Wednesday, 13 February 2008

Configuring Subversion authentication using Windows Active Directory and Basic Auth from a file - problems encountered and workaround

At work we use Apache+SVN+SSPI to authenticate to Subversion using
Windows authentication. This keeps everyone's SVN logins updated
whenever their network logins change. All well and good, but then we
had to set up a build server using CruiseControl, and we are not able
to get a Windows network username for that. So we had to create a user
set up in a config file, and use Basic Auth for that.

WHAT DIDN'T WORK:

The first attempt at configuring Apache's httpd.conf, which was the
example shown in other blogs and forum posts, was something like:

# Location of our Subversion repository
<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath "D:\repository\svn"
AuthName "Subversion repositories"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative Off
SSPIDomain NEWS
SSPIOfferBasic On
# need to set this up so only select users/ group can have chk-in access.
# might want to restrict who can read as well.
# make sure this file is outside the SVNParentPath
AuthzSVNAccessFile "D:\repository\svnaccessfile.txt"

AuthType Basic
# make sure this file is outside the SVNParentPath
AuthUserFile "D:\repository\svn-httpasswd.txt"
AuthBasicAuthoritative Off
Require valid-user
</Location>

The problem was it never worked. The Basic Authentication never
worked. Only the Windows Authentication allowed me to get in.




WHAT WORKED:


So I ended up creating another Apache <Location> for use solely by
CruiseControl. And this has worked fine without any problems.

# Location of our Subversion repository
<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath "D:\repository\svn"
AuthType SSPI
AuthName "Subversion repositories - Active Directory authentication"
SSPIAuth On
SSPIAuthoritative On
SSPIDomain NEWS
SSPIOfferBasic On
# need to set this up so only select users/ group can have chk-in access.
# might want to restrict who can read as well.
# make sure this file is outside the SVNParentPath
AuthzSVNAccessFile "D:\repository\svnaccessfile.txt"
Require valid-user
</Location>
# we were unable to get the /svn working to use BOTH Active Directory and Basic Auth from a file,
# so we have to set up another one.
# Location of our Subversion repository used only by CruiseControl
# all others should use the standard /svn URL defined above
<Location /cruisecontrol>
DAV svn
SVNListParentPath on
SVNParentPath "D:\repository\svn"
AuthName "Cruisecontrol Subversion repositories"
AuthType Basic
# make sure this file is outside the SVNParentPath
AuthUserFile "D:\repository\svn-httpasswd.txt"
Require user cruisecontrol
</Location>
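
A tighter variant of the /cruisecontrol location, as an added example rather than the configuration from the original post. It applies the same access file as /svn so the build account can be held to read-only, limits the location to the build server, and refuses plain HTTP when mod_ssl is loaded. It assumes Apache 2.2 access-control syntax, a build server address of 192.0.2.10 (a placeholder), and a read-only entry for the cruisecontrol user in svnaccessfile.txt.

```apache
# Added example (Apache 2.2 syntax); not the configuration from the post.
# Location of our Subversion repository used only by CruiseControl
<Location /cruisecontrol>
    DAV svn
    SVNListParentPath on
    SVNParentPath "D:\repository\svn"

    AuthName "Cruisecontrol Subversion repositories"
    AuthType Basic
    # make sure this file is outside the SVNParentPath
    AuthUserFile "D:\repository\svn-httpasswd.txt"

    # Apply the same path-based rules that /svn uses. Without this line,
    # anyone who authenticates here can read and commit to every repository
    # under SVNParentPath. Assumed entry in svnaccessfile.txt that gives
    # the build account read-only access to all repositories:
    #
    #   [/]
    #   cruisecontrol = r
    #
    AuthzSVNAccessFile "D:\repository\svnaccessfile.txt"

    # Only the build server may reach this location.
    # 192.0.2.10 is a placeholder address, replace it with the real one.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10

    # Both the host check above and the login below must pass.
    Satisfy All
    Require user cruisecontrol

    # Basic Auth sends the password base64-encoded, not encrypted.
    # If mod_ssl is loaded, reject requests that arrive over plain HTTP.
    <IfModule ssl_module>
        SSLRequireSSL
    </IfModule>
</Location>
```

With the read-only entry in place, mod_authz_svn rejects commits made with the cruisecontrol password, so a leaked build credential cannot be used to alter the repositories.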

6 comments:

Alain O'Dea said...

SSPI owns. It makes the configuration so much easier. I have a similar how-to at http://concise-software.blogspot.com/2009/02/instant-windows-svn-server-with-ssl-and.html on my blog. It gets into the nitty-gritty of every step required from a base install of Windows server up to having the full Apache SSL ActiveDirectory Subversion server going.

I missed the cruisecontrol authentication piece in mine though. Your solution to that is awesome. We had an ActiveDirectory account for that and it definitely complicates things. I will propose that we do it the way you are since it seems to be much clearer and easier to manage.

krangsquared said...

Hi Alain, thanks for the comment. Glad it was of use to you.

Great info you've got there on your blog. We thought about using SSL but since it was all internal anyway, and the only remote access is through VPN, we decided there wasn't any point.

The separate Apache location for /cruisecontrol was really just a workaround, since we weren't in control of Active Directory, and getting something customised on AD was going to be very cumbersome, if not impossible. It would have been cleaner if everything was going through AD.

Paul said...

Great solution, thanks - seems so obvious in hindsight I am mad I didn't think of the separate Location elements:) To help others find your workaround I would change the title of the post though - maybe something like "...I tried, failed and found a workaround!"

Paul said...

Just as a strong recommendation, I would enable SSL for your subversion since domain account passwords are sent in cleartext over HTTP which is too easy to sniff - people with axes to grind are usually inside your firewall:)

krangsquared said...

Thanks Paul, I've modified the title and added some headings for clarity and easier scanning of the text.

That's a good point about SSL on Subversion. I think a lot of workplaces have the attitude of "It's for internal use only, then it's a trusted environment anyway, so why bother?" Hard to believe that even huge companies can be this naive when it comes to these things. (In my defense, I was told to not bother with SSL and just get something up and running!)

Cory said...

Great post, my last issue is around svn:externals that are in our SVN repository. The externals currently point to the SSPI tag and therefore, fail under Cruise Control's checkouts and updates.

Any ideas there?