Following this howto I tried to set up my Debian 8 server with Apache 2.4.10 and MySQL 5.5.50 to use MySQL as authentication backend for my SVN. I get an internal server error and can't figure out why.
First I added the file /etc/apache2/conf-available/dbd_mysql.conf, containing
<IfModule mod_dbd.c>
DBDriver mysql
DBDParams "host=localhost user=THEUSER pass=THEPASS"
DBDMin 2
DBDKeep 4
DBDMax 10
DBDExptime 300
</IfModule>
of course followed by
a2enconfig dbd_mysql
I've set up a MySQL Database "authdb" containing the table "mysql_auth" with basically two important columns, "username" and "password". The specific database is accessible by a user, which I will refer to as "THEUSER" with SELECT permission.
Then I added the site specific configuration in /etc/apache2/site-available/svn.conf:
DBDParams "dbname=authdb"
<Location /svn/private/>
DAV svn
SVNParentPath /svn/private/
AuthzSVNAccessFile /svn/auth/accesslist_private
SSLRequireSSL
AuthUserFile /dev/null
AuthName "SVN"
AuthType Basic
<IfModule mod_authn_dbd.c>
AuthBasicProvider dbd
AuthDBDUserPWQuery "SELECT password FROM mysql_auth WHERE username = %s"
Require valid-user
</IfModule>
</Location>
This site configuration has already been enabled so I restarted the Apache and found something in the log file which I absolutely can not understand:
[dbd:error] [pid 15225] (20014)Internal error: AH00629: Can't connect to mysql: Access denied for user 'A LOCAL SYSTEM USER'#'localhost' (using password: NO)
[dbd:error] [pid 15225] (20014)Internal error: AH00633: failed to initialise
[authn_dbd:error] [pid 15225] [client XX.XX.XX.XX:XYZ] AH01653: Failed to acquire database connection to look up user 'some_user'
This error repeats whenever I try to access my SVN repository.
What is really strange about this is that there is a user in the log file which I absolutely do not expect to find here. It is a system user who as nothing to do with neither MySQL nor Apache. This user is only used to login with SSH. Which point am I missing? Any help would be appreciated!
Finally figured out the problem. Obviously the content of my configuration file was loaded after the content of my site definition.
The solution was as follows: I moved the content from dbd_mysql.conf right in front of the -Definition of my /etc/apache2/site-available/svn.conf, disabled the conf, reloaded Apache and everything worked.
What I haven't figured out yet is, if my configuration is faulty because I would have expected that the configuration is loaded before my site definition which relies on the previous configuration.
I am testing SVN user for the read only access: following are is the configuration that I have in apache2 and svn repo conf:
However my test user have read and write access, instead I want read only access.
repo location
/svn/test/
file: /etc/apache2/conf.d/svn.conf
<location /repos>
DAV svn
#svn path
SVNParentPath /svn/
AuthType Basic
AuthName "Authorization Realm"
#password file path
AuthUserFile /etc/subversion/test.users
Require valid-user
</location>
authz conf (only one entry)
file: /svn/test/conf/authz
[test:/svn/test/]
* = r
also tried: following
[groups]
readonly = user1, user2
[/]
*=r
#readonly=r
also tried: following
[groups]
readonly = user1, user2
[10.29.3.238:80/repos/test]
*=r
You have authz-file, but don't use it: you miss at least one directive in SVN-location
AuthzSVNAccessFile /svn/test/conf/authz
You last authz-file is wrongly-formatted: path-section must have format without URL or IP of host, only [repository-name:/path/on/this/repo] ([/]is special case). I.e for [test:/svn/test/] after adding AuthzSVNAccessFile you define folder /svn/test/ in repository test as RO for everybody, second attempt is excessive: * = r will define all repositories RO for everybody, #readonly = r also RO for additional group (which is part of "Everybody" *)
I recently set up an svn repo with authentication.
Our PC users are using tortoise SVN and are able to checkout, commit, etc.
Our Mac OS users are using SmartSVN and when trying to checkout they get the following error:
Repository moved permanently; please relocate OPTIONS
request failed on'/'
I ran into this issue when setting it up initially with tortoisesvn and the solution was making sure that that svn repo wasn't a child of the www directory. So I placed it in the home directory
The home directory looks like the following:
/public_html
/repos
/www
The vhost conf file looks like:
<IfModule mod_dav_svn.c>
<Location /repos/>
DAV svn
SVNParentPath /data/svn/repos/
SVNListParentPath On
AuthType Basic
AuthName "SVN Repository"
AuthUserFile /data/svn/.htpasswds/.svn.htpasswd
AuthzSVNAccessFile /data/svn/.htpasswds/.svn.authz
Require valid-user
</Location>
</IfModule>
Both PC and Mac users are able to view the repositories with the proper authentication in a browser. The only issue is when trying to checkout when using SmartSVN on MacOS.
