Apache URL variable for SVN and LDAP - apache

This is more of a question related to how Apache handles variables and the SetEnvIf directive. I have a Subversion server located at http://test.net/svn with the following configuration for SVN:
<Location /svn>
DAV svn
SVNParentPath /path/to/repo/base
AuthzSVNAccessFile /path/to/access
AuthName "LDAP Auth"
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://172.20.20.20:389/dc=test,dc=net?uid" NONE
AuthLDAPBindDN "cn=svn,ou=system,dc=test,dc=net"
AuthLDAPBindPassword secret
Require valid-user
</Location>
Inside "/path/to/repo/base", I have around 80 repositories, each accessed by http://test.net/svn/repo-name. This one Apache configuration handles authentication for all of the repositories using the "/path/to/access file".
In the future, I'll do authorization using LDAP groups. However, I don't want to create separate Apache configurations for each repository. Basically, I would like to set a variable for the repository name using the Request URI. For example, I access http://test.net/svn/repo-name/path/to/file.txt and Apache knows that "repo-name" is the variable.
Something like this (syntax is not correct, just pseudo-code):
SetEnvIf Request_URI "http://test.net/svn/$1/.*" repo-name=$1
...
...
Require ldap-group cn=$repo-name,ou=system,dc=test,dc=net

Related

Integrate apache subversion with the active directory in windows server

Initially I have installed apache server 2.4 in windows server 2012 R2 and i have installed apache subversion 1.8.7 and i have copied module files(.so files) from subversion to apache server.I have created a repository. I have setup the "AuthUserFile" and "AuthzSVNAccessFile" I have given following code in httpd.conf
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
AuthType Basic
AuthName "Subversion Project1 repository"
AuthUserFile c:/etc/svn-auth-file
Require valid-user
AuthzSVNAccessFile c:/etc/svn-acl
</Location>
I have used tortoise svn client to connect to repository which i have successfully connected I have successfully created files,commit the files.
Later i want to setup authentication with the active directory I have added following code in http.conf file
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
SVNParentPath E:\svn_testing
SVNListparentPath on
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
#AuthzLDAPAuthoritative off
AuthName "Active_directory_integration"
AuthzSVNAccessFile C:\etc\svn-acl
AuthLDAPURL "ldap://***********(ip address):389/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
#this assumes you have created a dedicated bind user "apache_bind" on your active directory
AuthLDAPBindDN "CN=Administrator,CN=users,DC=*******,DC=com"
#warning: this password for AD apache_bind user is in plain text!
AuthLDAPBindPassword *************
#AuthLDAPFollowReferrals off
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
#SSLRequireSSL
require ldap-group OU=********,DC=********,DC=com
#require valid-user
</Location>
But when i try to restart the server apache server it is showing "The Requested operation has failed" I have checked the log files but there is nothing there
It seem you are trying to search the whole AD-Catalog, as you do not specify any OU. this is not supported by Windows AD. However the whole Catalog is available by using port 3268
Please try this:
AuthLDAPURL "ldap://***********(ip address):3268/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPGroupAttribute member
require ldap-group OU=********,DC=********,DC=com
Organizational Units (ou) dont have the attribute member, according to https://msdn.microsoft.com/en-us/library/ms683886(v=vs.85).aspx.
You should try the DN of the group you want to access your repo.
On my server this would look like this:
require ldap-group cn=thegroup,ou=groups,dc=example,dc=com
Notice the cn, which is a groupOfNames with the member attribute in my case.

SVN Repo works without authentication

I have created SVN host using:
<Location /svn>
DAV svn
SVNParentPath /home/xxx/xxx/xxx/xxx/Main_Folder/company-1
AuthType Basic
SVNListParentPath On
AuthName "Test"
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>`
Although I have specified user privileges in svnserve.conf, it does not seem to "take it" because I can access the repository (see below) without any prompt for user/password.
Can you please point what am I doing wrong?
Thanks!
Read the docs, it seems that you use a wrong configuration file.
Configuration settings in the file svnserve.conf do not have any effect in this particular case. Your server runs Apache and Apache does not process svnserve.conf. This configuration file is used by svnserve custom server only.

