Friday, November 28, 2008

HowTo: CentOS 5, Apache 2.2, Subversion 1.5 with ActiveDirectory Authentication

Here's my step by step:
  1. Install CentOS 5.2
  2. Configure Network and Proxies as needed
    I usually create a login script, /etc/profile.d/login.sh, as follows:
    # Export the proxy address under every variable name that clients look for.
    function set_proxies() {
        local s
        PROXY_ADDR="http://proxy.example.com:8000/"
        # Upper-case variants
        for s in HTTP HTTPS FTP GOPHER NEWSPOST NEWSREPLY \
                 NEWS NNTP SNEWSPOST SNEWSREPLY SNEWS \
                 WAIS FINGER CSO; do
            export ${s}_PROXY="${PROXY_ADDR}"
        done
        # Lower-case variants
        for s in http https ftp; do
            export ${s}_proxy="${PROXY_ADDR}"
        done
    }

    set_proxies
  3. I installed from the DVD, so run yum update to ensure everything is up to date.
  4. Get my mod_authn_sasl rpm:
    wget http://www.one-dash.com/blog/mod_authn_sasl-1.0.2-3.i386.rpm
  5. Install it (this should pull down the):
    yum --nogpgcheck localinstall mod_authn_sasl-1.0.2-3.i386.rpm
  6. Get my sasl-magic-config script:
    wget http://www.one-dash.com/blog/system-saslauthd-active-directory-config.sh
    dos2unix system-saslauthd-active-directory-config.sh
  7. Run the script:
    sh system-saslauthd-active-directory-config.sh example.com
  8. Change the security level:
    system-config-securitylevel-tui
    Set SELinux to Permissive, then choose Customize and enable WWW and Secure WWW on the firewall.
  9. Create the sasl2 configuration for apache:
    echo "pwcheck_method:saslauthd" > /usr/lib/sasl2/apache-httpd.conf
  10. Now we need to install Subversion 1.5.2:
    wget http://summersoft.fay.ar.us/pub/subversion/1.5.2/rhel-5/i386/subversion-1.5.2-1.i386.rpm
    wget http://summersoft.fay.ar.us/pub/subversion/1.5.2/rhel-5/i386/neon-0.27.2-1.i386.rpm
    wget http://summersoft.fay.ar.us/pub/subversion/1.5.2/rhel-5/i386/mod_dav_svn-1.5.2-1.i386.rpm
    yum install perl-URI
    rpm -i neon-0.27.2-1.i386.rpm
    rpm -i subversion-1.5.2-1.i386.rpm
    rpm -i mod_dav_svn-1.5.2-1.i386.rpm

  11. Next modify the apache conf file for our subversion repositories: /etc/httpd/conf.d/subversion.conf
    # Needed to do Subversion Apache server.
    LoadModule dav_svn_module modules/mod_dav_svn.so

    # Only needed if you decide to do "per-directory" access control.
    #LoadModule authz_svn_module modules/mod_authz_svn.so

    <Location /svn>
        DAV svn
        SVNParentPath /var/www/svn

        <IfModule mod_authn_sasl.c>

            # Limit write permission to list of valid users.
            <LimitExcept GET PROPFIND OPTIONS REPORT>
                # Require SSL connection for password protection.
                # SSLRequireSSL
                AuthType Basic
                AuthName "EXAMPLE"
                AuthBasicProvider sasl
                AuthSaslPwcheckMethod saslauthd auxprop
                AuthSaslAppname apache-httpd
                AuthSaslRealm example
                Require valid-user
            </LimitExcept>

        </IfModule>

    </Location>
  12. Next, create the subversion projects root and restart Apache:
    mkdir /var/www/svn
    chown -R apache:apache /var/www/svn
    service httpd restart

  13. At this point you can now create a test repository:
    svnadmin create /var/www/svn/test
    chown -R apache:apache /var/www/svn/test
  14. Let's test if subversion is working:
    svn info http://localhost/svn/test
    svn mkdir --username myWindowsUsername --message "a test commit" http://localhost/svn/test/trunk
  15. At this point we should have subversion up and running.
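
The configuration in step 11 uses Basic authentication, which sends the Active Directory password base64-encoded with every authenticated request, and it leaves SSLRequireSSL commented out. The check below is an added example, not part of the original post: it reports Location or Directory blocks that enable AuthType Basic without an active SSLRequireSSL. The function names and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report Apache <Location> or
# <Directory> blocks that use Basic auth without an active SSLRequireSSL.

# audit_basic_auth [FILE...]  (reads stdin when no file is given)
# Prints one line per offending block; exit status 1 if any were found.
audit_basic_auth() {
    awk '
        { d = tolower($1) }                 # directive names are case-insensitive
        d ~ /^#/ { next }                   # a commented-out directive is not active
        d == "<location" || d == "<directory" {
            block = $2; sub(/>$/, "", block); basic = ssl = 0; next
        }
        d == "authtype" && tolower($2) == "basic" { basic = 1 }
        d == "sslrequiressl" { ssl = 1 }
        d == "</location>" || d == "</directory>" {
            if (basic && !ssl) {
                print block ": Basic auth without SSLRequireSSL"
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: the access-control part of step 11 as published.
conf_as_published() {
    cat <<'EOF'
<Location /svn>
  DAV svn
  SVNParentPath /var/www/svn
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    # SSLRequireSSL
    AuthType Basic
    AuthBasicProvider sasl
    Require valid-user
  </LimitExcept>
</Location>
EOF
}

# Constructed sample: the same block with SSLRequireSSL uncommented.
conf_tls_only() { conf_as_published | sed 's/# SSLRequireSSL/SSLRequireSSL/'; }

conf_as_published | audit_basic_auth || echo "^ password would cross the wire over plain HTTP"
conf_tls_only | audit_basic_auth && echo "tls-only variant: OK"
```

On the server itself, run it as audit_basic_auth /etc/httpd/conf.d/subversion.conf; uncommenting SSLRequireSSL also requires mod_ssl and an HTTPS virtual host to be in place.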

2 comments:

  1. Thanks, very helpful post. Is there a way to install Trac easily on this server too? An indepth tutorial on this would be great.

    VT

  2. my magic script got lost due to a server snafu...



    #!/bin/bash
    # Generate /etc/saslauthd.conf for LDAP fastbind authentication against
    # the Active Directory domain given as the only argument.

    CONF_FILE=/etc/saslauthd.conf

    if [ $# -eq 1 ]
    then
        # example.com -> EXAMPLE (first label, upper-cased)
        DOMAIN=`echo "$1" | sed -e "s/\..*//;y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/"`
        # example.com -> DC=example,DC=com
        DN=`echo "$1" | sed -e "s/\.$//;s/\./,DC=/g;s/^/DC=/;"`
        # Hosts from the SRV lookup as ldap://host:389/ URIs on one line.
        # dig separates fields with tabs, so cut at the first whitespace character.
        SERVERS=`dig "_ldap._tcp.$1" -t srv | fgrep -A 1000 ";; ADDITIONAL SECTION:" | sed -n '/^;;/!p' | sed -n '/^$/!p' | sed -e "s/[[:space:]].*//;s/^/ldap:\/\//;s/\.$/:389\//" | tr '\n' ' '`

        if [ "A$SERVERS" = "A" ]
        then
            echo "Could not find an SRV record for _ldap._tcp.$1"
            exit 1
        fi

        echo "Creating $CONF_FILE for fastbind authentication to $1"
        echo "ldap_servers: $SERVERS" > $CONF_FILE
        echo "ldap_bind_dn: $DN" >> $CONF_FILE
        echo "ldap_auth_method: fastbind" >> $CONF_FILE
        echo "ldap_filter: $DOMAIN\\%U" >> $CONF_FILE

        echo "Configuring saslauthd to use LDAP"
        mv -f /etc/sysconfig/saslauthd /etc/sysconfig/saslauthd.old
        sed -e "s/MECH=.*/MECH=ldap/;s/FLAGS=.*/FLAGS=-c/;" < /etc/sysconfig/saslauthd.old > /etc/sysconfig/saslauthd

        echo "(Re)starting saslauthd"
        service saslauthd stop
        chkconfig saslauthd on
        service saslauthd start
        echo Done.
    else
        echo "Please invoke this script with the DNS name of the domain to authenticate against"
        exit 1
    fi
