Oct 02, 2009
Apache2 can use several authentication methods and options in order to allow access to the same resource, configured in a single VirtualHost.
In the following case i've illustrated how i solved the needing to access via
two different authentication/authorization methods the same
<Location></Location> by users registered on different authentication
systems and so to have different kinds of permissions on the resource, in this
case, subversion repositories.
The developers team of the company i actually work for, expressed the needing to give external occasional supporting developers, access to our subversion repositories made available through Apache2 HTTPS connection, behind a Nginx reverse proxy. They didn't want to register the external developers in our corporate SSO (OpenLDAP), instead they wanted to have them in separate authentication/authorization system, able to manage permissions on the repositories too.
Ubuntu 8.04 LTS in KVM virtual machine
Apache2 modules, basically the following:
authn_alias_module, which is in the core as demonstrated by:
root@vm:/etc/apache2/sites-available# dpkg -S mod_authn_alias.so
An OpeLDAP server somewhere, already giving authentication;
Subversion installed and functional on the same machine and already giving privileges management through a svn_auth_file.
This functionality is available by using the apache2 directive:
AuthnProviderAlias via the authn_alias_module obtained installing the
package apache2.2-common. The directive's operating context is: server config,
so it has to be inserted, in the case of Debian-based systems, in the
The purpose is to to configure a set of authentication methods that can be
made available to the VirtualHost's Location directives. The directive allows
to define the method itself, a name for a single method and other specific
configuration parameters, by specifing a directive for every single
authentication method to be used. The
AuthBasicProvider directive can then
be used in the Location directives to make effectively use of them listing
names after it. In this way the administrator can use a mix of authentication
methods as needed per VirtualHost's Locations. Other specific configuration
can be used inside the Location directive itself, as the LDAP DN, paths to
privileges files and so on.
For this case i've used
apache2-mpm-itk, which is stated to be still in
experimental stage, so use it at your own risk, surely there are other methods
to make an Apache2 VirtualHost run under a specified user. Furthermore there
has to be take into consideration that the mpm-itk is a de facto version of a
prefork, so: no threading.
The choice to make this VirtualHost running under a specified user is to give DAV physical access to the repositories in a permissions' coherent way, since the readings/writings operations are made by dav_svn_module installed via libapache2-svn Debian package.
The "AssignUserID uid gid" allows to specify, respectively, user name and group name to run under and its specific to mpm-itk
The usage of "UseCanonicalName on" makes DAV correctly identifying names to access the repositories since i'm using apache as a backend, in this way it correctly determines names as the Nginx reverse proxy passes through.
External users are authenticated on a htpasswd file, their permissions and privileges on the repositories are configured in a svn_auth_file, which defines users, groups of users and kind of permissions, it's related to only subversion, and in this case, is the second authentication/authorization system.
A configuration example follows:
1 2 3 4 5 6 7 8 9 10
<AuthnProviderAlias ldap ldap1 > AuthBasicProvider ldap # just an example AuthLDAPURL "ldap://IP_or_DOMAIN/ou=organization-unit,DC=domain,DC=tld?uid?sub?" </AuthnProviderAlias> <AuthnProviderAlias file svnfile> AuthUserFile /path/to/your/.htpasswd AuthzSVNAccessFile /path/to/your/svn_conf/authz_access.conf </AuthnProviderAlias&>
VirtualHost.conf excerpt(replace the file name accordingly):
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
<VirtualHost *> ServerName scm.domain.tld ServerAdmin email@example.com ErrorLog /var/logs/error CustomLog /var/logs/access combined # accept up to 10MB file size uploads LimitRequestBody 10485760 # assign the uid and gid user to this VH AssignUserID uid gid UseCanonicalName on <Location /repos> DAV svn SVNParentPath /path/to/svn_repos_dir SVNListParentPath on AuthBasicProvider ldap1 svnfile AuthType basic AuthName "Your REALM name here" AuthzLDAPAuthoritative on # owned by uid AuthzSVNAccessFile /path/to/conf/authz_access.conf require valid-user require ldap-group cn=gid,ou=group,dc=domain,dc=tld </Location> </VirtualHost>
In this way it'll be possibile access the repositories with a URL like https://domain.tld/repos/repo_name by using a registered user name in either OpenLDAP or htpasswd file when the authentication credentials will be requested. The users in the htpasswd file will be subject to the permissions defined in the SVN authentication file /path/to/conf/authz_access.conf.
The configuration illustrated here is just A solution not THE solution, i think there can be find other ways of accomplishing the same results, so use the above instructions at your own risk, i'm not responsible of what the reader does on her/his administered systems.
Powered by Moonwatcher.it ShortPosts.