Apache2 - classification/authentication per location

I'm developing a client-server application with WebDAV functionality. Apache2 is used as webserver, a Windows Phone application as client. I'm working with classifications: TOPSECRET - SECRET - CONFIDENTIAL - PUBLIC.
TOPSECRET: SSL mutual authentication + password/username
SECRET: SSL mutual authentication
CONFIDENTIAL: password/username
PUBLIC: no authentication (but SSL is required)
So far, it's working with this configuration in Apache2: the user must choose at which level he wants to authenticate and he will be directed to the correct folder.
#For webdav configuration
Alias /public /home/bram/Desktop/webdav/public
Alias /confidential /home/bram/Desktop/webdav/confidential
Alias /secret /home/bram/Desktop/webdav/secret
Alias /topsecret /home/bram/Desktop/webdav/topsecret
<Location /public>
#no authentication required
DAV On
Satisfy Any
Allow from all
SSLVerifyClient none
</Location>
<Location /confidential>
#only username-password authentication
DAV On
Satisfy Any
Allow from all
SSLVerifyClient none
AuthType Digest
AuthName "DavCompany
AuthUserFile /home/bram/Desktop/password/digest-password
Require valid-user
</Location>
<Location /secret>
#only strong/device authentication (mutual SSL)
DAV On
Satisfy Any
Allow from all
SSLVerifyClient require
SSLVerifyDepth 3
</Location>
<Location /topsecret>
#Device + username-password authentication
DAV On
Satisfy Any
Allow from all
AuthType Digest
AuthName "DavTopsecret"
AuthUserFile /home/bram/Desktop/password/digest-password
Require valid-user
SSLVerifyClient require
SSLVerifyDepth 3
</Location>
My problem: When authenticated in TOPSECRET, the user also has to see the folders SECRET, CONFIDENTIAL end PUBLIC. When authenticated in CONFIDENTIAL or SECRET, the user has to see the folder PUBLIC. I'm not familiar with Apache2.
Has anybody a suggestion to make this work?
This is a tough one. I'd have to experiment to find the answer, but I think you want to try to avoid mixing authorization mechanisms in Apache (you're using SSL's builtins, along with Apache's core mechanisms). You may, also, need this to be more hierarchical.
This perhaps isn't the complete answer, but it should be a starting point. Try setting your "base" permissions in the <VirtualHost> you're working with and vary the Locations within scope:
<VirtualHost *:443>
# other VirtualHost configurations
# ....
SSLVerifyClient optional
SSLVerifyDepth 3
Require ssl
Satisfy all
<Location /confidential>
AuthType digest
AuthName "DavCompany"
AuthUserFile /home/bram/Desktop/password/digest-password
Require valid-user
</Location>
<Location /secret>
Require ssl-verify-client
</Location>
<Location /topsecret>
AuthType Digest
AuthName "DavTopsecret"
AuthUserFile /home/bram/Desktop/password/digest-password
Require ssl-verify-client
Require valid-user
</Location>
</VirtualHost>
I'm sure the above isn't perfect, but I think it is along the right lines for what you're trying to accomplish. I haven't run this through Apache, so it is possible there are mistakes above, but I believe it is roughly accurate.
The idea of what I've done above is to try to keep the overall authorization plan within the same scope. From there, the "tighter" scopes are applied for their specific locations. I do think there is a problem in that the user files are separate, and the AuthName are different for confidential and topsecret. I think, as it is, users with topsecret MAY NOT have access to confidential with their credentials if the AuthUserFile isn't the same.

Apache Module mod_auth_digest

I'm trying to configure my server to use the Apache Module mod_auth_digest directive only am having a tough time. Here's what I've got:
htdigest -c passwdfile registered_users#mydomain.net andy
'passwdfile' resides in
/var/www/
and in my httpd.conf file
<Location /var/www/mydomain/wp-admin/>
AuthType Digest
AuthName "private area"
AuthDigestDomain /var/www/mydomain/wp-admin/
AuthDigestProvider file
AuthUserFile /var/www/passwdfile
Require valid-user
</Location>
both mod_authn_file & mod_auth_digest are present on my server. Upon browsing to
http://mydomain.net/wp-admin I'm expecting to be prompted by Apache for a username and password only am not!
The location directive maps to the request URI not a server path.
Change
<Location /var/www/mydomain/wp-admin/>
To
<Location /wp-admin>
See docs here: https://httpd.apache.org/docs/2.4/mod/core.html#location