There aren't any errors in the log that I can see that relate.
Edit: Clarification
All users are checking out the repos with a url format like:
http://svn.myserver.com/repos/REPONAME
Both PC and Mac users are able to view the repositories with the proper authentication in a browser
Browser in your case is not the best testing-tool. CLI-based SVN-client will give more details about problem
In your case Mac-users (I suppose) tried to read repository root, not repository (it's possible in browser only with SVNListParentPath On in config, as you have). Any SVN client on any OS (for current stable 1.7) can not read SVNParentPath (promised to be changed in 1.8) and must to use
svn ls SERVER/repos/REPONAME as minimal root-level for single repository
Originally our svn was using a single repository and we changed it to use a collection of repositories. We were still using the same subdomain "svn.server.com" with the main difference that our collection is now svn.server.com/repos/
SmartSVN stored the old url "svn.server.com" and seemed to ignore the new supplied url during checkout (svn.server.com/repos/TEST)
The solution is simple.
SmartSVN > Preferences > Authentication
Delete the old record and then try to check out again.
OS: Linux OpenSUSE
Version control - Mercurial
Apache2
I run http ://my.os.name/ it gives me a page - thus apache is running.
I run http ://my.os.name:/hg - It shows me Mercurial page, thus mercurial is
showing up on http Internet Explorer page.
I'm able to create repositories/or do normal work in Mercurial.
What I need.
1. When I open the above Hg link
then, instead of showing me the Mercurial(Hg) repository page home page, it should first check whether I belong to my company or not i.e. it should authenticate using Windows Active Directory or LDAP server.
If I'm making any changes to a file or create a directory / repository in Hg, then it should make sure / authenticate/verify whether I have valid access to do that operation or not.
HOW can I do this, I need step by step help as I'm new in Apache/Mercurial authentication setup.
I have almost read all the Online help in setting this up and so far I'm able to get to a point whether when I open Hg link, I get a popup for username/password prompt, but its not taking it / not working.
I also dont want to create .htpasswd/ .htaccess or digest files. What I'm wondering is that if in Windows Active Directory, if I have a Security group created for ex: Company/Project1_readers, Company/Project1_Contributors, Company/Project1_Repository1_Readers, Company/Project1_Repository2_Contributors... and in those AD security group ids, if I have all the developers added, then using these groups in AD, I want to grant access to developers instead of adding those users in .hg/hgrc file.
(This is what usually we do in TFS (Team foundation Server) to grant/revoke access) instead of messing with files (adding/removing users) in every repository etc.
How can I do the above?
Kindly advise if the best way is only creating .htpasswd/.htaccess/.htdigest etc files...if I'm wrong in achieving the above scenario.
My httpd.conf file Includes another .conf file (which contains)
=========================================
<Directory /srv/www/hg>
Order deny,allow
Deny from All
AuthType Basic
# #AuthName "Apache Web Site: Login with your AD(Active Directory) credentials"
AuthName "Mercurial Repositories"
#
#
# AuthBasicProvider ldap
# AuthzLDAPAuthoritative off
# #AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName
# AuthLDAPURL "ldap://10.211.16.1:389/?samAccountName?sub?(objectClass=user)"
## #ldap://ldap.your-domain.com:389/o=stooges?uid?sub
# AuthLDAPBindDN "cn=xyzserver,OU=Services,OU=Users,OU=Infrastructure,OU=DEN,OU=KSH,DC=Psh,DC=Mason,DC=com"
# #"cn=StoogeAdmin,o=stooges"
# AuthLDAPBindPassword secret1
require valid-user
# require ldap-user
Satisfy any
</Directory>
When I'm using the abvoe LDAP URL in Jenkins, Jenkins is successfully authenticating a user while logging in, then why the same is not working when it's in this server's .conf file. Note, in apache2, the above doesn't have to be in httpd.conf file. Include concept is letting me include the file.conf and file.conf contains the above code. This is as per Apache2 directions as mentioned in httpd.conf file.
Rest of the mercurial files hgwebdir.cgi, hgweb.cgi, hgweb.config are all good (as per online blogs I have read).
I have all the required modules loaded (as they are visible in /etc/apache2/sysconfig.d/loadmodule.conf file (modules which are required for LDAP auth i.e. mod_ldap, mod_authz_ldap etc etc related to ldap and apache).
