DGhost's Blog

A sysadmin thoughts about the Internet and technologies…

Setting up a Subversion server on Linux with SASL authentication against an LDAP Active Directory database


This text was created for my personal reference. I spent a lot of time on this, and now that I have made it work I am documenting the steps I took.  I am assuming that if you follow the steps in this document you have a good understanding of the basics of Linux.  This is not a "how to" for Linux itself but for configuring Subversion with SASL and LDAP against an Active Directory server.

Some background on why I want to do this (skip it if you only want the setup):

The company I work for runs more than 60 Subversion servers (all VMs), all on Linux with Apache2, with authentication done by Apache's mod_ldap against our Active Directory server.  The server that hosts the user accounts is a Windows Server 2008 domain controller.  So all the accounts are stored in Microsoft's LDAP directory, not in OpenLDAP.  Active Directory does speak LDAP, but with its own schema (the login name lives in sAMAccountName, for example), so configurations written for OpenLDAP do not carry over unchanged.  This kind of setup is Subversion over HTTP, served by Apache's mod_dav_svn.  I won't go into the details of that setup because it is already well documented on the Internet.

This setup has served us well for the last 3 years, but we are now having a lot of problems where the Apache2 service crashes when too many users use the SVN server at the same time (we have more than 100 users accessing our SVN servers every day).  When Apache2 crashes or freezes we are not able to kill and restart the service live; we must do a cold reboot of the server, because the server waits for the apache2 process to shut down before rebooting.  Very annoying!  So I want an authentication system that won't crash when there are a lot of users.  I need something lighter.  But I want to keep authenticating against our Active Directory server, because we don't want to manage a new database of all the accounts just for SVN.  I have to drop the Apache2 part.  Here comes SASL.  Its saslauthd daemon can verify passwords against several back ends, and one of them is… LDAP!  Now we are talking.  With this new setup our SVN protocol changes from http://svnserver to svn://svnserver.  No big deal.  We will lose the option of browsing the repository with a browser (IE, Firefox, etc.).  Like I care!

After a lot of research on the Internet I still had trouble working out whether this kind of setup is feasible at all.  Lots of people say no, but I guess that's because of older versions of the Subversion server (i.e. versions before 1.6.5).  Lots of people said they were able to make it work, but after following some vague instructions it never worked for me.
After a couple of days of tests and tries, I was able to make it work.

On to the setup itself!

You'll need a Linux server up and running; I used CentOS 5.5 32-bit.  I installed Subversion server version 1.6.13.  Be aware of what this setup does with credentials: the svn:// client sends the login and password to svnserve with the SASL PLAIN mechanism and min-encryption = 0, so they cross the network in clear text, and saslauthd then checks them with a simple LDAP bind to the AD server over ldap:// without TLS, so they cross the network to the domain controller in clear text a second time.  I read that Subversion will not let authentication go through with clear text before version 1.6.5.  I have not tested it with that specific version, only with 1.6.13.  If you want a more secure way of sending the account info over a network (like the Internet), then I suggest you use svn+ssh for the protocol (not documented here); the LDAP leg can be protected with ldaps:// or ldap_start_tls: yes in saslauthd.conf.

Everything on the CentOS server was installed using yum.  Make sure that all these packages are installed; if any of them is missing, it won't work!

subversion – I used version 1.6.13
db4-utils – I am not sure yet if I need this or not!
cyrus-sasl – The SASL authentication system
cyrus-sasl-ldap – LDAP plugin for SASL
cyrus-sasl-plain – for PLAIN login with SASL

If you want the latest version of Subversion you'll have to use a yum repository that contains it.  By default the Subversion package that ships with CentOS is an old version, 1.4.  Follow the steps at this link to connect your CentOS installation to the RPMForge repository and get the latest version:

http://wiki.centos.org/AdditionalResources/Repositories/RPMForge?action=show&redirect=Repositories%2FRPMForge

After you have connected to the RPMForge repository, let's install all of it in one shot!  Run the following command:

# yum -y install subversion cyrus-sasl cyrus-sasl-ldap cyrus-sasl-plain db4-utils

Other packages will be pulled in as dependencies; just go ahead and install all of them.  Once this is done, you can check the Subversion version by running the following command; it shows the installed version (and whether it is installed at all):

# yum info subversion

Output will be:

Installed Packages
Name       : subversion
Arch       : i386
Version    : 1.6.13
Release    : 0.1.el5.rf
Size       : 20 M
Repo       : installed
Summary    : Modern Version Control System designed to replace CVS
URL        : http://subversion.tigris.org/
License    : BSD
Description: Subversion is a concurrent version control system which enables one
: or more users to collaborate in developing and maintaining a
: hierarchy of files and directories while keeping a history of all
: changes.  Subversion only stores the differences between versions,
: instead of every complete file.  Subversion is intended to be a
: compelling replacement for CVS.

Or you can use this command to check the version (the last line of its output confirms that this build has SASL support, which is required for everything that follows):

# svnserve --version
svnserve, version 1.6.13 (r1002816)
compiled Oct  2 2010, 21:05:06

Copyright (C) 2000-2009 CollabNet.
Subversion is open source software, see http://subversion.tigris.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).

The following repository back-end (FS) modules are available:

* fs_base : Module for working with a Berkeley DB repository.
* fs_fs : Module for working with a plain file (FSFS) repository.

Cyrus SASL authentication is available.

Now let's create a repository for your Subversion server with this command:

# svnadmin create /path_to_repo/svn

Now on to the configuration of all these text files!  First let's tell svnserve to use SASL as the authentication mechanism.  Edit /path_to_repo/svn/conf/svnserve.conf.  The keys below are already in the stock file but commented out (#); uncomment them in the section shown, because use-sasl and min-encryption are only honoured inside the [sasl] section:

[general]
# Disable anonymous access to the repo
anon-access = none
# Authenticated users can read and write (subject to the authz rules)
auth-access = write
# Path-based access control file, relative to this conf directory
authz-db = authz

[sasl]
# Tell svnserve to use Cyrus SASL for authentication
use-sasl = true
# PLAIN has no encryption layer, so the minimum must be 0 for it to be offered;
# with this setting the authentication crosses the wire in clear text
min-encryption = 0

That's it for this one; make the changes and save it.  Don't forget to configure your authz file properly as well: the user names in it are the ones users type at the svn prompt, which saslauthd matches against sAMAccountName, so use that spelling.

Now let's configure SASL's own options for the Subversion service.  This file is a mystery for a lot of people because its name and location differ from one Linux distro to another.  I think it is the hardest part to figure out.  svnserve registers with Cyrus SASL under the service name "svn", so the file must be named svn.conf and live in the directory where SASL looks for application configs; on CentOS I created it as /etc/sasl2/svn.conf.  The file contains the following configuration:

###################################################################
# For CentOS /etc/sasl2/svn.conf
# For other distros it could be /usr/lib/sasl2/svn.conf
# (the name stays svn.conf everywhere: svnserve's SASL service name is "svn")
#
# Password check method: hand the user/password pair to the saslauthd daemon,
# which is what actually talks to Active Directory.
pwcheck_method: saslauthd
#
## Auxiliary property plugin.  Not consulted on the saslauthd path above;
## left here as in the working config, but PLAIN + saslauthd does not need it.
auxprop_plugin: ldap
#
## Mechanism list: PLAIN only (the password has to reach saslauthd in clear
## text so it can be checked with an LDAP bind)
mech_list: PLAIN
ldapdb_mech: PLAIN
# EOF
###################################################################

Now let's configure the LDAP options for saslauthd itself!  Create a text file here:

# touch /etc/saslauthd.conf

This file will hold the bind account's password, so restrict it to root before you put the password in:

# chmod 0600 /etc/saslauthd.conf

Put the following config in it; make sure you change the address of the LDAP server, the bind user and password, and ldap_default_domain to reflect your environment.

###################################################################
#/etc/saslauthd.conf
#
# Your AD server address.  ldap:// sends the bind in clear text; once this
# works, prefer ldaps://server.domain.local (or ldap_start_tls: yes below)
# together with ldap_tls_cacert_file pointing at the CA that issued the
# domain controller's certificate.
ldap_servers: ldap://server.domain.local
#
# You can specify the default domain name!
ldap_default_domain: domain.local
#
# Where are the users located in the AD?  With the default layout they are in
# the Users container (CN=Users is a container, not an OU).  With
# ldap_scope: sub you can also search the whole domain from DC=domain,DC=local.
ldap_search_base: CN=users,DC=domain,DC=local
#
# You need an account to search the directory.  Create a dedicated,
# unprivileged service account for this rather than reusing a person's login.
ldap_bind_dn: user@domain.local
#
# Its password goes here, which is why this file must not be world-readable:
ldap_bind_pw: user_password
#
# Options that make it work with Microsoft AD.
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
# Set to yes to upgrade the ldap:// connection with STARTTLS (needs the CA file)
ldap_start_tls: no
ldap_version: 3
# bind = look the user up with ldap_filter, then bind as that user with the
# supplied password; AD verifies it, saslauthd never handles a password hash.
ldap_auth_method: bind
# %u is the name the user typed at the svn prompt
ldap_filter: sAMAccountName=%u
# Used by ldap_auth_method: custom, not by bind; kept as in the working config
ldap_password_attr: userPassword
ldap_timeout: 10
# Cache tuning
ldap_cache_ttl: 30
ldap_cache_mem: 32768
#EOF
#########################################################################

Next, configure saslauthd to use LDAP as its only mechanism.  Edit the existing file /etc/sysconfig/saslauthd (if the file is not there, SASL is not installed on your server).  On other distros this file may be /etc/default/saslauthd.  Only one line to change:

MECHANISMS="ldap"
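The configuration steps above, collected into one script, as an added example that is not part of the original post: it writes svnserve.conf with the keys in the right sections, a minimal authz file, the per-application svn.conf, and a saslauthd.conf that is owner-only from the moment it is created, then checks the two mistakes that most often break this setup (use-sasl outside the [sasl] section, and a bind password readable by everyone). The ldaps:// host dc1.domain.local, the svc_svn bind account, the CA file path and the group names are placeholders; the ldap_tls_check_peer and ldap_tls_cacert_file option names are taken from saslauthd's LDAP_SASLAUTHD documentation and are an assumption on my part, not something the post used. Run with DEMO=1 to write everything under a scratch directory; nothing touches /etc.

```shell
#!/bin/bash
# Added example, not the original post's code: write the configuration files
# from the steps above with the permissions they need, then check the result.
# Paths follow the CentOS layout used in the post; the repository path, AD
# host, bind account, CA file and group names are placeholders.
set -eu

# write_svnserve_conf <repo_dir>: svnserve.conf for the repository. use-sasl
# and min-encryption only take effect inside the [sasl] section, where the
# stock file ships them commented out.
write_svnserve_conf() {
  local repo="$1"
  mkdir -p "$repo/conf"
  cat > "$repo/conf/svnserve.conf" <<'EOF'
[general]
anon-access = none
auth-access = write
authz-db = authz

[sasl]
use-sasl = true
# PLAIN carries no encryption layer; a minimum above 0 would refuse it.
min-encryption = 0
EOF
}

# write_authz <repo_dir> <group> <user...>: path-based rules. Names must be the
# sAMAccountName the user types at the prompt, since that is what saslauthd
# matches with ldap_filter: sAMAccountName=%u.
write_authz() {
  local repo="$1" group="$2" members
  shift 2
  members=$(printf '%s, ' "$@")
  members=${members%, }
  cat > "$repo/conf/authz" <<EOF
[groups]
$group = $members

[/]
* =
@$group = rw
EOF
}

# write_sasl_app_conf <dir>: the per-application SASL file. svnserve registers
# with SASL as service "svn", so the file has to be <dir>/svn.conf.
write_sasl_app_conf() {
  mkdir -p "$1"
  printf 'pwcheck_method: saslauthd\nmech_list: PLAIN\n' > "$1/svn.conf"
}

# write_saslauthd_conf <file> <ldap_uri> <search_base> <bind_dn> <bind_pw> [ca_file]
# Holds the bind password, so it is created under umask 077 (mode 0600) and
# chmod'ed again in case the file already existed. With an ldaps:// URI plus
# a CA file the bind to AD is encrypted and the DC certificate is verified
# (ldap_tls_* option names as documented for saslauthd; assumed here).
write_saslauthd_conf() {
  local file="$1" uri="$2" base="$3" dn="$4" pw="$5" ca="${6:-}"
  (
    umask 077
    {
      printf 'ldap_servers: %s\n' "$uri"
      printf 'ldap_search_base: %s\n' "$base"
      printf 'ldap_bind_dn: %s\n' "$dn"
      printf 'ldap_bind_pw: %s\n' "$pw"
      printf 'ldap_version: 3\nldap_scope: sub\nldap_deref: never\n'
      printf 'ldap_auth_method: bind\nldap_filter: sAMAccountName=%%u\n'
      printf 'ldap_timeout: 10\n'
      if [ -n "$ca" ]; then
        printf 'ldap_tls_check_peer: yes\nldap_tls_cacert_file: %s\n' "$ca"
      fi
    } > "$file"
  )
  chmod 0600 "$file"
}

# sasl_enabled <repo_dir>: succeed only if "use-sasl = true" sits under [sasl].
sasl_enabled() {
  awk '/^\[/ { sect = $0 }
       sect == "[sasl]" && $1 == "use-sasl" && $3 == "true" { ok = 1 }
       END { exit !ok }' "$1/conf/svnserve.conf"
}

# bind_pw_private <file>: succeed only if nobody but the owner can read the
# file that holds ldap_bind_pw.
bind_pw_private() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Demo against a scratch directory (never touches /etc): run with DEMO=1.
if [ "${DEMO:-0}" = 1 ]; then
  scratch=$(mktemp -d)
  write_svnserve_conf "$scratch/svn"
  write_authz "$scratch/svn" developers jdoe asmith
  write_sasl_app_conf "$scratch/sasl2"
  write_saslauthd_conf "$scratch/saslauthd.conf" ldaps://dc1.domain.local \
    'DC=domain,DC=local' 'svc_svn@domain.local' 'change-me' /etc/pki/tls/certs/ad-ca.pem
  sasl_enabled "$scratch/svn" && bind_pw_private "$scratch/saslauthd.conf" \
    && echo "configuration written under $scratch"
fi
```

To use it on the real box, call the write_* functions as root with /path_to_repo/svn, /etc/sasl2 and /etc/saslauthd.conf as the targets, then restart saslauthd; keep the ldap:// form of the URI (no CA argument) until the clear-text version authenticates, and switch to ldaps:// afterwards.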

Let's test it.  Start the saslauthd service on the server:

# /etc/init.d/saslauthd start

# testsaslauthd -u 'a user in the AD tree' -p 'the password for that user'

The password on that command line ends up in your shell history and is visible to anyone who can list processes while it runs, so test with a throwaway account rather than your own.  If that part is working, you should get the following message:

0: OK "Success."

If not, then you have a problem!  Make sure that saslauthd is running and reading /etc/saslauthd.conf.  saslauthd logs through syslog, so on CentOS its messages end up in /var/log/messages.
You can run # tail -f /var/log/messages in another session to watch live what saslauthd is doing.
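While you are watching /var/log/messages, the failure lines saslauthd writes are what to look for. The following script is an added example (not from the original post) that pulls saslauthd's auth failure lines out of a syslog file, counts failures per user and per reason, and flags accounts with repeated failures, which is also the first thing to check later if someone starts guessing passwords through the svn:// port. The lines in write_sample_log are constructed to follow the shape of saslauthd's "do_auth : auth failure: [user=...] [service=...] [realm=...] [mech=...] [reason=...]" record; the host name, PIDs, user names and timestamps are made up, so compare the pattern with a real line from your own log before relying on it.

```shell
#!/bin/bash
# Added example, not from the original post: triage saslauthd's messages in
# /var/log/messages. Only lines emitted by saslauthd are considered, so
# unrelated "auth failure" text from other daemons is not counted.
set -eu

# saslauthd_failures <logfile>: the raw saslauthd "auth failure" lines.
saslauthd_failures() {
  grep 'saslauthd\[[0-9]*\]: .*auth failure:' "$1" || true
}

# failed_by_user <logfile>: "<count> <user>" per user, most failures first.
failed_by_user() {
  saslauthd_failures "$1" \
    | sed -n 's/.*\[user=\([^]]*\)\].*/\1/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# failure_reasons <logfile>: "<count> <reason>" per [reason=...] value, so a
# broken bind DN or search base can be told apart from plain bad passwords.
failure_reasons() {
  saslauthd_failures "$1" \
    | sed -n 's/.*\[reason=\([^]]*\)\].*/\1/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# flag_repeated_failures <logfile> <threshold>: users with at least
# <threshold> failures, one per line; the thing to alert on once the
# svn:// port is reachable from a wider network.
flag_repeated_failures() {
  failed_by_user "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# write_sample_log <file>: constructed syslog lines for the demo, shaped like
# saslauthd's failure records. Host, PIDs, names and times are made up; the
# svnserve line shows that non-saslauthd text is ignored.
write_sample_log() {
  cat > "$1" <<'EOF'
Oct  3 10:00:01 svnhost saslauthd[1234]: do_auth         : auth failure: [user=jdoe] [service=svn] [realm=] [mech=ldap] [reason=Unknown]
Oct  3 10:00:02 svnhost saslauthd[1234]: do_auth         : auth failure: [user=jdoe] [service=svn] [realm=] [mech=ldap] [reason=Unknown]
Oct  3 10:00:03 svnhost saslauthd[1234]: do_auth         : auth failure: [user=jdoe] [service=svn] [realm=] [mech=ldap] [reason=Unknown]
Oct  3 10:00:09 svnhost saslauthd[1234]: do_auth         : auth failure: [user=asmith] [service=svn] [realm=] [mech=ldap] [reason=Unknown]
Oct  3 10:00:15 svnhost svnserve[2222]: unrelated line that also says auth failure: [user=ignored]
Oct  3 10:00:20 svnhost saslauthd[1234]: do_auth         : auth failure: [user=svc_build] [service=svn] [realm=] [mech=ldap] [reason=Bind failed]
EOF
}

# Demo: run with DEMO=1 to analyse the constructed log instead of /var/log/messages.
if [ "${DEMO:-0}" = 1 ]; then
  sample=$(mktemp)
  write_sample_log "$sample"
  echo "failures per user:";    failed_by_user "$sample"
  echo "failures per reason:";  failure_reasons "$sample"
  echo "3 or more failures:";   flag_repeated_failures "$sample" 3
  rm -f "$sample"
fi
```

Against the real file, `failed_by_user /var/log/messages` is enough to see whether a "0: NO" from testsaslauthd is one user's typo or every user failing with the same reason, which points at the bind account, search base or filter rather than at the password.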

Now start svnserve with the following command:

# svnserve -d --config-file /path_to_repo/svn/conf/svnserve.conf --root /path_to_repo/svn --log-file /var/log/svn.log

This tells svnserve to start as a daemon (-d) using the config file you edited earlier (--config-file), to serve the repository you created (--root, which is also where the path in the svn:// URL starts) and to write a log (--log-file) so we can see what is going on with SVN.  I just love log files!  svnserve does not need root: on a production box run it as a dedicated unprivileged user that owns /path_to_repo/svn, so a bug in svnserve cannot hand out root.

Now if everything is good, you should be able to reach your repo at svn://servername/ (the path after the host is relative to --root).  You will be prompted for a username and password.
Try an account from the AD!  If you have a firewall enabled on your Linux server, add an exception for the svn protocol, TCP port 3690, rather than turning the firewall off.

Now wait a minute: saslauthd and svnserve won't start automatically when the server boots.  Let's configure that too.  For saslauthd the init script already exists; we just need to enable it.  Under CentOS/Red Hat run the following 2 commands (on other distros it may differ):

# chkconfig --add saslauthd

# chkconfig --level 345 saslauthd on

For Subversion no init script exists, so we need to create it, modify it and then enable it.  I found a script that does this on this blog:

http://blog.webramz.com/tag/subversion-autostart/

Create the empty file for the script with this command: # touch /etc/rc.d/init.d/subversion

Just follow the instructions in the blog and paste in the Subversion script; you only need to change one line, OPTIONS=.  My configuration for that line is:
OPTIONS="--config-file /path_to_repo/svn/conf/svnserve.conf --root /path_to_repo/svn --log-file /var/log/svn.log"
Notice that the -d daemon option is added further down in the script, so there is no need to put it on the OPTIONS line.  Once the script has been created, register it for autostart: # chkconfig --add subversion

Put the proper permissions on it: # chmod 0750 /etc/init.d/subversion

And then activate it!

# chkconfig --level 345 subversion on

That’s it!

Update: if you are managing multiple repositories, I strongly suggest you take a look at my new post: Centralizing and simplifying your SVN administration

Author: DGhost

System Administrator and consultant for more than 14 years. I've used computers since I was a kid. I've specialized in networking, servers and the inner workings of the Internet. My blog is meant as a personal point of view on some technologies, the web, science and the Internet in general. If you are wondering why this website is in French and English, that's because I'm a French Canadian who also speaks English and sometimes, when I'm drunk, dabbles in Spanish.
