I build a SVN server with apache. It work fine.
I don't want to anonymous could checkout, so I set httpd like
<location /svn>
DAV svn
SVNListParentPath Off
SVNParentPath C:/SVN/
Satisfy All
AuthType Basic
AuthName "Subversion Dir"
AuthUserFile "C:\Program Files (x86)\Subversion\svn-auth-conf.txt"
AuthzSVNAccessFile "C:\Program Files (x86)\Subversion\svn-acl-conf.txt"
Require valid-user
</location>
but I still can checkout by commnd line like
svn co http://repos test
without any username and password
How can I do to solve this issue?
You may have stored credentials for this URL
Remove Satisfy - read "Blanket access control" in SVN Book with sample
AuthName ...
AuthType ...
AuthUserFile ...
Require valid-user
Related
I want to restrict access of selected users to selected SVN repositories by Apache. However, as I did the configuration using the authz mechanism, I don't have any access to the repositories after logging into SVN. http://<my_server>/svn/ displays a "Collection of Repositories" list which is empty. http://<my_server>/svn/mytestrepo1 is showing "Forbidden You don't have permission to access this resource."
The configuration looks like this (Debian OS):
the repositories are located in /svn directory
I created the users with the command htpasswd -cm /etc/apache2/dav_svn.passwd admin1
content of the /etc/apache2/mods-enabled/dav_svn.conf file:
<Location /svn>
DAV svn
SVNParentPath /svn
SVNListParentPath On
AuthType Basic
AuthName "SVN repos"
AuthUserFile /etc/apache2/dav_svn.passwd
AuthzSVNAccessFile /etc/apache2/svn_access.acl
# <LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
# </LimitExcept>
</Location>
content of the /etc/apache2/svn_access.acl file:
[groups]
admin = admin1
users = test1
[/]
* = r
#admin = rw
[repo:/mytestrepo1]
#users = rw
How can I solve this problem?
Ok, I found it. My svn_access.acl file had a lot of tabbed and commented lines. When I cleaned it and started with simple:
[/]
* = rw
it is working.
Initially I have installed apache server 2.4 in windows server 2012 R2 and i have installed apache subversion 1.8.7 and i have copied module files(.so files) from subversion to apache server.I have created a repository. I have setup the "AuthUserFile" and "AuthzSVNAccessFile" I have given following code in httpd.conf
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
AuthType Basic
AuthName "Subversion Project1 repository"
AuthUserFile c:/etc/svn-auth-file
Require valid-user
AuthzSVNAccessFile c:/etc/svn-acl
</Location>
I have used tortoise svn client to connect to repository which i have successfully connected I have successfully created files,commit the files.
Later i want to setup authentication with the active directory I have added following code in http.conf file
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
SVNParentPath E:\svn_testing
SVNListparentPath on
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
#AuthzLDAPAuthoritative off
AuthName "Active_directory_integration"
AuthzSVNAccessFile C:\etc\svn-acl
AuthLDAPURL "ldap://***********(ip address):389/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
#this assumes you have created a dedicated bind user "apache_bind" on your active directory
AuthLDAPBindDN "CN=Administrator,CN=users,DC=*******,DC=com"
#warning: this password for AD apache_bind user is in plain text!
AuthLDAPBindPassword *************
#AuthLDAPFollowReferrals off
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
#SSLRequireSSL
require ldap-group OU=********,DC=********,DC=com
#require valid-user
</Location>
But when i try to restart the server apache server it is showing "The Requested operation has failed" I have checked the log files but there is nothing there
It seem you are trying to search the whole AD-Catalog, as you do not specify any OU. this is not supported by Windows AD. However the whole Catalog is available by using port 3268
Please try this:
AuthLDAPURL "ldap://***********(ip address):3268/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPGroupAttribute member
require ldap-group OU=********,DC=********,DC=com
Organizational Units (ou) dont have the attribute member, according to https://msdn.microsoft.com/en-us/library/ms683886(v=vs.85).aspx.
You should try the DN of the group you want to access your repo.
On my server this would look like this:
require ldap-group cn=thegroup,ou=groups,dc=example,dc=com
Notice the cn, which is a groupOfNames with the member attribute in my case.
I goggoled a lot about the feature to have multipe repositorie in different location on a server with apache2.
All describe to modify /etc/apache2/mods-available/dav_svn.conf as below:
# Subversion - team A
<Location "/a">
DAV svn
SVNPath /svn/team-a
SVNIndexXSLT "/svnindex.xsl"
</Location>
# Subversion - team B
<Location "/b">
DAV svn
SVNPath /svn/team-b
SVNIndexXSLT "/svnindex.xsl"
</Location>
I tried to modify mine, but it does not work. Below my config:
<Location /Repo1>
DAV svn
SVNParentPath /home/xxx/repositories/Repo1/
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/svn-users
</Location>
<Location /Repo2>
DAV svn
SVNParentPath /home/xxx/repositories/Repo2/
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/svn-users
</Location>
With this config none of two repositories work. If I enable 1 per time, the single repo works.
