Ubuntu 11.04 – How to Configure an LDAP Server for Subversion and Trac

kerberos, ldap, svn, trac, Ubuntu

I have an Ubuntu server 11.04 on EC2 (I'm mentioning this because it appears things have changed in this version from previous Ubuntu releases with regard to LDAP configuration).

I want to configure it as a subversion server with trac, for private repositories (i.e. a user must have a username:password and privileges to view or commit to svn, and to view or make changes in trac).

Since I wanted to make sure it is secure, I first chose the svn+ssh option, meaning I have to create a Linux user for each person that needs access to svn. But I couldn't find a way to use the same users for trac, meaning I will have to manually create a user in trac for each user I create on the Linux machine, and this could lead to different passwords between svn and trac. In short: a mess.

So I decided to go and implement an openldap server, which will give the option to use ldap users for other features in the future.

The only guide I found that worked for configuring the openldap part was this one ("The Guide").

However, when I got to the kerberos part, I got some questions I didn't know how to answer, and then I got errors, so no kerberos.

Some notes:

  • The server will eventually be something like svn.myserver.com. However, there's no dns record for it yet.

  • Taking the previous note into consideration, I used the svn.myserver.com name when configuring openldap as said in the guide above (I did not do the first two parts of the guide, so I had to run the sudo dpkg-reconfigure slapd command to reconfigure, and used dc=svn,dc=myserver,dc=com everywhere instead of dc=danbishop,dc=org, or svn.myserver.com instead of danbishop.org).

  • In the kerberos part of the guide, when running the sudo apt-get install krb5-kdc krb5-admin-server command, I was asked the following:

    • The realm – I wrote SVN.MYSERVER.COM
    • Something about servers – I wrote localhost
    • Something about administrator server – I wrote localhost

    When the questions were over, and it continued to configure kerberos, there were some "File or directory not found" errors, and an "an error has occurred, see log" kind of message. However, I did not find any log file.

There might be a better way to do it, and there might be another solution to get what I want (unified user management for svn, trac and other such future apps), but since the svn and bug tracking features are supposed to survive a long time, and not pose any difficulties, it is important for me to choose the right solution, and configure it the right way (there is more than one right way, I'm sure, but I don't want to choose a lousy way).

I would really appreciate help with this, as I've been messing around with this for a few days now, feeling like I'm wasting time.

Best Answer

One hint for Kerberos: You have to get your DNS right before you configure Kerberos or you can run into all sorts of trouble. So, create the relevant DNS entries first and don't continue before this is done.

That said, I don't really think that Kerberos is necessary in your case. It's still a notoriously complicated thing to get working right and I don't think the result will be worth the trouble. Primarily, it's useful for providing a single-sign-on solution, so if you get it right, you log into your (system) user account and 'magically' all kerberized services will work without a login.

So, if you configure your system to authenticate against LDAP via PAM and do the same for Trac, you should be fine.
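
The DNS hint in the answer above, as an added example that is not part of the original answer: a Python pre-flight check to run before installing the KDC. It confirms that the server name resolves to a non-loopback address and that the address reverses back to the same name. The function names, the "realm is the upper-cased DNS domain" convention check and the sample records are assumptions made for illustration.

```python
import ipaddress
import socket


def _forward(name):
    """A/AAAA lookup: the set of addresses the system resolver returns."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def _reverse(addr):
    """PTR lookup: the primary host name for an address."""
    return socket.gethostbyaddr(addr)[0]


def kerberos_dns_preflight(fqdn, realm, forward=_forward, reverse=_reverse):
    """Return a list of problems; an empty list means every check passed."""
    fqdn = fqdn.rstrip(".").lower()
    if "." not in fqdn:
        return [f"{fqdn} is not a fully qualified name"]
    problems = []
    # Convention assumed here: the realm is the upper-cased DNS domain.
    if realm != realm.upper():
        problems.append(f"realm {realm} is not upper case")
    domain = realm.lower()
    if fqdn != domain and not fqdn.endswith("." + domain):
        problems.append(f"{fqdn} is outside the DNS domain of realm {realm}")
    try:
        addrs = forward(fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return problems + [f"no forward record for {fqdn}: {exc}"]
    for addr in sorted(addrs):
        if ipaddress.ip_address(addr).is_loopback:
            # Typical cause: a 127.0.1.1 line for the host name in /etc/hosts.
            problems.append(f"{fqdn} resolves to loopback address {addr}")
            continue
        try:
            back = reverse(addr).rstrip(".").lower()
        except OSError as exc:  # socket.herror is a subclass of OSError
            problems.append(f"no reverse record for {addr}: {exc}")
            continue
        if back != fqdn:
            problems.append(f"{addr} reverses to {back}, not {fqdn}")
    return problems


# Constructed sample records (documentation address range) for an offline run.
SAMPLE_A = {"svn.myserver.com": {"203.0.113.10"}}
SAMPLE_PTR = {"203.0.113.10": "host-203-0-113-10.provider.example"}
if __name__ == "__main__":
    print(kerberos_dns_preflight("svn.myserver.com", "SVN.MYSERVER.COM",
                                 SAMPLE_A.__getitem__, SAMPLE_PTR.__getitem__))
```

Called with only the host name and realm, the function uses the system resolver, so it can be run on the server itself once the DNS records exist.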