SVN, trailing slash in Location directive works on browser, but gives 403 error if removed

I am setting up SVN on a Red Hat Linux machine. My scenario is that I have two projects in the same directory:
/var/www/svn/proj1
/var/www/svn/proj2
My subversion.conf has the following configurations:
<Location /svn/proj1>
DAV svn
SVNPath /var/www/svn/proj1
AuthzSVNAccessFile /etc/svn_proj1-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
Require valid-user
</Location>
<Location /svn/proj2/>
DAV svn
SVNParentPath /var/www/svn/proj2
SVNListParentPath on
AuthzSVNAccessFile /etc/svn_proj2-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
Require valid-user
</Location>
For project1 my URL http://www.example.com/svn/proj1 works pretty good, but for project2 I need to add trailing slash in the end of URL, http://www.example.com/svn/proj2/ or else it doesn't return with a user/password window.
If I remove the trailing slash from the location directive,
<Location /svn/proj2>
then it starts giving a 403 Forbidden error, no matter if I use a slash or not in the browser.
I am using it with TortoiseSVN, but project2 isn't working at all.
What should I look at in configurations?
Confused. Confused. Confused...
But, I'm easily confused...
You have two projects. The first one you use:
SVNPath /var/www/svn/proj1
and the second you use:
SVNParentPath /var/www/svn/proj2
Why is one SVNPath and the other SVNParentPath? There's a difference. You specify SVNPath when you refer to a particular repository. You use SVNParentPath when you refer to a directory that contains multiple repositories.
So, exactly what is your setup? I have a feeling that they both should be SVNPath.
By the way, I notice you have the same user list, but separate AuthzSVNAccessFile access files. Are you merely stopping people from committing, or are you preventing people from reading particular files and directories?
Normal practice is to allow users to see all files, but to prevent commit access. In that case, you may want to do that outside of Apache httpd, using my pre-commit hook. This allows you to do two things:
Turn off directory checking access which speeds up Subversion.
Change commit permissions without restarting Apache httpd.
You can then configure both directories in a single configuration:
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
SVNListParentPath on
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
SVNPathAuthz off
Require valid-user
</Location>
Of course, if you're using AuthzPath to prevent read access, you have to use the AuthzSVNAccessFile parameter. But, it makes things more complex, and it slows you down. I usually recommend against it unless users aren't suppose to be able to peek at each other repos (which is quite rare).
And, one more thing... Do your users have LDAP or Windows Active Directory accounts? If so, you can use that to determine Subversion repository access:
LoadModule authnz_ldap_module modules/authnz_ldap.so
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
SVNListParentPath on
AuthType basic
AuthName "Subversion Repository"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://windomain.mycorp.com:3268/dc=mycorp,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=svn_user,OU=Users,DC=mycorp,DC=com"
AuthLDAPBindPassword "swordfish"
Require ldap-group CN=developers,CN=Users,DC=mycorp,DC=com
</Location>
This way, if a user has a Windows account (or is in your LDAP database), and that user is in the developers group, they automatically have access to your Subversion repositories (note the SVNParentPath for both repos and any future ones). This way, you're not constantly adding and subtracting users out of your SVN AUthorization file. Plus, you're not constantly retrieving forgotten passwords.
Now, that's all your Windows administrator's responsibility. It's magic. I made your task their job. User doesn't have Subversion access? No longer your problem. More time to play Angry Birds.
One more tiny thing: I have a feeling you don't want to place your repository under /var/www for the simple reason that might be your document root. If you're not careful, you might be granting direct access to your Subversion repository directory.
You're better off putting them elsewhere and changing the SVNParentPath.
The Location and SVNParentPath directive should have the same trailing slash rule: either with or without.
So it should be:
<Location /svn/proj2/> <--- Here trailing slash (or not)
[..]
SVNPath /var/www/svn/proj2/ <--- Here same like Location
[...]
</Location>