OK, Prompt part which was not taking my Windows Ldap credentials is now working.
What did I put wrong.
- See line: for AuthLDAPURL and AuthLDAPBindPassword, those were the culprits in my post shown above.
- Cause was, I was new to Windows AD/LDAP concept, so couldn't get a hold of anyone from Systems team in my company. So tried my own hands. The first line for AuthLDAPURL, I got from the GLOBAL configuration file (config.xml) of one of our Jenkins instance.
Jenkins GUI for showing config doesn't show passwords (as they are masked) so there you'll see Manager's DN password as "* * * * * *".
So, I thought I should open the config.xml file of Jenkins instance and got the password "secret1" from there. Actually "secret1" is just an example, in reality it was some crazy value over there like "VVX12##!5GH".
So basically I used that earlier which didn't work as for LDAP authentication to work correctly, you have to talk to someone in SYSTEMS team or the person WHO actually did the setup in Jenkins instance for LDAP authentication there.
Finally I got the password, and it worked.
Resolution: See below what I changed.
One important thing to notice is that, in Jenkins, AUTHURL for LDAP was:
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName
but,
from a Unix/Linux/in my case, SUSE machine, we have to change this line a little bit to
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName?sub
For more on this (Apache2.2 on connecting to Windows AD(Active Directory) authentication):
PS: http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html
and then
- I put the correct password for cn=xyzserver (Manager DN user id) in the file and all was good then.
Snapshot of apache config file or the file which you have created separately and included in your httpd.file or through /etc/sysconfig/apache2 filer (variable APACHE_INCLUDE...) now looks like:
<Directory /srv/www/htdocs/hg>
Order deny,allow
Deny from All
AuthType Basic
AuthName "LDAP Access - Mercurial"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName?sub
#AuthLDAPURL "ldap://10.211.16.1:389/OU=TSH,DC=Mason,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "cn=xyzserver,OU=Services,OU=Users,OU=Infrastructure,OU=DEN,OU=KSH,DC=Psh,DC=Mason,DC=com"
AuthLDAPBindPassword CorrectPassword!
# require ldap-user c149807
# AuthUserFile "/dev/null"
require valid-user
Satisfy any
</Directory>
I'll work on getting the user access part now on the actual repository as Auth part is done from IE(Internet Explorer) to Hg(Mercurial) from Linux/Unix/OpenSUSE machine.
if prompted multiple times for user credentials in mercurial. Setup Mercurial_Keyring and then
this question comes which nobody explained in an easy way.
??? how to make the [auth] xx.prefix = servername/hg_or_something work for all repositories under servername/hg location either if I use servername, servername's IP or servername's FQDN ?
ANSWER: Arun • 2 minutes ago
−
OK, I put this in ~/.hgrc (Linux/Unix -home directory's .hgrc hidden file) or Windows users %UserProfile%/mercurial.ini or %HOME%/mercurial.ini file.
[auth]
default1.schemes = http https
default1.prefix = hg_merc_server/hg
default1.username = c123456
default2.schemes = http https
default2.prefix = hg_merc_server.company.com/hg
default2.username = c123456
default3.schemes = http https
default3.prefix = 10.211.222.321/hg
default3.username = c123456
Now, I can checkout using either Server/IP/Server's FQDN.
I have repositories created in C:\Data\Subversion as well as sub-folders like C:\Data\Subversion\Dev-Mobile.
I can give per project access to users for the repos in the root folder without problems. For that I'm adding those lines in svn-acl:
[Project1:/]
Test = rw
However, I try to give access for a repo in a sub-folder but it doesn't work:
[Test161:/Dev-Mobile]
Test = rw
The project is declared in subversion.conf as:
<Location /Dev-Mobile/Test161>
DAV svn
SVNPath C:/Data/Subversion/Dev-Mobile/Test161
AuthType Basic
AuthName "Test161 Repository"
AuthUserFile c:/Data/Subversion/svn-auth-file
Require valid-user
AuthzSVNAccessFile c:/Data/Subversion/svn-acl
</Location>
What am I doing wrong?
I'm not an expert on the syntax of the svn-acl file. But I think that the syntax
[Test161:/Dev-Mobile]
Test = rw
is meant for configuring the permissions of the sub-folder /Dev-Mobile of an existing repository Test161. That is, it seems you are getting the identification of the repository and the folder within the repository confused.
The problem was that I tried to add the subfolder in the path (after :/) since this was the logical thing to do but I've found out Subversion will automatically scan the subdirs.
So this is the correct sintex no matter if the repo is in the root or a subfolder!
[Test161:/]
Test = rw