Detailed Instructions for setting up SubVersion w/ Apache & LDAP (Active Directory) on RHEL 5 / Fedora?


I'm in the middle of working on a little project to set up SubVersion on RHEL 5 / CentOS 5.1.

I need to have SVN work with Apache, Windows AD (LDAP), and multiple repositories.

I also want the user base to be able to administer their SVN repositories as well.

The format for the SVN repository would be ../svn/<project 1>  -> ../svn/<project2>, with each <projectX> directory being its own svn repository.

[There are multiple separate projects here, and I want to avoid confusion by the various team members by having all of the projects under one repository.  Is that a good idea?]

For 500 Points, can someone find me DETAILED instructions for setting all of this up?

I'm a noob with Apache & SVN, so I really need things spelled out for me.


Ok, say you want all of your subversion repos to go under /opt/svn_repos and you want to use kerberos (could also use ldap)...

First install subversion and apache:
yum install subversion httpd krb5-libs

You'd create each repo with:
svnadmin create /opt/svn_repos/project1
svnadmin create /opt/svn_repos/project2
svnadmin create /opt/svn_repos/project3

Create /etc/httpd/conf.d/svn.yourdomain.local.keytab and put this in it:

Now create /etc/httpd/conf.d/subversion.conf - I have my svn set up under a virtual host, but you don't have to...
Also set up /etc/krb5.conf...

** /etc/httpd/conf.d/subversion.conf **
LoadModule dav_svn_module     modules/
LoadModule authz_svn_module   modules/
<VirtualHost *:80>
    ServerName svn.yourdomain.local
    ErrorLog logs/svn.yourdomain.local-error_log
    CustomLog logs/svn.yourdomain.local-access_log common
    <Location />
        DAV svn
        SVNParentPath /opt/svn_repos/
        AuthName "Active Directory Login"
        AuthType Kerberos
        Krb5Keytab /etc/httpd/conf.d/svn.yourdomain.local.keytab
        KrbMethodNegotiate off
        KrbSaveCredentials off
        KrbVerifyKDC off
        # to allow all valid users...
        #Require valid-user
        # or just specific...
        # or a group...
        #Require group .....
    </Location>
</VirtualHost>

** /etc/krb5.conf **
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
# YOURDOMAIN.LOCAL is a placeholder realm name: use your AD domain in upper case
 YOURDOMAIN.LOCAL = {
  kdc = yourDC.yourdomain.local:88
  admin_server = yourDC.yourdomain.local:749
  default_domain = yourdomain.local
 }

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

I hope it was clear above... the code snippet had both my subversion.conf apache config file and also the kerberos config file.
gerhardub (Author) commented:

Cool... So I've got questions!

I don't want to use /opt, but another mounted location... will this cause me grief?

I'm actually fine with using LDAP and Active Directory.  That's not an issue at all... biggest question on that front is actually:  How do I limit access to the various repositories when using LDAP?

In other words, is there some kind of allow list or something like that for each repository?
gerhardub (Author) commented:
Solution was complete for the question I asked, but I should have asked about AD authentication, not LDAP.  My fault.

I have configured Subversion in exactly the same way as depicted earlier in this thread, and it works great as configured for domain users:

Require user,

What I need is conditional access: some of the members should be able to access some directories and others not, and some should have read-only access, pretty close to what Gerhald asked in the last comment.
Suggestions for alternate configurations are also welcome, but my prime concern is Single Sign On for SVN from LDAP.
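
Per-repository limits with this setup are normally handled by mod_authz_svn, which the configuration above already loads: add `AuthzSVNAccessFile /etc/svn-authz` and an active `Require valid-user` to the `<Location />` block, then list the rules in that file. The file below is an added example, not part of any post in this thread. The path /etc/svn-authz, the realm YOURDOMAIN.LOCAL, and all user and group names are assumptions; names are written as full principals because mod_auth_kerb passes user@REALM to Subversion by default.

```ini
# /etc/svn-authz (assumed path)
# Repository names are the directory names under SVNParentPath.
# Constructed users and groups; these groups exist only in this file,
# they are not looked up in Active Directory.

[groups]
project1-dev = alice@YOURDOMAIN.LOCAL, bob@YOURDOMAIN.LOCAL
project1-ro = carol@YOURDOMAIN.LOCAL

# Default for every repository and path: no access unless granted below.
[/]
* =

# project1: developers read/write, reviewers read-only.
[project1:/]
@project1-dev = rw
@project1-ro = r

# A more specific path overrides its parent: release branches are
# read-only even for developers.
[project1:/branches/release]
@project1-dev = r

# project2: a single named user, nobody else.
[project2:/]
dave@YOURDOMAIN.LOCAL = rw
```

With every `Require` line left commented out, as in the posted configuration, Apache has no authorization requirement for the location and these rules are never consulted for an authenticated user.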
