2009-03-24
The Apache web server can be configured to use multiple authentication servers, trying each in turn to find the one that knows a given user. We needed this for our new Subversion server, and it took me some searching to find the right way to configure it. It is one of those 'easy when you know it' items.

We want our new Subversion server to allow access to all our normal (LDAP) users and to a set of guest users. There will always be guest users for projects hosted with us.

The relevant part of the Apache documentation, "Authentication, Authorization and Access Control - Apache HTTP Server", isn't very clear on using multiple authentication sources, but the "Apache Module mod_authn_alias" page shows that it is possible, and that aliases are a nice way to write readable authentication configurations with multiple sources.

The AuthnProviderAlias blocks need to be in the global configuration, so I created /etc/apache2/conf.d/authconfig with:

    # the general authorization config
    <AuthnProviderAlias dbm svnlocal>
      AuthDBMUserFile /etc/apache2/subversion/guestusers
      AuthDBMType DB
    </AuthnProviderAlias>

    <AuthnProviderAlias ldap svnldap>
      AuthLDAPURL ldap://ldap.cs.uu.nl:389/dc=cs,dc=uu,dc=nl?uid
    </AuthnProviderAlias>

And now to use these for SVN access:

    # the subversion access config
    <Location /repos>
      DAV svn
      SVNParentPath /data/svn/repos

      # our access control policy
      AuthzSVNAccessFile /etc/apache2/subversion/svnaccessfile

      # try anonymous access first, resort to real
      # authentication if necessary
      Satisfy Any
      Require valid-user

      # how to authenticate a user
      AuthType Basic
      AuthName "Subversion repository"
      AuthBasicProvider svnlocal svnldap
    </Location>

The Satisfy Any is there because we do have repositories with full public access. Local users are checked first and LDAP users second because the number of local users should be limited and the LDAP server should not be overloaded with traffic.
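The provider order affects more than LDAP load: mod_auth_basic moves on to the next provider only when the current one does not know the user, so a guest entry with the same name as an LDAP uid shadows the LDAP account. The Python model below is an added illustration, not code from the original post or from Apache; the user names, passwords and helper names are constructed.

```python
# Model of how mod_auth_basic walks "AuthBasicProvider svnlocal svnldap".
# Illustration only: real providers check hashed DBM entries / LDAP binds.
import hmac
from enum import Enum

class Result(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    USER_NOT_FOUND = "user not found"

def make_provider(users):
    """Return a check function backed by a dict of user -> password."""
    def check(user, password):
        if user not in users:
            return Result.USER_NOT_FOUND
        ok = hmac.compare_digest(users[user], password)
        return Result.GRANTED if ok else Result.DENIED
    return check

def authenticate(chain, user, password):
    """Try providers in order; only USER_NOT_FOUND falls through."""
    for name, check in chain:
        result = check(user, password)
        if result is not Result.USER_NOT_FOUND:
            return name, result      # GRANTED or DENIED ends the walk
    return None, Result.DENIED       # nobody knows this user

def shadowed_users(chain_users):
    """Map each duplicated name to (winning provider, shadowed provider)."""
    seen, clashes = {}, {}
    for name, users in chain_users:
        for user in users:
            if user in seen:
                clashes[user] = (seen[user], name)
            else:
                seen[user] = name
    return clashes

# Constructed sample data standing in for the guest DBM file and the LDAP tree.
GUESTS = {"guest-alice": "g1", "bob": "guestpw"}
LDAP = {"bob": "ldappw", "carol": "c3"}
CHAIN = [("svnlocal", make_provider(GUESTS)), ("svnldap", make_provider(LDAP))]

if __name__ == "__main__":
    for user, pw in [("guest-alice", "g1"), ("carol", "c3"), ("bob", "ldappw")]:
        print(user, authenticate(CHAIN, user, pw))
    print(shadowed_users([("svnlocal", GUESTS), ("svnldap", LDAP)]))
```

Running the same collision check against the real guest list whenever a guest account is created keeps a guest name from taking over an LDAP uid in the access file.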
The complete access rules are set up in the AuthzSVNAccessFile, which is documented in the SVN book, in the section "httpd, the Apache HTTP Server" under Server Configuration.