Apache the webserver can be configured t ... / 2009-03-24

The Apache web server can be configured to use multiple authentication sources, trying each in turn until it finds the one that knows a given user. We needed this for our new Subversion server and it took me some searching to find the right way to configure it. It is one of those 'easy when you know it' items.

We want our new Subversion server to allow access to all our normal (LDAP) users and to a set of guest users. There will always be guest users for projects hosted with us.

The relevant part of the Apache documentation, "Authentication, Authorization and Access Control - Apache HTTP server", isn't very clear on using multiple authentication sources, but "Apache Module mod_authn_alias" shows that it is possible and gives a nice way to write readable authentication configurations that use multiple sources. The AuthnProviderAlias sections need to be in the global configuration, so I created /etc/apache2/conf.d/authconfig with:
# the general authorization config

<AuthnProviderAlias dbm svnlocal>
    AuthDBMUserFile /etc/apache2/subversion/guestusers
    AuthDBMType DB
</AuthnProviderAlias>

<AuthnProviderAlias ldap svnldap>
    AuthLDAPURL ldap://ldap.cs.uu.nl:389/dc=cs,dc=uu,dc=nl?uid
</AuthnProviderAlias>
And now to use these for SVN access:
# the subversion access config
<Location /repos>
    DAV svn
    SVNParentPath /data/svn/repos

    # our access control policy
    AuthzSVNAccessFile /etc/apache2/subversion/svnaccessfile

    # try anonymous access first, resort to real
    # authentication if necessary
    Satisfy Any
    Require valid-user

    # how to authenticate a user
    AuthType Basic
    AuthName "Subversion repository"

    AuthBasicProvider svnlocal svnldap
</Location>
The Satisfy Any is there because we do have repositories with full public access. Local users are checked first and LDAP users second because the number of local users should be limited and the LDAP server should not be overloaded with traffic. The complete access rules are set up in the AuthzSVNAccessFile, which is documented in the SVN book: "httpd, the Apache HTTP Server - Server Configuration SVN".
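
With Satisfy Any in place, any rule in the access file that matches a client without credentials opens that path to the public, so the file is worth auditing. The following is an added example, not part of the original post: a small Python check that lists such rules. The sample access file, repository names and user names are constructed, and only explicit rules are reported (child paths inherit them).

```python
import configparser

# Constructed sample of an AuthzSVNAccessFile; all names are made up.
SAMPLE_AUTHZ = """\
[groups]
staff = alice, bob
guests = carol

[public-project:/]
* = r
@staff = rw

[internal:/]
* =
@staff = rw
@guests = r

[internal:/docs/release-notes]
$anonymous = r
"""

# Authz subjects that match a client who sent no credentials.
ANONYMOUS_SUBJECTS = ("*", "$anonymous")


def anonymous_grants(authz_text):
    """Return [(section, subject, access)] for every explicit rule that
    gives unauthenticated clients read or write access."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False
    )
    parser.optionxform = str  # user and group names are case-sensitive
    parser.read_string(authz_text)
    findings = []
    for section in parser.sections():
        if section in ("groups", "aliases"):
            continue  # definitions, not access rules
        for subject, access in parser.items(section):
            access = access.strip()
            # An empty value ("* =") denies access, so it is not a finding.
            if subject in ANONYMOUS_SUBJECTS and access:
                findings.append((section, subject, access))
    return findings


if __name__ == "__main__":
    for section, subject, access in anonymous_grants(SAMPLE_AUTHZ):
        level = "WRITE" if "w" in access else "read"
        print(f"anonymous {level}: [{section}] {subject} = {access}")
```

Run it against the real file by passing its contents to `anonymous_grants()`; any "WRITE" line means unauthenticated commits are possible on that path.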

, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.