As you can see I want root repositories in different path: each root has different subrepositories.
SVNParentPath != SVNPath
SVNParentPath is parent-dir of all repos for location, but not repo
At the end it was a problem on rabbit SVN.
Using terminal all is ok.
Reinstalling RabbitSVN all is working well.
I'm trying to configure my server to use the Apache Module mod_auth_digest directive only am having a tough time. Here's what I've got:
htdigest -c passwdfile registered_users#mydomain.net andy
'passwdfile' resides in
/var/www/
and in my httpd.conf file
<Location /var/www/mydomain/wp-admin/>
AuthType Digest
AuthName "private area"
AuthDigestDomain /var/www/mydomain/wp-admin/
AuthDigestProvider file
AuthUserFile /var/www/passwdfile
Require valid-user
</Location>
both mod_authn_file & mod_auth_digest are present on my server. Upon browsing to
http://mydomain.net/wp-admin I'm expecting to be prompted by Apache for a username and password only am not!
The location directive maps to the request URI not a server path.
Change
<Location /var/www/mydomain/wp-admin/>
To
<Location /wp-admin>
See docs here: https://httpd.apache.org/docs/2.4/mod/core.html#location
I am setting up SVN on a Red Hat Linux machine. My scenario is that I have two projects in the same directory:
/var/www/svn/proj1
/var/www/svn/proj2
My subversion.conf has the following configurations:
<Location /svn/proj1>
DAV svn
SVNPath /var/www/svn/proj1
AuthzSVNAccessFile /etc/svn_proj1-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
Require valid-user
</Location>
<Location /svn/proj2/>
DAV svn
SVNParentPath /var/www/svn/proj2
SVNListParentPath on
AuthzSVNAccessFile /etc/svn_proj2-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
Require valid-user
</Location>
For project1 my URL http://www.example.com/svn/proj1 works pretty good, but for project2 I need to add trailing slash in the end of URL, http://www.example.com/svn/proj2/ or else it doesn't return with a user/password window.
If I remove the trailing slash from the location directive,
<Location /svn/proj2>
then it starts giving a 403 Forbidden error, no matter if I use a slash or not in the browser.
I am using it with TortoiseSVN, but project2 isn't working at all.
What should I look at in configurations?
Confused. Confused. Confused...
But, I'm easily confused...
You have two projects. The first one you use:
SVNPath /var/www/svn/proj1
and the second you use:
SVNParentPath /var/www/svn/proj2
Why is one SVNPath and the other SVNParentPath? There's a difference. You specify SVNPath when you refer to a particular repository. You use SVNParentPath when you refer to a directory that contains multiple repositories.
So, exactly what is your setup? I have a feeling that they both should be SVNPath.
By the way, I notice you have the same user list, but separate AuthzSVNAccessFile access files. Are you merely stopping people from committing, or are you preventing people from reading particular files and directories?
Normal practice is to allow users to see all files, but to prevent commit access. In that case, you may want to do that outside of Apache httpd, using my pre-commit hook. This allows you to do two things:
Turn off directory checking access which speeds up Subversion.
Change commit permissions without restarting Apache httpd.
You can then configure both directories in a single configuration:
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
SVNListParentPath on
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
SVNPathAuthz off
Require valid-user
</Location>
Of course, if you're using AuthzPath to prevent read access, you have to use the AuthzSVNAccessFile parameter. But, it makes things more complex, and it slows you down. I usually recommend against it unless users aren't suppose to be able to peek at each other repos (which is quite rare).
And, one more thing... Do your users have LDAP or Windows Active Directory accounts? If so, you can use that to determine Subversion repository access:
LoadModule authnz_ldap_module modules/authnz_ldap.so
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
SVNListParentPath on
AuthType basic
AuthName "Subversion Repository"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://windomain.mycorp.com:3268/dc=mycorp,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=svn_user,OU=Users,DC=mycorp,DC=com"
AuthLDAPBindPassword "swordfish"
Require ldap-group CN=developers,CN=Users,DC=mycorp,DC=com
</Location>
This way, if a user has a Windows account (or is in your LDAP database), and that user is in the developers group, they automatically have access to your Subversion repositories (note the SVNParentPath for both repos and any future ones). This way, you're not constantly adding and subtracting users out of your SVN AUthorization file. Plus, you're not constantly retrieving forgotten passwords.
Now, that's all your Windows administrator's responsibility. It's magic. I made your task their job. User doesn't have Subversion access? No longer your problem. More time to play Angry Birds.
One more tiny thing: I have a feeling you don't want to place your repository under /var/www for the simple reason that might be your document root. If you're not careful, you might be granting direct access to your Subversion repository directory.
You're better off putting them elsewhere and changing the SVNParentPath.
The Location and SVNParentPath directive should have the same trailing slash rule: either with or without.
So it should be:
<Location /svn/proj2/> <--- Here trailing slash (or not)
[..]
SVNPath /var/www/svn/proj2/ <--- Here same like Location
[...]
</Location>