I'm trying to replace htaccess passwords with LDAP for an SVN deployment. I have 2 Apache virtual hosts that point to the same SVN repository using different hostnames. https://svn.dev.example.com works properly: upon authenticating, I see the SVN repository tree. https://svn.test.example.com successfully authenticates via LDAP; however, I get a filesystem directory listing with "Collection of Repositories" above it.
I've never used SVN before, but I am trying to migrate a legacy repository onto a new server and did as much research as I could. It appears to me that the root location loads before LDAP completes authentication (by observing the debug logs).
I'm not entirely sure how to fix this; I've tinkered a bit with redirects to no avail. I'd prefer to use the / of the URL, as we only have 1 repo, if at all possible. Below are my full configurations for my lab (sanitized):
The following virtual host works as expected using htaccess/svnaccess for credentials and authorization:
[root@svntest conf.d]# cat svn.dev.example.com.conf
<VirtualHost *:80>
ServerName svn.dev.example.com
ServerAdmin webmaster@localhost
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:443>
ServerName svn.dev.example.com
ServerAdmin webmaster@localhost
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/svn.dev.example.com.pem
SSLCertificateKeyFile /etc/pki/tls/private/svn.dev.example.com.key
<Location />
AuthType Basic
AuthName "test Subversion Repository"
AuthUserFile "/etc/httpd/conf.d/svnpass"
AuthBasicProvider file
Require valid-user
DAV svn
SVNPath "/srv/svn"
SVNReposName "test Subversion Repository"
SVNPathAuthz short_circuit
AuthzSVNAccessFile "/etc/httpd/conf.d/svnaccess"
<IfModule deflate_module>
SetOutputFilter DEFLATE
</IfModule>
<LimitExcept GET PROPFIND OPTIONS REPORT>
SSLRequireSSL
AuthType Basic
AuthName "Authorization Realm"
AuthUserFile "/etc/httpd/conf.d/svnpass"
Require valid-user
</LimitExcept>
</Location>
</VirtualHost>
I created 2 files to support LDAP configuration in addition to the virtual host file:
ldap.conf, where I use AuthnProviderAlias & AuthzProviderAlias to configure LDAP (there will be multiple <Location> tags in the final configuration, and this gives me one spot to manage LDAP DNs).
svn-ldap-groups.conf, which contains Macros that will associate RO/RW permissions with groups in a single place and permit me to reference those "policies" multiple times.
[root@lab conf.d]# cat ldap.conf
<AuthnProviderAlias ldap example-ad>
AuthLDAPURL "ldaps://ad.win.example.com/dc=win,dc=example,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"
AuthLDAPBindDN "CN=svnpass,OU=users,OU=example,DC=win,DC=example,DC=com"
AuthLDAPBindPassword "svnpassword"
AuthLDAPGroupAttributeIsDN on
</AuthnProviderAlias>
<AuthzProviderAlias ldap-group group1 "CN=Dev group 1,OU=groups,OU=example,DC=win,DC=example,DC=com">
AuthLDAPURL "ldaps://ad.win.example.com/dc=win,dc=example,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"
AuthLDAPBindDN "CN=svnpass,OU=users,OU=example,DC=win,DC=example,DC=com"
AuthLDAPBindPassword "svnpassword"
AuthLDAPMaxSubGroupDepth 0
AuthLDAPSubGroupAttribute member
AuthLDAPSubGroupClass group
</AuthzProviderAlias>
<AuthzProviderAlias ldap-group group2 "cn=Dev group 2,groups,ou=example,dc=win,dc=example,dc=com">
AuthLDAPURL "ldaps://ad.win.example.com/dc=win,dc=example,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"
AuthLDAPBindDN "CN=svnpass,OU=users,OU=example,DC=win,DC=example,DC=com"
AuthLDAPBindPassword "svnpassword"
AuthLDAPMaxSubGroupDepth 0
AuthLDAPSubGroupAttribute member
AuthLDAPSubGroupClass group
</AuthzProviderAlias>
<AuthzProviderAlias ldap-group group3 "cn=Dev group 3,groups,ou=example,dc=win,dc=example,dc=com">
AuthLDAPURL "ldaps://ad.win.example.com/dc=win,dc=example,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"
AuthLDAPBindDN "CN=svnpass,OU=users,OU=example,DC=win,DC=example,DC=com"
AuthLDAPBindPassword "svnpassword"
AuthLDAPMaxSubGroupDepth 0
AuthLDAPSubGroupAttribute member
AuthLDAPSubGroupClass group
</AuthzProviderAlias>
[root@lab conf.d]# cat svn-ldap-groups.conf
<Macro SVNDefault>
<RequireAll>
Require valid-user
<Limit HEAD GET OPTIONS PROPFIND REPORT>
<RequireAny>
# Read access
Require group1
Require group2
</RequireAny>
</Limit>
<LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
<RequireAny>
# Write access
Require group3
</RequireAny>
</LimitExcept>
</RequireAll>
</Macro>
<Macro SVNTestRW>
<RequireAll>
Require valid-user
<Limit HEAD GET OPTIONS PROPFIND REPORT>
<RequireAny>
# Read access
Require group1
</RequireAny>
</Limit>
<LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
<RequireAny>
# Write access
Require group2
Require group3
</RequireAny>
</LimitExcept>
</RequireAll>
</Macro>
[root@lab conf.d]# cat svn.test.example.com.conf
<VirtualHost *:80>
ServerName svn.test.example.com
ServerAdmin webmaster@localhost
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:443>
ServerName svn.test.example.com
ServerAdmin webmaster@localhost
SSLCertificateFile /etc/pki/tls/certs/svn.test.example.com.pem
SSLCertificateKeyFile /etc/pki/tls/private/svn.test.example.com.key
LogLevel debug
CustomLog logs/svn common
<Location />
DAV svn
SVNParentPath "/srv/svn"
SVNReposName "example Subversion Repository"
SVNListParentPath On
SVNPathAuthz short_circuit
AuthType Basic
AuthName "SVN"
AuthBasicProvider example-ad
# LDAP Group Policy
Use SVNDefault
</Location>
</VirtualHost>
Any help on this would be greatly appreciated.
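Added example, not part of the original post: apart from authentication, the two `<Location />` blocks above differ in `SVNPath` versus `SVNParentPath` with `SVNListParentPath On`, and mod_dav_svn serves the "Collection of Repositories" listing only in the second mode. The sketch below audits vhost text for that difference; `audit_svn_locations` and `SAMPLE` are hypothetical names, the input is constructed from the post's directives, and it assumes `ServerName` precedes `<Location>` as in the files shown.

```python
import re

# Constructed input: the post's two vhosts, trimmed to the mod_dav_svn lines.
SAMPLE = """
<VirtualHost *:443>
ServerName svn.dev.example.com
<Location />
DAV svn
SVNPath "/srv/svn"
</Location>
</VirtualHost>
<VirtualHost *:443>
ServerName svn.test.example.com
<Location />
DAV svn
SVNParentPath "/srv/svn"
SVNListParentPath On
</Location>
</VirtualHost>
"""

def audit_svn_locations(conf_text):
    """Return one finding per <Location> block that enables DAV svn."""
    findings, server, loc = [], None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(/?)(\w+)\s*(.*?)>$", line)
        if not m:  # plain directive: remember it under its lowercased name
            name, _, value = line.partition(" ")
            if name.lower() == "servername":
                server = value.strip()
            elif loc is not None:
                loc[name.lower()] = value.strip().strip('"')
        elif m.group(2).lower() == "virtualhost":
            server = None  # entering or leaving a vhost resets the name
        elif m.group(2).lower() == "location" and not m.group(1):
            loc = {"location": m.group(3)}
        elif m.group(2).lower() == "location" and loc is not None:
            if loc.get("dav", "").lower() == "svn":
                mode = "parent" if "svnparentpath" in loc else "single"
                listing = (mode == "parent" and
                           loc.get("svnlistparentpath", "").lower() == "on")
                findings.append({"server": server, "location": loc["location"],
                                 "mode": mode, "lists_repos": listing})
            loc = None
    return findings
```

A finding with `lists_repos` set to true marks a location whose root URL returns the repository collection index rather than a repository tree.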