Saturday, August 18, 2007

Setting up SVN to authenticate against a domain

At work we’ve been developing our latest and greatest project, and when we first started we inherited a version control application from a previous team. It has worked okay so far, but we’ve now hit the point where we want to start doing releases for different clients, keep specific features with certain versions, etc. Our inherited version control software didn’t do the whole versioning thing very nicely, so we began looking into different options.
 
SVN ended up being the final choice. A few reasons went into the decision. For one it’s free; it’s also widely used, tried and true, and it does versioning much less painfully than our current solution. One thing we wanted to get rid of was having a different set of credentials for our version control. We wanted to just use our domain authentication so we don’t have different passwords for everything. SVN makes this pretty easy to accomplish, so for this article I’m going to give some quick steps on how to achieve this.
 
First you’ll need SVN
 
Second you’ll also need to download Apache. Why do you need Apache for version control?? Well you don’t HAVE to have it, but if you want to authenticate against a domain controller then just download it :)
 
Third you’ll want to download mod_auth_sspi for domain authentication with Apache.
 
Awright, now we’re ready to go. Install Apache; this is pretty straightforward. Once you’ve got it installed you should be able to view the default root page from a web browser. If not, check out the Apache docs :( (Apache should install without a hitch though)
 
Next, copy the files mod_authz_svn.so and mod_dav_svn.so from the bin folder of SVN into Apache’s modules folder. And while we’re copying files we might as well copy the mod_auth_sspi.so file there as well.
 
Now let’s go ahead and install Subversion. This should be pretty straightforward as well. Once you’ve downloaded it, just make sure to add the bin folder to the path. After you’ve done this, create your initial repository using something like this:
 
    svnadmin create c:/some/path/you/want/to/use
 
Now open up the httpd.conf file and add these lines into the modules section
 
    LoadModule dav_module modules/mod_dav.so
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule sspi_auth_module modules/mod_auth_sspi.so
    LoadModule authz_svn_module modules/mod_authz_svn.so
 
Also at the bottom somewhere add this line
 
    Include c:/some/path/to/your/repository/subversion.conf
 
Don’t worry, that file doesn’t exist yet, but we’ll get to that right now!
 
So in your repository path (the one we created just a bit ago) go ahead and create a text file called subversion.conf. Edit the file and add something like this.
 
    # make sure to add the last '/' in the url
    <Location /some/url/for/apache/to/use/>
        DAV svn
        SVNParentPath c:/svn/project/path
        # this just allows you to view the contents from a web browser
        SVNListParentPath on
        AuthName "put whatever you want here"
        AuthType SSPI
        # allows you to not supply your domain with your user name every time
        SSPIOmitDomain on
        SSPIAuthoritative On
        SSPIDomain yourDomainThatYouLogInto.com
        # falls back to Basic authentication for clients that cannot do SSPI;
        # Basic sends the password only base64-encoded, so serve this location over HTTPS
        SSPIOfferBasic On
        Require valid-user
        AuthZSVNAccessFile "c:/the/path/to/your/repository/svnaccess.conf"
    </Location>
 
You can also add support for authenticating against multiple domains, or against one domain plus username/password pairs in a text file, etc. All you need to do is add those one after another in the Location tag.
 
And finally, edit the svnaccess.conf file for the repository we created earlier. Here is a sample:
 
    [groups]
    svnadmins = DOMAIN\joe.williams, Joe.Williams, joe.williams
    developers = DOMAIN\bob.williams, Bob.Williams, bob.williams

    [/]
    @svnadmins = rw

    [yourSVNProjectName:/]
    @svnadmins = rw
    @developers = r

    [yourSVNProjectName:/trunk]
    @developers = rw
 
You’ll notice we have three entries for each user. This is because different apps may use one of the three variations, so to avoid some headaches just add all three for each user. You only have to do it once anyway.
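To check what the access file above grants before relying on it, here is an added example (not part of the original post, and not Subversion's own code) that resolves a user's effective access. It assumes a simplified model of Subversion's path-based authorization: the nearest section that mentions the user decides, a repository-qualified section is consulted before the global one, and user names match case-sensitively. The function names and the sample text are constructed for illustration.

```python
import configparser
import posixpath

# Constructed sample, modelled on the svnaccess.conf in this post.
SAMPLE = r"""
[groups]
svnadmins = DOMAIN\joe.williams, Joe.Williams, joe.williams
developers = DOMAIN\bob.williams, Bob.Williams, bob.williams
[/]
@svnadmins = rw
[yourSVNProjectName:/]
@svnadmins = rw
@developers = r
[yourSVNProjectName:/trunk]
@developers = rw
"""

def load(text):
    """Parse an authz file into (groups, rules); names stay case-sensitive."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # configparser lower-cases keys unless told not to
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",")} for g, v in cp.items("groups")}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, rules

def matches(who, user, groups):
    if who.startswith("@"):
        return user in groups.get(who[1:], ())
    return who in ("*", user)

def access(groups, rules, user, repo, path):
    """Return 'rw', 'r' or '' (denied) for user on repo:path (simplified model)."""
    path = posixpath.normpath("/" + path.strip("/"))
    while True:
        # A repository-qualified section is consulted before the global one.
        for section in (f"{repo}:{path}", path):
            perms = [p for w, p in rules.get(section, {}).items() if matches(w, user, groups)]
            if perms:  # nearest section that mentions the user decides
                return "".join(c for c in "rw" if any(c in p for p in perms))
        if path == "/":
            return ""  # no section mentions the user: access is denied
        path = posixpath.dirname(path)

if __name__ == "__main__":
    groups, rules = load(SAMPLE)
    for user in (r"DOMAIN\bob.williams", "BOB.WILLIAMS"):
        for p in ("/trunk/src", "/tags/1.0"):
            print(user, p, repr(access(groups, rules, user, "yourSVNProjectName", p)))
```

A spelling of the user name that is not listed, such as `BOB.WILLIAMS`, resolves to no access, which is why the sample lists three variations per user.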
 
So that’s pretty much the quick run-through for setting it up. Below is a list of links that I found useful when setting this up :) enjoy
 
 
 
