I've been working on our development server at work to try to help streamline some process. This included upgrade Subversion and Apache to the latest versions and installing Trac (so we can better track software issues.)
In order to really simplify being able to give developers and contractors access to the appropriate areas, I wanted to try and simplify the process by configuring Apache to use Windows Authentication. This allows us to control who has access to what, just by making them members of the appropriate groups.
Since I'm new to Apache, this whole process has taken longer than what I wanted—but I certainly learned a lot in the process.
Getting Windows Authentication configured in Apache wasn't too difficult. I decided to use mod-auth-sspi module since it seems to be the most popular one. When you go to download the module, you'll see file names that start with "mod_auth_sspi-1.0.4-". You'll want to download the file that ends in a version number matching your Apache install. I'm using Apache v2.2.4, so I downloaded the mod_auth_sspi-1.0.4-2.2.2.zip version. (NOTE: The main thing that's important is that you use the 2.0.x module for Apache v2.0.x and the 2.2.x module for Apache v2.2.x. The versions don't need to be identical.)
The mod_auth_sspi-1.0.4 zip file will contain /doc/ folder that has an INSTALL text file that tells you how to configure things. You'll want to copy the /bin/sspipkgs.exe to the /bin folder on your Apache install and the /bin/mod_auth_sspi.so to the /modules folder.
The installation tells you to load the mod_auth_sspi.so last. However, this is will not work if you plan on using SSPI with SVN. I believe technically you just need to load the module after the Apache mod_authn_alias.
In order to get the SSPI working with SVN, you need to load the mod_auth_sspi.so before you load the subversion modules. The order should look like:
# Windows Authentication module LoadModule sspi_auth_module modules/mod_auth_sspi.so # Subversion modules LoadModule dav_svn_module modules/mod_dav_svn.so LoadModule authz_svn_module modules/mod_authz_svn.so
NOTE:Your Subversion installation also comes with copies of the mod_dav_svn.so and mod_authz_svn.so modules. I had no problems using the ones that shipped with Apache v2.2.4. However, if you are having problems try using the versions that are in the Subversion install folder. I'd recommend pointing right to that folder, so as you update Subversion the modules will be updated too.
I can't stress how important the order above is. I spent about 4-5 hours this afternoon troubleshooting things and it all came down to the order of the LoadModule commands. I was getting all sorts of "Authorization failed" and "RA layer request failed" error messages until I got the load order right.
<Location /svnpath> # configure SVN DAV svn SVNListParentPath on # any "/svn/foo" URL will map to a repository /usr/local/svn/foo SVNParentPath c:/Repository/Path AuthName "Subversion Authentication" AuthType SSPI SSPIAuth On SSPIAuthoritative On # set the domain to authorize against SSPIDomain DOMAIN SSPIOmitDomain On # keep domain name in userid string SSPIOfferBasic On # let non-IE clients authenticate SSPIBasicPreferred Off # should basic authentication have higher priority SSPIUsernameCase lower # require the SVN Users group Require group "DOMAIN\Subversion Users" </Location>
NOTE:The words in red you'll want to configure to match your server's configuration. I believe the SSPIUsernameCase option is required, since the several of the Apache modules are case sensitive. By keeping everything lowercase it should help prevent problems when you're configuring things.
In the configuration above, anyone who is in the "Subversion Users" users group will have access to the location specified. For our purposes, you either have full access to the SVN or none at all. If you need to specify more granular control, you can use the AuthzSVNAccessFile command to specify a Subversion access file. This will allow you to control what permissions each user actually has. For information on using an access file, see Michael Flanakin's Windows Authentication with Subversion on Windows post.
It was actually Michael's post that got me straightened out about the order of the LoadModules.
Now that I have everything configured, I can now log in to Trac and Subversion (using TortoiseSVN or Subclipse) all using the same login credentials. Not only does this make it easier to Administrate in the long run, it makes it easier for our developers as well.
Now I just need to finish configuring Trac and get Mylin up and running!