Apache the webserver can be configured t ... / 2009-03-24

Apache the webserver can be configured to use multiple authentication servers to find the one that knows a given user. We needed this for our new Subversion server and it took me some searching to find the right way to configure it. It is one of those 'easy when you know it' items.

We want our new Subversion server to allow access to all our normal (LDAP) users and to a set of guest users. There will always be guest users for projects hosted with us.

The relevant part of the Apache documentation, "Authentication, Authorization and Access Control - Apache HTTP server", isn't very clear on using multiple authentication sources, but "Apache Module mod_authn_alias" shows that it is possible and is a nice way to make readable authentication configurations using multiple sources.

The AuthnProviderAlias needs to be in the global configuration, so I created /etc/apache2/conf.d/authconfig with:

# the general authentication config

<AuthnProviderAlias dbm svnlocal>
    AuthDBMUserFile /etc/apache2/subversion/guestusers
    AuthDBMType DB
</AuthnProviderAlias>

<AuthnProviderAlias ldap svnldap>
    AuthLDAPURL ldap://ldap.cs.uu.nl:389/dc=cs,dc=uu,dc=nl?uid
</AuthnProviderAlias>

And now to use these for SVN access:

# the subversion access config
<Location /repos>
    DAV svn
    SVNParentPath /data/svn/repos

    # our access control policy
    AuthzSVNAccessFile /etc/apache2/subversion/svnaccessfile

    # try anonymous access first, resort to real
    # authentication if necessary
    Satisfy Any
    Require valid-user

    # how to authenticate a user
    AuthType Basic
    AuthName "Subversion repository"

    AuthBasicProvider svnlocal svnldap
</Location>

The Satisfy Any is there because we do have repositories with full public access. Local users are checked first and LDAP users second because the number of local users should be limited and the LDAP server should not be overloaded with traffic. The complete access rules are set up in the AuthzSVNAccessFile, which is documented in the SVN book under "httpd, the Apache HTTP Server" (Server Configuration).
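
The provider order in AuthBasicProvider has a side effect worth checking: mod_auth_basic only moves on to the next provider when the current one reports the user as unknown, so a guest entry with the same name as an LDAP account shadows that account. The Python model below is an added example, not part of the original post or of Apache; the function names, `Result` values and sample users are assumptions made for illustration.

```python
# Model of how mod_auth_basic walks the providers listed in AuthBasicProvider.
# All user names and passwords are constructed sample data.
import hmac
from enum import Enum

class Result(Enum):
    GRANTED = "granted"
    DENIED = "denied"               # user known to this provider, wrong password
    USER_NOT_FOUND = "not found"    # provider has no entry for this user

def make_provider(users):
    """Stand-in for a dbm or ldap provider, backed by a {user: password} dict."""
    def check(user, password):
        if user not in users:
            return Result.USER_NOT_FOUND
        ok = hmac.compare_digest(users[user], password)
        return Result.GRANTED if ok else Result.DENIED
    return check

def authenticate(chain, user, password):
    """Return (provider_name, result). Only USER_NOT_FOUND falls through."""
    for name, check in chain:
        result = check(user, password)
        if result is not Result.USER_NOT_FOUND:
            return name, result     # GRANTED or DENIED ends the walk here
    return None, Result.USER_NOT_FOUND

def shadowed_users(first, second):
    """Names in both sources: the entry in the second one is never consulted."""
    return sorted(set(first) & set(second))

# Constructed stand-ins for the guest DBM file and the LDAP directory.
SVNLOCAL = {"guest1": "guest-pw", "alice": "old-guest-pw"}
SVNLDAP = {"alice": "ldap-pw", "bob": "bob-pw"}
CHAIN = [("svnlocal", make_provider(SVNLOCAL)),
         ("svnldap", make_provider(SVNLDAP))]

if __name__ == "__main__":
    attempts = [("guest1", "guest-pw"), ("bob", "bob-pw"),
                ("alice", "ldap-pw"), ("nobody", "x")]
    for user, password in attempts:
        print(user, authenticate(CHAIN, user, password))
    print("shadowed:", shadowed_users(SVNLOCAL, SVNLDAP))
```

Guest logins are answered by svnlocal without an LDAP query, which is the load argument above; running the same name comparison against the real guest file and directory shows which guest names need renaming.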

Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.