Subversion and LDAP

Added by David Pettifor over 12 years ago

I have read many forum entries and tutorials (both here and outside sources) about how to authenticate Redmine for Subversion using LDAP.

I tried using the page found at:
http://www.redmine.org/projects/redmine/wiki/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl
to walk through the "proper" process, but have failed.

I have RHEL 6.1, which made things slightly difficult to do. I also tried using the methods discussed here: http://www.redmine.org/issues/8311 since this user appeared to have a similar situation, yet I was still unable to install Authen::Simple::LDAP properly. I was getting this error:

 Error:  Can't locate Params/Validate.pm in @INC

After creating a soft link to allow it to find "Params/Validate.pm", it claimed to have installed successfully.

I have LDAP authentication set up and working in Redmine for logging in. In the Redmine database, I can see that the users table has the proper logins associated with the right foreign key to the authentication table (which holds my LDAP information).

I fill out the proper code in my "_httpd.conf_" file according to that first wiki.

PerlLoadModule Apache::Redmine
PerlLoadModule  Authen::Simple::LDAP
<VirtualHost *:80>
    ...
   <Location /svn>
     DAV svn
     SVNParentPath "/var/svn" 

     AuthType Basic
     AuthName redmine
     Require valid-user

     PerlAccessHandler Apache::Authn::Redmine::access_handler
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler

     ## for mysql
     RedmineDSN "DBI:mysql:database=redmine;host=localhost" 

     RedmineDbUser "redmine" 
     RedmineDbPass "password" 
     #Cache the last 50 auth entries
     RedmineCacheCredsMax 50
  </Location>
</VirtualHost>

*Note: everything is exactly as above except the password.

Now, when I try to go to the subversion location (or try a checkout), it prompts me for a username and password. However, NOTHING I enter works. It allows for 3 tries before booting me (even though I'm using my LDAP username and password that successfully authenticates upon logging in to Redmine).

I have tried another approach. This time I use Apache's mod_ldap module to request a straight-up LDAP authentication without using Redmine. I have gotten this to work (when accessing the SVN's URL or checkout/commit/update commands). However, the "Repository" tab of the project's page in Redmine returns a "404 Not Found". I believe this is happening because as Redmine requests for the subversion entries, Apache holds off and waits for authentication. Since Redmine doesn't get back what it was expecting, it throws a 404.

Here is my "_httpd.conf_" configuration for THIS method:

<VirtualHost *:80>
   ...
  <Location /svn>
        DAV svn
        SVNParentPath "/var/svn" 

        AuthType Basic
        AuthName "Restricted" 

        AuthBasicProvider ldap
        AuthLDAPBindDN "myBindDN" 
        AuthLDAPBindPassword "myPassword" 
        AuthLDAPURL "ldaps://myldapserver.com:636/other_junk" 

        Require valid-user

  </Location>
</VirtualHost>

So my question is - which way do I go and how to proceed? If I can get the first method to work, that would be great. However, if there was a way to allow Redmine through in my Apache configuration (and prompt for an LDAP authentication for everyone else), that would be great too.


Replies (1)

RE: Subversion and LDAP - Added by David Pettifor over 12 years ago

As it turns out, my second method led me to the solution I was looking for. I was very close with the above authentication method. I wanted to have anyone that tries to access the subversion service to have to authenticate against my LDAP settings. However, I wanted an exception - that if it was Redmine making the request, it should be allowed through. The trick was how to identify a request from Redmine, and how to allow that request. Since Redmine was running on the same server, it had the same IP address. Apache can allow specific IP addresses through, and with the right Order directive and a "Satisfy Any", I was able to get the setup I was looking for using this configuration:

<VirtualHost *:80>
   ...
  <Location /svn>
        Order allow,deny
        # Replace ACTUAL_IP_ADDRESS with the machine's actual IP address (example: 123.45.67.100)
        Allow from ACTUAL_IP_ADDRESS

        DAV svn
        SVNParentPath "/var/svn" 

        AuthType Basic
        AuthName "Restricted" 

        AuthBasicProvider ldap
        AuthLDAPBindDN "myBindDN" 
        AuthLDAPBindPassword "myPassword" 
        AuthLDAPURL "ldaps://myldapserver.com:636/other_junk" 

        Require valid-user

        Satisfy Any

  </Location>
</VirtualHost>

It's very important to point out that the ACTUAL_IP_ADDRESS in the "Allow from" directive is NOT the loop-back address (127.0.0.1). This does not work since Apache does a straight-up comparison of IP addresses, and does not do any IP look-ups. And since the request is made by Redmine (which uses the DHCP-given IP address when making requests), the matchup will always fail. So use the actual IP address of that machine, and it'll work like a charm.
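
The same exception written for Apache 2.4, where `Order`/`Allow`/`Satisfy` give way to mod_authz_core `Require` containers; this is an added example, not part of the original post. It goes one step beyond the post by limiting the unauthenticated address to read-only methods, so a request from that address still needs LDAP credentials to commit. The address and LDAP values are the post's placeholders, and the method list is an assumption about what repository browsing needs.

```apache
# Added example for Apache 2.4 (mod_authz_core, mod_authnz_ldap, mod_dav_svn).
# Goes inside the same <VirtualHost> as in the post.
<Location /svn>
    DAV svn
    SVNParentPath "/var/svn"

    AuthType Basic
    AuthName "Restricted"

    AuthBasicProvider ldap
    AuthLDAPBindDN "myBindDN"
    AuthLDAPBindPassword "myPassword"
    AuthLDAPURL "ldaps://myldapserver.com:636/other_junk"

    # 2.4 equivalent of "Satisfy Any": access is granted when either
    # branch below succeeds.
    <RequireAny>
        # Branch 1: requests from the Redmine host itself, without a
        # password, but only for read-only methods (assumed sufficient
        # for the Repository tab). Every local user and process on that
        # host shares this address, so the bypass is kept to reads.
        <RequireAll>
            # Placeholder address from the post; use the machine's real IP.
            Require ip 123.45.67.100
            Require method GET PROPFIND OPTIONS REPORT
        </RequireAll>

        # Branch 2: everyone else, and all write methods, must
        # authenticate against LDAP.
        Require valid-user
    </RequireAny>
</Location>
```

After reloading Apache, a checkout from another machine should still get a 401 prompt, and a commit attempted from the Redmine host without credentials should be challenged rather than accepted.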
