My users decided to move from CVS to SVN, and they want to use a centralized LDAP server for user authentication. I need to set up a test server for a proof-of-concept test.
I found a server that was no longer in use and installed the SVN packages as well as mod_dav_svn. The Apache HTTP server was already there.
After I configured Apache HTTP following the document at http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.prereqs , I tried to use a Subversion client to connect to it but failed. I checked the HTTP server log and found the request was sent to the wrong place:
# more error_log
......
[Wed May xx 16:07:36 2012] [error] [client 192.168.128.10] File does not exist: /var/www/html/repos
[Wed May xx 16:07:36 2012] [error] [client 192.168.128.10] File does not exist: /var/www/html/favicon.ico
[Wed May xx 16:07:49 2012] [error] [client 192.168.128.10] File does not exist: /var/www/html/repos
[Wed May xx 16:07:49 2012] [error] [client 192.168.128.10] File does not exist: /var/www/html/favicon.ico
............
According to my configuration file, it should not go to /var/www/html/repos:
# more /etc/httpd/conf.d/subversion.conf
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /repos>
DAV svn
SVNParentPath /var/www/svn
AuthType Basic
AuthName "xxxx SVN"
AuthBasicProvider ldap
AuthLDAPURL "ldap://xxxxxx:389/ou=users,dc=xxxxxx,dc=com?uid?sub?(objectClass=*)"
AuthzSVNAccessFile /var/www/svn/access
Require valid-user
</Location>
Any access to the URL should prompt for authentication, but it didn't.
I had no clue after checking all the log files and trying different clients, so I started to think maybe the problem was that Apache didn't read my configuration file. So I did a trace:
# cd /tmp
# service httpd stop
# strace -o httpd.trace -f /usr/sbin/httpd ##### to trace every system call from httpd
# grep "open" httpd.trace | grep "conf.d" ##### to find out which file was read in conf.d directory
http.trace:open("/etc/httpd/conf.d/php.conf", O_RDONLY) = 4
http.trace:open("/etc/httpd/conf.d/php.conf", O_RDONLY) = 5
Apparently, Apache only loads php.conf,
so I looked into the main configuration file for the "include" directives:
# grep -i "include" /etc/httpd/conf/httpd.conf
LoadModule include_module modules/mod_include.so
Include conf.d/php.conf ##### <<<------ here's the problem
I changed the line to
Include conf.d/*.conf
and restarted the httpd server. Now when I access the URL http://servername/repos, my browser prompts for a username and password.
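The same gap can be found without strace by comparing the files in conf.d against the Include directives in httpd.conf. The sketch below is an added example, not part of the original post; it is written in Python, handles only top-level Include lines (no nested or directory includes), and runs against a constructed ServerRoot holding the two file names from the post.

```python
import fnmatch
import os
import re
import tempfile

# Matches an Include directive and captures its path; commented-out lines do not match.
INCLUDE_RE = re.compile(r'^\s*Include\s+"?([^"#\s]+)"?', re.IGNORECASE)

def include_patterns(httpd_conf_text):
    """Return the path patterns named by Include directives."""
    patterns = []
    for line in httpd_conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            patterns.append(m.group(1))
    return patterns

def unloaded_conf_files(server_root, httpd_conf_text, conf_dir="conf.d"):
    """List *.conf files under conf_dir that no Include pattern matches."""
    patterns = include_patterns(httpd_conf_text)
    missing = []
    for name in sorted(os.listdir(os.path.join(server_root, conf_dir))):
        if not name.endswith(".conf"):
            continue
        rel = conf_dir + "/" + name
        full = os.path.join(server_root, rel)
        # An Include path may be relative to ServerRoot or absolute.
        if not any(fnmatch.fnmatch(rel, p) or fnmatch.fnmatch(full, p)
                   for p in patterns):
            missing.append(rel)
    return missing

def demo():
    """Constructed ServerRoot: compare the Include line before and after the fix."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "conf.d"))
        for name in ("php.conf", "subversion.conf"):
            open(os.path.join(root, "conf.d", name), "w").close()
        before = ("LoadModule include_module modules/mod_include.so\n"
                  "Include conf.d/php.conf\n")
        after = before.replace("conf.d/php.conf", "conf.d/*.conf")
        return unloaded_conf_files(root, before), unloaded_conf_files(root, after)

if __name__ == "__main__":
    print(demo())
```

A file reported here carries directives Apache never reads, so any authentication it defines is not in effect.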
To my surprise, if I exclude
AuthzSVNAccessFile /var/www/svn/access
in /etc/httpd/conf.d/subversion.conf, I can have full access using any LDAP account, but if I include it, none of my accounts work (all of them get access denied). The file /var/www/svn/access looks like below:
# more /var/www/svn/access
[aliases]
test1= uid=test1,ou=users,dc=xxxx,dc=com
test2 = uid=test2,ou=users,dc=xxxx,dc=com
[groups]
dev= &test1, &test2
[projectA:/]
* = r
&test1 = rw
[projectB:/]
&test1 = r
@dev = rw
I made this file following the instructions at http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html. After a few tests, it turned out the "&" is the problem; somehow you don't need that. After I changed the file to
# more /var/www/svn/access
[aliases]
test1= uid=test1,ou=is_team,ou=users,dc=xxxx,dc=com
test2 = uid=test2,ou=dev_team,ou=users,dc=xxxx,dc=com
[groups]
dev= test1, test2
[projectA:/]
* = r
test1 = rw
[projectB:/]
test1 = r
@dev = rw
everything works as expected.
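One way to see why the "&" rules stopped matching, as an added example that is not part of the original post and not Subversion's own code: a simplified Python model of how one authz section is evaluated, in which an alias is replaced by its [aliases] value before being compared with the authenticated username. It assumes the username Apache hands to mod_authz_svn is the short login name (mod_authnz_ldap's default unless AuthLDAPRemoteUserIsDN is on), and it looks at a single section with no path inheritance.

```python
import configparser

# Constructed copy of the access file from the post (spacing normalised).
ORIGINAL = """\
[aliases]
test1 = uid=test1,ou=users,dc=xxxx,dc=com
test2 = uid=test2,ou=users,dc=xxxx,dc=com
[groups]
dev = &test1, &test2
[projectA:/]
* = r
&test1 = rw
[projectB:/]
&test1 = r
@dev = rw
"""
# Same rules without the "&" prefix, as in the corrected file
# (the aliases are then no longer referenced by any rule).
FIXED = ORIGINAL.replace("&", "")

def parse(text):
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep names case-sensitive
    cp.read_string(text)
    return cp

def names(entry, cp):
    """Expand a rule subject into the usernames it stands for (None = anyone)."""
    if entry == "*":
        return None
    if entry.startswith("&"):  # alias: replaced by its value under [aliases]
        return {cp.get("aliases", entry[1:], fallback="")}
    if entry.startswith("@"):  # group: expand each member recursively
        members = cp.get("groups", entry[1:], fallback="").split(",")
        return set().union(*(names(m.strip(), cp) or set() for m in members))
    return {entry}

def effective(text, remote_user, section):
    """Union of the permissions of every rule in `section` matching the user."""
    cp = parse(text)
    perms = set()
    for subject, value in cp.items(section):
        who = names(subject, cp)
        if who is None or remote_user in who:
            perms |= set(value)
    return "".join(p for p in "rw" if p in perms)
```

In this model a login of test1 gets nothing on projectB from the original file and rw from the corrected one, while a username equal to the full DN would match the original "&" rules.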
My environment:
httpd-2.2.3-63.el5_8.1
mod_dav_svn-1.6.11-10.el5_8
subversion-1.6.11-10.el5_8