Subversion with AD Auth is the holy grail for many Microsoft-based organizations. However, the setup can be a bit tricky and there aren’t a lot of good walk-throughs out there. This post guides you through the process of installing Subversion and configuring AD authentication on a Windows 2003 server.
This post is NOT specific to – it applies to any Subversion installation using Apache.
Getting Ready
Before we start, you’ll need to make sure you have all required software installed. You will need Subversion 1.5 or greater and Apache installed. I recommend downloading the package for Windows. Not only does it include all prerequisites for this walk-through, but the installer also sets up Apache to run as a Windows service for you.
Configuring Apache
Once you have Subversion and Apache installed, you’ll need to configure Apache to work with Subversion. However, the first step is to ensure Apache will start on its own with no configuration changes.
- Open your Services management console
- Locate the Apache service (Apache2.2 for example)
- Start the service. If there is a problem, you will get a warning or error message.
One common error on a new installation is when Apache conflicts with IIS. If you see an error message about no listening sockets available, that probably means that IIS is already running a website on the default port 80. You can either change Apache to run on a different port (by editing the httpd.conf file), or stop the default website in IIS.
Once you have Apache running on its own, it’s time to configure Subversion.
- Open the httpd.conf file (mine is located at C:\Program Files\CollabNet Subversion Server\httpd\conf\httpd.conf).
- Locate the Dynamic Shared Object (DSO) Support section. This should have a bunch of lines that begin with “LoadModule …”
- At the bottom of the existing LoadModule lines, add the following three lines:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_svn_module modules/mod_authz_svn.so
- Next, locate the <Location> tag for the path where your repositories will be accessible. By default with the CollabNet install this will be /svn, in which case you would look for <Location /svn>. If you configured a different path, substitute that path for /svn. It should look something like this:
<Location /svn>
DAV svn
SVNParentPath C:/svn_repository
</Location>
The SVNParentPath should be the full path to the directory where you will store your repositories. In this case, all repositories will be located at C:\svn_repository\<my_repo>.
- Add the following settings to this Location tag:
SVNListParentPath On
Set this to On if you are hosting multiple repositories and want Apache to display a list of repositories.
AuthzSVNAccessFile C:/svn_repository/access.txt
This is the full path to the file which will control access (we’ll create that next).
AuthzLDAPAuthoritative off
If on, this prevents another auth provider from handling authentication if LDAP authentication fails.
AuthType Basic
Specifies basic auth. You can change this to Digest or a different auth type if you like.
AuthBasicProvider ldap
Specifies that the LDAP provider will be used for authentication.
AuthName "your.domain"
This specifies the realm for authentication. For simplicity, just set this to the fully qualified name of your domain.
AuthLDAPBindDN "CN=SomeAccount,CN=Users,DC=your,DC=domain"
This needs to be the fully qualified account name of an account that has read access to your domain.
AuthLDAPBindPassword "password"
This should be the password for the account specified in AuthLDAPBindDN.
AuthLDAPURL "ldap://your.domain/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
This will be used to locate users in your domain. Everything to the left of the first question mark should be the LDAP path where your users are located. To the right of the first question mark is the user property that will be used as the username. Typically you will use “sAMAccountName”, but if you wanted to have users use their email address as their username, you could use “mail” instead. Leave the rest of the path unchanged.
Require valid-user
Specifies that a valid user account is required.
- Once you are done, the entire <Location /svn> section should look like this:
<Location /svn>
DAV svn
SVNParentPath C:/svn_repository
SVNListParentPath On
AuthzSVNAccessFile C:/svn_repository/access.txt
AuthzLDAPAuthoritative off
AuthType Basic
AuthBasicProvider ldap
AuthName "your.domain"
AuthLDAPBindDN "CN=account,CN=Users,DC=your,DC=domain"
AuthLDAPBindPassword "password"
AuthLDAPURL "ldap://your.domain/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
Require valid-user
</Location>
- Next, restart the Apache service in your Services management console. If you get an error, check the event log and double check the settings above. If you don’t receive any errors, move on to the next section.
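The AuthLDAPURL layout described above, as an added example that is not part of the original post or of Apache's code: it splits the URL into host, base DN, attribute, scope and filter, then builds the per-login search in the (&(filter)(attribute=username)) form documented for mod_authnz_ldap. The function names and the SVN-Users group DN are assumptions made for illustration, and the RFC 4515 escaping of the username is this example's own choice.

```python
# Added example, not Apache's code: models the AuthLDAPURL layout from this post.

# RFC 4515: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    """Escape a user-supplied string so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_auth_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into a dict."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("expected an ldap:// or ldaps:// URL")
    hostport, _, tail = rest.partition("/")
    fields = tail.split("?", 3)
    fields += [""] * (4 - len(fields))
    return {
        "scheme": scheme,
        "host": hostport,
        "base_dn": fields[0],
        # Defaults documented for mod_authnz_ldap when a field is left empty.
        "attribute": fields[1] or "uid",
        "scope": fields[2] or "sub",
        "filter": fields[3] or "(objectClass=*)",
        # ldap:// is unencrypted unless STARTTLS is configured separately.
        "cleartext": scheme == "ldap",
    }

def login_filter(parsed, username):
    """Build the search run at login: (&(filter)(attribute=username))."""
    base = parsed["filter"]
    if not base.startswith("("):
        base = "(" + base + ")"
    return "(&%s(%s=%s))" % (base, parsed["attribute"], escape_filter_value(username))

# Constructed sample values; the group DN below is hypothetical.
POST_URL = "ldap://your.domain/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
GROUP_URL = ("ldaps://your.domain/DC=your,DC=domain?sAMAccountName?sub?"
             "(&(objectClass=user)(memberOf=CN=SVN-Users,CN=Users,DC=your,DC=domain))")

if __name__ == "__main__":
    for url in (POST_URL, GROUP_URL):
        p = parse_auth_ldap_url(url)
        print(p["host"], p["base_dn"], "cleartext" if p["cleartext"] else "TLS")
        print("  ", login_filter(p, "user1"))
```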
Setting up Access
The final step is to set up access for your repositories. Create a new file called “access.txt” at the same path you specified for the AuthzSVNAccessFile setting in the httpd.conf file. In this walk-through that is the directory where your repositories are located, but it doesn’t have to be; the file can be anywhere.
For each repository, create an entry like the following:
[myrepo:/]
user1 = rw
user2 = rw
user3 = r
I won’t go into the format of this file because you can find . However, the important thing to understand is that the username you use will be based on the property specified in the AuthLDAPURL setting in your httpd.conf. For example, if you specified sAMAccountName, you will enter the account name (without the domain portion). If you specified mail, you would enter the email address.
Save the access.txt file.
That’s it. You can now try checking out a repository by running the following command:
svn co http://localhost/svn/myrepo

30 Comments to 'Configuring Subversion with Active Directory Authentication'
March 1, 2009
You can avoid the plaintext password and the LDAP query URL weirdness by using mod_auth_sspi from to authenticate against ActiveDirectory. The configuration with mod_auth_sspi is much shorter and easier to understand and provides some neat features like NTLM for transparent single sign-on if the client software (like Internet Explorer) supports it.
I have a straight-forward guide that covers every step from a bare Windows server install up to a fully functional Subversion server with ActiveDirectory and SSL at on my blog.
August 7, 2009
Hi, does this Subversion need to be installed on the DC to integrate with Active Directory?
August 7, 2009
No, it can be on any server in your network as long as that server has the ability to query your AD controller for auth data (which every server in your network should have).
August 10, 2009
Thank you Glen C
August 12, 2009
Hi, I have followed the above steps. How can I check whether it’s working or not? I have two Apache services: 1. Apache 2.2 and 2. Collabnet Subversion Apache. The Apache 2.2 service is running; the other one won’t work. I have followed the above steps.
September 3, 2009
Great guide! Did help me out a lot, thanks for that!
December 14, 2009
Jonathan,
Collabnet installs its own version of Apache, in an entirely different place, with its own config, binaries, etc. and everything. To make your life simpler, remove the base Apache install, which will better help you find the other files (in /etc/opt/CollabNet_Subversion/conf/).
January 19, 2010
Hello, I have a problem when I create the file access.txt. When I authenticate with AD and do not use the access.txt file, it shows me the contents of my repository, but when I use the file it does not show anything; it is like it returns error values. Can anyone help me with my problem? I don’t know what to do! Thanks for helping me!
January 22, 2010
Your information has really proven to be helpful. I really enjoy reading easy articles leading straight to the point.
Thanks a lot.
June 10, 2010
SSPI is very simple, but it’s old fashioned, what we need is to be able to provide users with a seamless login through LDAP AD particularly in the form user@domain.
July 21, 2010
Can you provide guidance on how to specify Active Directory groups in access.txt and provide permissions for groups instead of users?
July 21, 2010
I don’t believe it is possible to use AD groups that way. In Sublime 1.2 we will have a method to use AD groups for authentication, but I don’t think it’s possible otherwise.
August 3, 2010
I need some help. I have followed the instruction. Only when I try to login, I have a Forbidden error message – You don’t have permission to access /svn on this server.
Even if I change access.txt to
[/]
* = r
Any help will be gladly appreciated. Thank you.
August 4, 2010
Rac – would you mind posting your httpd.conf – or at least the section pertaining to Subversion?
August 4, 2010
Hi glenc,
This is my httpd.conf
..
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_svn_module modules/mod_authz_svn.so
..
DAV svn
SVNParentPath C:/svn
SVNListParentPath On
AuthzSVNAccessFile C:/svn/access.txt
AuthzLDAPAuthoritative off
AuthType Basic
AuthBasicProvider ldap
AuthName "ad.lab.net"
AuthLDAPBindDN "CN=Administrator,CN=Users,DC=lab,DC=net"
AuthLDAPBindPassword "letmein123!"
AuthLDAPURL "ldap://lab.net:389/DC=lab,DC=net?sAMAccountName?sub?(objectClass=*)"
Require valid-user
C:\svn\access.txt has
[/]
Administrator = rw
It is a Windows 2008 R2 server with Active Directory installed. Firewall is off.
When I run LDP.EXE on ad.lab.net:389, I got the following:
ld=ldap_open(“ad.lab.net”,389);
Established connection to ad.lab.net.
Retrieving base DSA information…
Getting 1 entries.
So I think connecting to LDAP is OK.
Any idea what I have done wrong? Thank you.
August 5, 2010
Hi Glenc,
In LDP.EXE, I discover that when I do a bind using the integrated user, it’s fine. But when I use a simple login with username and password, it does not allow a bind.
It’s a standard Windows 2008 with just the Administrator as user.
Is this correct:
AuthLDAPBindDN “CN=Administrator,CN=Users,DC=lab,DC=net”
Do I need to specify the LAB domain?
Thank you.
August 8, 2010
A little more progress…the current error is:
Can’t access C:\svn\access.txt
But why? The security is set up for Everyone. Any hint will be much appreciated.
August 9, 2010
Check which account is running the apache service and grant access to that account explicitly. See if that helps.
August 15, 2010
Thank you glenc for your help. I have finally got it resolved. The problem was that the file was named access.txt and, because the OS hides the extension, it was actually access.txt.txt.
August 18, 2010
Heartfelt Thanks for this great article….
August 23, 2010
Hi Glenc
It’s working great except that any Active Directory user can access everything. I’d like to be able to limit SVN repos by user or group. Please help me to do this.
Thanks,
Rajesh.
August 24, 2010
Hi Rajesh,
This can be done by modifying your authz access file (the AuthzSVNAccessFile property in your configuration).
Full documentation for this file can be found here:
Glen
August 27, 2010
Hi Glenc
Thanks a lot for your great support. Again I need help.
I am accessing the SVN repository () via Apache with Active Directory authentication, so I think AuthzSVNAccessFile is not required (my configuration). Now everyone in Active Directory can access the repository. I need only particular Active Directory groups to have access.
Please don’t mind and consider this…
Thanks a lot…
Rajesh
August 30, 2010
Hi Rajesh,
You should be able to accomplish that by changing your user LDAP filter. You can require that users be in a specific group in order to be a valid user. Here’s an example:
(&(objectClass=user)(memberOf=cn=My_Group,DC=my,DC=domain,DC=local))
September 14, 2010
Hi Glenc
Thanks a lot for your Great Support.
I have completed my task successfully (Subversion + Apache + Windows Active Directory authentication).
Thanks,
Rajesh.
October 7, 2010
Hi Glenc,
I noticed that this blog is really helping folks!!!!
I really appreciate it.
I’m facing issues with configuring SVN with LDAP.
SVN Version: 1.6.6
Apache version: 2.2
Using Tortoise client to access the repo.
I’ve copied the “mod_authz_svn.so” and “mod_dav_svn.so” from svn to modules dir of the apache.
Apache starts normally without any trouble.
Below is my configuration file.
DAV svn
SVNParentPath d:/repos
SVNListParentPath On
AuthzSVNAccessFile D:/repos/access.txt
AuthzLDAPAuthoritative off
AuthType Basic
AuthBasicProvider ldap
AuthName "ou.org"
#AuthLDAPBindDN "CN=TROPHY,CN=Users,DC=vw,DC=vwg"
AuthLDAPBindDN "DOMAIN\TROPHY"
AuthLDAPBindPassword "*****"
AuthLDAPURL ldap://OU.ORG:389/CN=Users,DC=OU,DC=ORG?sAMAccountName?sub?(objectClass=Users)
Require valid-user
</LocatioN
Error:200 OK
If I replace the "/svn" from the location path, I don't see the above error, but I was unable to authenticate to the server. I notice that the login prompt pops up every time I give the credentials.
I'm using the below link to access the repo from TORTOISE SVN.
I'm badly in need of help. I'm working on this for days, yet no luck.
Please do help me.
Thx,
Reeva…
August 23, 2011
Hi Glenc,
We use SVN 2.0.8 with basic authentication and now we want to implement LDAP authentication for it, and we use IIS to access it.
My question is: do I need to re-install the whole application to get the LDAP authentication?
Please help.
Rajni
December 7, 2011
Hi Glenc,
This string is working but takes too much time to resolve the query:
(&(objectClass=user)(memberOf=cn=My_Group,DC=my,DC=domain,DC=local))
Please help.
December 7, 2011
I was using this string which was working very quickly for authentication
“ldap://10.36.53.14:389/OU=MW,OU=IT,OU=NewMedia,OU=Users,DC=local,DC=in?sAMAccountName?sub?(objectClass=*)”
***********************************************
Now I’m using this string
“ldap://10.36.53.14:389/DC=local,DC=in?sAMAccountName?sub?(objectClass=user)(memberOf=CN=SVN-Access,OU=System Groups,DC=local,DC=in)”
December 24, 2011
I have configured the server, but I have an issue with the author of commits and changes.
There is no log from the author on SVN server?