point whether when I open Hg link, I get a popup for username/password prompt, but its not taking it / not working.
I also dont want to create .htpasswd/ .htaccess or digest files. What I'm wondering is that if in Windows Active Directory, if I have a Security group created for ex: Company/Project1_readers, Company/Project1_Contributors, Company/Project1_Repository1_Readers, Company/Project1_Repository2_Contributors... and in those AD security group ids, if I have all the developers added, then using these groups in AD, I want to grant access to developers instead of adding those users in .hg/hgrc file.
(This is what usually we do in TFS (Team foundation Server) to grant/revoke access) instead of messing with files (adding/removing users) in every repository etc.
How can I do the above?
Kindly advise if the best way is only creating .htpasswd/.htaccess/.htdigest etc files...if I'm wrong in achieving the above scenario.
My httpd.conf file Includes another .conf file (which contains)
=========================================
<Directory /srv/www/hg>
Order deny,allow
Deny from All
AuthType Basic
# #AuthName "Apache Web Site: Login with your AD(Active Directory) credentials"
AuthName "Mercurial Repositories"
#
#
# AuthBasicProvider ldap
# AuthzLDAPAuthoritative off
# #AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName
# AuthLDAPURL "ldap://10.211.16.1:389/?samAccountName?sub?(objectClass=user)"
## #ldap://ldap.your-domain.com:389/o=stooges?uid?sub
# AuthLDAPBindDN "cn=xyzserver,OU=Services,OU=Users,OU=Infrastructure,OU=DEN,OU=KSH,DC=Psh,DC=Mason,DC=com"
# #"cn=StoogeAdmin,o=stooges"
# AuthLDAPBindPassword secret1
require valid-user
# require ldap-user
Satisfy any
</Directory>
When I'm using the abvoe LDAP URL in Jenkins, Jenkins is successfully authenticating a user while logging in, then why the same is not working when it's in this server's .conf file. Note, in apache2, the above doesn't have to be in httpd.conf file. Include concept is letting me include the file.conf and file.conf contains the above code. This is as per Apache2 directions as mentioned in httpd.conf file.
Rest of the mercurial files hgwebdir.cgi, hgweb.cgi, hgweb.config are all good (as per online blogs I have read).
I have all the required modules loaded (as they are visible in /etc/apache2/sysconfig.d/loadmodule.conf file (modules which are required for LDAP auth i.e. mod_ldap, mod_authz_ldap etc etc related to ldap and apache).
OK, Prompt part which was not taking my Windows Ldap credentials is now working.
What did I put wrong.
- See line: for AuthLDAPURL and AuthLDAPBindPassword, those were the culprits in my post shown above.
- Cause was, I was new to Windows AD/LDAP concept, so couldn't get a hold of anyone from Systems team in my company. So tried my own hands. The first line for AuthLDAPURL, I got from the GLOBAL configuration file (config.xml) of one of our Jenkins instance.
Jenkins GUI for showing config doesn't show passwords (as they are masked) so there you'll see Manager's DN password as "* * * * * *".
So, I thought I should open the config.xml file of Jenkins instance and got the password "secret1" from there. Actually "secret1" is just an example, in reality it was some crazy value over there like "VVX12##!5GH".
So basically I used that earlier which didn't work as for LDAP authentication to work correctly, you have to talk to someone in SYSTEMS team or the person WHO actually did the setup in Jenkins instance for LDAP authentication there.
Finally I got the password, and it worked.
Resolution: See below what I changed.
One important thing to notice is that, in Jenkins, AUTHURL for LDAP was:
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName
but,
from a Unix/Linux/in my case, SUSE machine, we have to change this line a little bit to
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName?sub
For more on this (Apache2.2 on connecting to Windows AD(Active Directory) authentication):
PS: http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html
and then
- I put the correct password for cn=xyzserver (Manager DN user id) in the file and all was good then.
Snapshot of apache config file or the file which you have created separately and included in your httpd.file or through /etc/sysconfig/apache2 filer (variable APACHE_INCLUDE...) now looks like:
<Directory /srv/www/htdocs/hg>
Order deny,allow
Deny from All
AuthType Basic
AuthName "LDAP Access - Mercurial"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName?sub
#AuthLDAPURL "ldap://10.211.16.1:389/OU=TSH,DC=Mason,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "cn=xyzserver,OU=Services,OU=Users,OU=Infrastructure,OU=DEN,OU=KSH,DC=Psh,DC=Mason,DC=com"
AuthLDAPBindPassword CorrectPassword!
# require ldap-user c149807
# AuthUserFile "/dev/null"
require valid-user
Satisfy any
</Directory>
I'll work on getting the user access part now on the actual repository as Auth part is done from IE(Internet Explorer) to Hg(Mercurial) from Linux/Unix/OpenSUSE machine.
if prompted multiple times for user credentials in mercurial. Setup Mercurial_Keyring and then
this question comes which nobody explained in an easy way.
??? how to make the [auth] xx.prefix = servername/hg_or_something work for all repositories under servername/hg location either if I use servername, servername's IP or servername's FQDN ?
ANSWER: Arun β’ 2 minutes ago
β
OK, I put this in ~/.hgrc (Linux/Unix -home directory's .hgrc hidden file) or Windows users %UserProfile%/mercurial.ini or %HOME%/mercurial.ini file.
[auth]
default1.schemes = http https
default1.prefix = hg_merc_server/hg
default1.username = c123456
default2.schemes = http https
default2.prefix = hg_merc_server.company.com/hg
default2.username = c123456
default3.schemes = http https
default3.prefix = 10.211.222.321/hg
default3.username = c123456
Now, I can checkout using either Server/IP/Server's FQDN.
I have repositories created in C:\Data\Subversion as well as sub-folders like C:\Data\Subversion\Dev-Mobile.
I can give per project access to users for the repos in the root folder without problems. For that I'm adding those lines in svn-acl:
[Project1:/]
Test = rw
However, I try to give access for a repo in a sub-folder but it doesn't work:
[Test161:/Dev-Mobile]
Test = rw
The project is declared in subversion.conf as:
<Location /Dev-Mobile/Test161>
DAV svn
SVNPath C:/Data/Subversion/Dev-Mobile/Test161
AuthType Basic
AuthName "Test161 Repository"
AuthUserFile c:/Data/Subversion/svn-auth-file
Require valid-user
AuthzSVNAccessFile c:/Data/Subversion/svn-acl
</Location>
What am I doing wrong?
I'm not an expert on the syntax of the svn-acl file. But I think that the syntax
[Test161:/Dev-Mobile]
Test = rw
is meant for configuring the permissions of the sub-folder /Dev-Mobile of an existing repository Test161. That is, it seems you are getting the identification of the repository and the folder within the repository confused.
The problem was that I tried to add the subfolder in the path (after :/) since this was the logical thing to do but I've found out Subversion will automatically scan the subdirs.
So this is the correct sintex no matter if the repo is in the root or a subfolder!
[Test161:/]
Test = rw