Introduction
Apache2 can use several authentication methods and options to allow access to the same resource, configured in a single VirtualHost.
In the following case I illustrate how I solved the need to give access to the same <Location></Location> through two different authentication/authorization methods, to users registered on different authentication systems, each with its own kind of permissions on the resource: in this case, Subversion repositories.
The Study Case
The developers' team of the company I currently work for asked to give external, occasional supporting developers access to our Subversion repositories, made available through an Apache2 HTTPS connection behind an Nginx reverse proxy. They didn't want to register the external developers in our corporate SSO (OpenLDAP); instead they wanted them in a separate authentication/authorization system, also able to manage permissions on the repositories.
Environment
- Ubuntu 8.04 LTS in a KVM virtual machine
- Subversion 1.5.1
- Apache2 mpm-itk
- OpenSSL
Apache2 modules, basically the following:
- auth_basic_module
- mod_authn_file
- authnz_ldap_module
- dav_module
- dav_svn_module
- ldap_module
- authz_svn_module
- authn_alias_module, which ships with the core package, as shown by:
root@vm:/etc/apache2/sites-available# dpkg -S mod_authn_alias.so
apache2.2-common: /usr/lib/apache2/modules/mod_authn_alias.so
Pre-Requisites
An OpenLDAP server somewhere, already providing authentication;
Subversion installed and functional on the same machine, already managing privileges through an svn_auth_file.
The Configuration
This functionality is available through the Apache2 directive AuthnProviderAlias, provided by authn_alias_module, which comes with the apache2.2-common package. The directive's context is server config, so on Debian-based systems it has to go into /etc/apache2/apache2.conf.
The purpose is to configure a set of authentication methods that the VirtualHost's Location directives can use. Each AuthnProviderAlias block defines one method: the provider to use, a name for it and provider-specific parameters; one block is written for every authentication method to be used. The AuthBasicProvider directive, followed by the list of those names, is then used in the Location directives to actually enable them. In this way the administrator can use a mix of authentication methods as needed per VirtualHost Location. Other specific configuration can go inside the Location directive itself, such as the LDAP DN, paths to privilege files and so on.
For this case I used apache2-mpm-itk, which is stated to be still in an experimental stage, so use it at your own risk; surely there are other methods to make an Apache2 VirtualHost run under a specified user. Furthermore, take into consideration that mpm-itk is de facto a version of prefork, so: no threading.
The choice to make this VirtualHost run under a specified user is to give DAV physical access to the repositories in a permission-coherent way, since the read/write operations are performed by dav_svn_module, installed via the libapache2-svn Debian package.
The "AssignUserID uid gid" directive specifies, respectively, the user name and group name to run under; it is specific to mpm-itk.
"UseCanonicalName on" makes DAV identify the names used to access the repositories correctly: since I'm using Apache as a backend, in this way it correctly determines the names as the Nginx reverse proxy passes them through.
External users are authenticated against an htpasswd file; their permissions and privileges on the repositories are configured in an svn_auth_file, which defines users, groups of users and kinds of permissions. It is specific to Subversion and, in this case, is the second authentication/authorization system.
A configuration example follows:
apache2.conf excerpt:
<AuthnProviderAlias ldap ldap1 >
AuthBasicProvider ldap
# just an example
AuthLDAPURL "ldap://IP_or_DOMAIN/ou=organization-unit,DC=domain,DC=tld?uid?sub?"
</AuthnProviderAlias>
<AuthnProviderAlias file svnfile>
AuthUserFile /path/to/your/.htpasswd
AuthzSVNAccessFile /path/to/your/svn_conf/authz_access.conf
</AuthnProviderAlias>
VirtualHost.conf excerpt (replace the file name accordingly):
<VirtualHost *>
ServerName scm.domain.tld
ServerAdmin sysadm@domain.tld
ErrorLog /var/logs/error
CustomLog /var/logs/access combined
# accept up to 10MB file size uploads
LimitRequestBody 10485760
# assign the uid and gid user to this VH
AssignUserID uid gid
UseCanonicalName on
<Location /repos>
DAV svn
SVNParentPath /path/to/svn_repos_dir
SVNListParentPath on
AuthBasicProvider ldap1 svnfile
AuthType basic
AuthName "Your REALM name here"
AuthzLDAPAuthoritative on
# owned by uid
AuthzSVNAccessFile /path/to/conf/authz_access.conf
require valid-user
require ldap-group cn=gid,ou=group,dc=domain,dc=tld
</Location>
</VirtualHost>
In this way it will be possible to access the repositories with a URL like https://domain.tld/repos/repo_name using a user name registered either in OpenLDAP or in the htpasswd file when the authentication credentials are requested. The users in the htpasswd file will be subject to the permissions defined in the SVN access file /path/to/conf/authz_access.conf.
The configuration illustrated here is just A solution, not THE solution; I think other ways of accomplishing the same results can be found, so use the above instructions at your own risk: I'm not responsible for what the reader does on the systems she/he administers.
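Since authz_access.conf is the only thing standing between an authenticated user and a write to a repository, it is worth being able to answer "what can this user do on this path?" offline, before the file is deployed. The following Python script is an added example, not code from the original post or from the Subversion project: it parses a constructed access file in the format mod_authz_svn reads, expands nested groups, resolves access per path (most specific path section first, repository-specific section before the global one, falling back to the parent directory when no rule matches, as the svnbook's path-based authorization chapter describes) and lints the file for undefined groups and mistyped permission values. The precedence it applies when several rules in one section match the same user (explicit user rule over group rule over `$authenticated`/`$anonymous` over `*`) is an assumption made for this example, not a guarantee about the server; newer Subversion releases ship `svnauthz accessof` to ask the real implementation. One caveat the page does not spell out: mod_authz_svn evaluates the access file for every authenticated user name, whichever provider authenticated it, so LDAP users need a matching rule (or a `*` rule) as well.

```python
import configparser
import posixpath
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the format mod_authz_svn reads; repository, user
# and group names are invented for this example.
SAMPLE_AUTHZ = """\
[groups]
core = alice, bob
external = carol
everyone = @core, @external

[/]
* = r
@core = rw

[project-x:/trunk]
@everyone = rw

[project-x:/trunk/secrets]
* =
@core = rw
"""

Access = Set[str]        # subset of {"r", "w"}
Rule = Tuple[str, str]   # (who, value) as written in the file


def parse_access(value: str) -> Access:
    """Translate '', 'r' or 'rw' into a permission set; anything else is a typo."""
    levels = {"": set(), "r": {"r"}, "rw": {"r", "w"}}
    if value not in levels:
        raise ValueError(f"invalid access value {value!r}")
    return set(levels[value])


class AuthzPolicy:
    def __init__(self, text: str) -> None:
        parser = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                           allow_no_value=True)
        parser.optionxform = str  # user and group names are case-sensitive
        parser.read_string(text)
        self.groups: Dict[str, List[str]] = {}
        # key: (repository, or None for a global section; path inside it)
        self.rules: Dict[Tuple[Optional[str], str], List[Rule]] = {}
        for section in parser.sections():
            items = [(k, (v or "").strip()) for k, v in parser.items(section)]
            if section == "groups":
                for name, members in items:
                    self.groups[name] = [m.strip() for m in members.split(",") if m.strip()]
            else:
                repo, path = section.split(":", 1) if ":" in section else (None, section)
                self.rules[(repo, path)] = items

    def members(self, group: str, seen: Optional[Set[str]] = None) -> Set[str]:
        """Expand a group, following @nested groups and ignoring cycles."""
        seen = set() if seen is None else seen
        if group in seen:
            return set()
        seen.add(group)
        users: Set[str] = set()
        for member in self.groups.get(group, []):
            users |= self.members(member[1:], seen) if member.startswith("@") else {member}
        return users

    def _matches(self, who: str, user: Optional[str]) -> bool:
        if who == "*":
            return True
        if who == "$authenticated":
            return user is not None
        if who == "$anonymous":
            return user is None
        if who.startswith("@"):
            return user is not None and user in self.members(who[1:])
        return who == user

    def _decide(self, rules: List[Rule], user: Optional[str]) -> Optional[Access]:
        """Apply one section. Assumption for this example: a rule naming the
        user beats a group rule, which beats $authenticated/$anonymous, which
        beats '*'. Verify the precedence against the live server."""
        best: Optional[Tuple[int, Access]] = None
        for who, value in rules:
            if not self._matches(who, user):
                continue
            rank = 3 if who == "*" else 2 if who.startswith("$") else 1 if who.startswith("@") else 0
            if best is None or rank < best[0]:
                best = (rank, parse_access(value))
        return None if best is None else best[1]

    def access(self, user: Optional[str], repo: str, path: str) -> Access:
        """Effective permissions of `user` (None = anonymous) on repo:path."""
        path = posixpath.normpath("/" + path.lstrip("/"))
        while True:
            for key in ((repo, path), (None, path)):
                if key in self.rules:
                    decision = self._decide(self.rules[key], user)
                    if decision is not None:
                        return decision
            if path == "/":
                return set()  # no rule matched anywhere: access denied
            path = posixpath.dirname(path)

    def lint(self) -> List[str]:
        """Report undefined groups and mistyped access values."""
        problems = []
        for name, members in self.groups.items():
            problems += [f"group {name!r} references undefined group {m}"
                         for m in members if m.startswith("@") and m[1:] not in self.groups]
        for (repo, path), rules in self.rules.items():
            for who, value in rules:
                if who.startswith("@") and who[1:] not in self.groups:
                    problems.append(f"rule for undefined group {who} in {repo}:{path}")
                try:
                    parse_access(value)
                except ValueError as exc:
                    problems.append(f"{who} in {repo}:{path}: {exc}")
        return problems


def describe(policy: AuthzPolicy, user: Optional[str], repo: str, path: str) -> str:
    """Render the effective access as 'rw', 'r' or 'none'."""
    acc = policy.access(user, repo, path)
    return "rw" if "w" in acc else "r" if "r" in acc else "none"


if __name__ == "__main__":
    policy = AuthzPolicy(SAMPLE_AUTHZ)
    print("lint:", policy.lint() or "clean")
    for user, repo, path in [("alice", "project-x", "/trunk/secrets/key.pem"),
                             ("carol", "project-x", "/trunk/foo.c"),
                             ("carol", "project-x", "/trunk/secrets/key.pem"),
                             (None, "project-x", "/trunk")]:
        print(user or "<anonymous>", f"{repo}:{path}", "->", describe(policy, user, repo, path))
```

Point the script at the real authz_access.conf (read the file instead of SAMPLE_AUTHZ) and run the lint before every deployment: a group name mistyped in a rule is silently treated as an empty group, which is exactly the kind of mistake that locks out or, with a permissive `*` rule, over-grants a whole team.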
HTH,
Gianluca
Some References
The AuthnProviderAlias directive: http://httpd.apache.org/docs/2.3/mod/mod_authn_core.html#authnprovideralias
The AuthBasicProvider directive: http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html#authbasicprovider
The authz_svn_module configuration directives: http://svnbook.red-bean.com/en/1.5/svn.ref.mod_authz_svn.conf.html
The dav_svn_module configuration directives: http://svnbook.red-bean.com/en/1.5/svn.ref.mod_dav_svn.conf.html
The Apache MPM-ITK: http://mpm-itk.sesse.net/
SVN Path-Based Authorization, from the svnbook: http://svnbook.red-bean.com/en/1.5/svn.serverconfig.pathbasedauthz.html