Sublime Subversion

Tag: Authentication

We’re a bit behind releasing 1.2.  We had hoped to release in July and we may still, but if we don’t make it before the end of this week we’ll definitely have it ready to go by August 6th.  In the meantime, here’s another preview into the new features in 1.2.

Those of you using LDAP / Active Directory for authentication will be pleased to know that with 1.2 it will be possible to use AD groups for permission management.  This is accomplished by creating an “LDAP Group” and entering the name of the group in your LDAP directory.  For example, if you wanted to add “Domain Users”, you would simply create a new LDAP group in Sublime named “Domain Users”.  The group membership will be automatically populated based on the users in the Domain Users Active Directory group.  Sublime will then keep this membership up to date automatically.  So whenever you add new users to the group in Active Directory, those additions will be automatically picked up by Sublime.

Sublime is also smart enough to only give access to users you want using Sublime in the first place.  For example, if you have configured Sublime to exclude all users except those in a given OU, Sublime will respect those rules when pulling in users from your AD groups.  So even if a user exists in that group, if they aren’t in the OU you specified they won’t be granted access to Sublime or Subversion.

That’s it for this post.  Next time we’ll talk about the new user dashboard and user RSS feeds – promise!

This is the first post in a series on what’s new in Sublime 1.2. Version 1.2 will be released next month but we’re so excited about the new features that we wanted to get the word out now.

First up: Path-based permissions.

This feature has been requested for some time and is finally making its way into Sublime. In 1.2 a repository owner will be able to define unique permissions at different paths within a repository. A common scenario may be to allow all developers read/write access to the trunk, but then lock down the branches or tags folders to lead developers or release managers.

Below, we can see the updated Permission Management interface in Sublime 1.2. On the left we see the repository structure, and the red icon overlay indicates that a folder has unique permissions applied. Clicking on that folder, we can see and then manage permissions for that level in the repository.

Assigning path-based permissions in Sublime

If you make a mistake and would like to remove all unique permissions you can simply click the “Remove these permissions” link in the highlighted area to the right.

Well that’s it for this update. For our next Sublime 1.2 Preview article we will discuss the new personalized Dashboard.

I am happy to announce the release of version 0.6.0 of Sublime. This release marks the first version of Sublime to support Active Directory authentication. Servers configured with Apache to support AD or LDAP authentication can now use Sublime to manage permissions, create repositories, schedule automated backups, and use all of Sublime’s core features. For more details, please see the Security Configuration section of the Administrator Guide. It is also recommended to review the Configuring Sublime with Apache guide to ensure your Apache configuration will be compatible with Sublime.

Go ahead and grab version 0.6.0 from the Sublime Downloads page.

Users upgrading from 0.5.x should read the Upgrade Instructions before installing.


New Features:

  • Sublime now supports Active Directory / LDAP authentication in both the Sublime web interface and repository permissions. Servers must have Apache installed and configured for AD auth to use this new functionality. Additional details are available at http://sublimesvn.com/documentation/administrator-guide/configuring-sublime-with-apache.html
  • Repository detail page displays a command for checking out a repository. This command along with the repository URL can be copied to the clipboard.
  • Better support for Subversion packages other than SlikSVN and Tigris.org releases.

Bug Fixes:

  • Changing password now requires user to enter their current password in addition to a new password.
  • Fixed issues with Installer on Vista not adding accounts to the correct security groups.
  • Installer now installs Subversion to the correct Program Files folder on 64 bit systems.
  • Installer enables ASP.NET 2.0 in IIS if it is not already enabled.
  • Backup page no longer pre-populates backup account password for new servers.

Update on Version 0.6 Progress

We are creeping up on the release of version 0.6 of Sublime. Version 0.6 will be the first version to support Apache-based Active Directory / LDAP authentication. This version will work seamlessly with the Collabnet Subversion Server install which includes Apache and all of the required modules. We’re in final bugfix and testing mode right now and I expect to have a release posted to the website by mid-next week.

We are still working on Active Directory authentication which doesn’t require Apache – but this is a bit further out. It may make it into Version 1.0 of the product, but probably won’t be available before then.

The next release of Sublime will include support for Active Directory authentication using Apache. This will be an optional feature for companies who may have existing Subversion installations configured with AD/LDAP authentication using Apache. The Sublime web interface will also use AD authentication in this configuration, allowing users to log in with their standard Windows account rather than a separate Subversion username and password.

Active Directory authentication is an important feature for Microsoft-based environments. This is the first step toward providing robust AD support throughout Sublime.

Subversion with AD Auth is the holy grail for many Microsoft-based organizations.  However, the setup can be a bit tricky and there aren’t a lot of good walk-throughs out there.  This post guides you through the process of installing Subversion and configuring AD authentication on a Windows 2003 server.

This post is NOT specific to Sublime – it applies to any Subversion installation using Apache.

Getting Ready

Before we start, you’ll need to make sure you have all required software installed.  You will need Subversion 1.5 or greater and Apache installed.  I recommend downloading the Collabnet Subversion Client and Server package for Windows.  Not only does it include all prerequisites for this walk-through, but the installer sets up Apache to run as a Windows service for you.

Configuring Apache

Once you have Subversion and Apache installed, you’ll need to configure Apache to work with Subversion.  However, the first step is to ensure Apache will start on its own with no configuration changes.

  1. Open your Services management console
  2. Locate the Apache service (Apache2.2 for example)
  3. Start the service.  If there is a problem, you will get a warning or error message.

One common error on a new installation is when Apache conflicts with IIS.  If you see an error message about no listening sockets available, that probably means that IIS is already running a website on the default port 80.  You can either change Apache to run on a different port (by editing the httpd.conf file), or stop the default website in IIS.

Once you have Apache running on its own, it’s time to configure Subversion.

  1. Open the httpd.conf file (mine is located at C:\Program Files\CollabNet Subversion Server\httpd\conf\httpd.conf).
  2. Locate the Dynamic Shared Object (DSO) Support section.  This should have a bunch of lines that begin with “LoadModule …”
  3. At the bottom of the existing LoadModule lines, add the following three lines:
    LoadModule ldap_module   modules/mod_ldap.so
    LoadModule authnz_ldap_module   modules/mod_authnz_ldap.so
    LoadModule authz_svn_module   modules/mod_authz_svn.so
  4. Next, locate the <Location> tag for the path where your repositories will be accessible.  By default with the Collabnet install this will be /svn.  In that case you would look for <Location /svn>.  If you configured a different path, just substitute the path you configured for /svn.  It should look something like this:
    <Location /svn>
    DAV svn
    SVNParentPath C:/svn_repository
    </Location>

    The SVNParentPath should be the full path to the directory where you will store your repositories.  In this case, all repositories will be located at C:\svn_repository\<my_repo>.

  5. Add the following settings to this Location tag:

    SVNListParentPath On
    Set this to On if you are hosting multiple repositories and want Apache to display a list of repositories.

    AuthzSVNAccessFile C:/svn_repository/access.txt
    This is the full path to the file which will control access (we’ll create that next)

    AuthzLDAPAuthoritative off
    If on, this prevents another auth provider from handling authentication if ldap authentication fails.

    AuthType Basic
    Specifies basic auth.  You can change this to Digest or a different auth type if you like.

    AuthBasicProvider ldap
    Specifies that the LDAP provider will be used for authentication.

    AuthName "your.domain"
    This specifies the realm for authentication.  For simplicity, just set this to the fully qualified name of your domain.

    AuthLDAPBindDN "CN=SomeAccount,CN=Users,DC=your,DC=domain"
    This needs to be the fully qualified account name of an account that has read access to your domain.

    AuthLDAPBindPassword "password"
    This should be the password for the account specified in AuthLDAPBindDN.

    AuthLDAPURL "ldap://your.domain/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
    This will be used to locate users in your domain.  Everything to the left of the first question mark should be the ldap path where your users are located.  To the right of the first question mark is the user property that will be used as the username.  Typically you will use “sAMAccountName”, but if you wanted to have users use their email address as their username, you could use “mail” instead.  Leave the rest of the path unchanged.

    Require valid-user
    Specifies that a valid user account is required.

  6. Once you are done, the entire <Location /svn> section should look like this:
    <Location /svn>
    DAV svn
    SVNParentPath C:/svn_repository
    SVNListParentPath On
    AuthzSVNAccessFile C:/svn_repository/access.txt
    AuthzLDAPAuthoritative off
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "your.domain"
    AuthLDAPBindDN "CN=account,CN=Users,DC=your,DC=domain"
    AuthLDAPBindPassword "password"
    AuthLDAPURL "ldap://your.domain/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
    Require valid-user
    </Location>
  7. Next, restart the Apache service in your Services management console.  If you get an error, check the event log and double check the settings above.  If you don’t receive any errors, move on to the next section.
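
The finished block uses `ldap://` and `AuthType Basic`, so the LDAP bind and each user's Windows password travel unencrypted unless TLS is added on both legs. The check below is an added example, not part of the original post: a small Python audit that parses a `<Location>` block and its AuthLDAPURL (the layout explained in step 5) and reports those exposures. The sample block is constructed from the walk-through with the non-auth directives trimmed, and the finding names are labels made up for this example.

```python
import re
import shlex

# Constructed sample: the auth directives of the walk-through's <Location /svn>.
SAMPLE_CONF = """\
<Location /svn>
AuthType Basic
AuthLDAPBindDN "CN=account,CN=Users,DC=your,DC=domain"
AuthLDAPBindPassword "password"
AuthLDAPURL "ldap://your.domain/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
Require valid-user
</Location>
"""

def parse_directives(conf):
    """Map each directive name (lower-cased) to its raw argument string."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*([A-Za-z]+)(?:\s+(.*\S))?\s*$", line)
        if m:  # container tags and blank lines do not match
            found[m.group(1).lower()] = m.group(2) or ""
    return found

def parse_ldap_url(url):
    """Split scheme://host/basedn?attribute?scope?filter into named parts."""
    scheme, rest = url.split("://", 1)
    host, _, tail = rest.partition("/")
    parts = (tail.split("?", 3) + [""] * 4)[:4]
    names = ("scheme", "host", "basedn", "attribute", "scope", "filter")
    return dict(zip(names, [scheme.lower(), host] + parts))

def audit(conf):
    """Return (finding_id, advice) pairs for credential-exposure risks."""
    d = parse_directives(conf)
    args = shlex.split(d.get("authldapurl", "")) or ["unset:///"]  # no LDAP set
    url, mode = parse_ldap_url(args[0]), (args[1:] or ["NONE"])[0].upper()
    findings = []
    if url["scheme"] == "ldap" and mode not in ("SSL", "TLS", "STARTTLS"):
        findings.append(("ldap-cleartext", "use ldaps:// or a STARTTLS mode"))
    if d.get("authtype", "").lower() == "basic" and "sslrequiressl" not in d:
        findings.append(("basic-without-tls", "nothing here enforces HTTPS"))
    if "authldapbindpassword" in d:
        findings.append(("bind-password-in-file", "lock down httpd.conf ACLs"))
    if url["filter"].replace(" ", "") == "(objectClass=*)":
        findings.append(("broad-filter", "restrict the filter to user objects"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

Switching the URL to `ldaps://` (or appending a `STARTTLS` mode to AuthLDAPURL) and adding `SSLRequireSSL` to the block clears the first two findings.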

Setting up Access

The final step is to set up access for your repositories. Create a new file called “access.txt” where your repositories are located. This file should be at the same path you specified for the AuthzSVNAccessFile setting in the httpd.conf file. It doesn’t have to be where your repositories are located; it can be anywhere.

For each repository, create an entry like the following:

[myrepo:/]
user1 = rw
user2 = rw
user3 = r

I won’t go into the format of this file because you can find extensive documentation in the Subversion Book. However, the important thing to understand is that the username you use will be based on the property specified in the AuthLDAPURL setting in your httpd.conf. For example, if you specified sAMAccountName, you will enter the account name (without the domain portion). If you specified mail, you would enter the email address.

Save the access.txt file.

That’s it. You can now try checking out a repository by running the following command:

svn co http://localhost/svn/myrepo
