subversion on WebDAV with Active Directory authorization on SLES10

Posted on Sunday, 29th June, 2008 in Life

Okay, so I ended up toying with subversion via WebDAV on SLES today (I know, I know .. it’s bloody Sunday). It wasn’t much of a hassle though, after reading this. Sure, I made a few errors at first (simply confused the logic behind “Location” and “Directory“), but after that plain subversion commits via WebDAV (thus utilizing apache) worked fine.

For POC or as a hint to myself, here’s where and what I needed to add/change:

Add the following modules to APACHE_MODULES in /etc/sysconfig/apache2:

  1. dav_svn (dav_svn needs dav, thus the need to add it too)
  2. dav
  3. authnz_ldap (authnz_ldap needs ldap, so again we need that too!)
  4. ldap

After that, we can add our repository (or our multi-repository folder) to /etc/apache2/conf.d/subversion.conf:

<IfModule mod_dav_svn.c>
 
<Location /svn>
  DAV svn
  SVNParentPath /srv/svn
 
  # Limit write permission to list of valid users.
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    # Require SSL connection for password protection.
    # SSLRequireSSL
 
    AuthType Basic
    AuthName "Subversion repositories (Domänenzugangsdaten)"
 
    # The authentication provider is mod_ldap
    AuthBasicProvider ldap
 
    # mod_ldap is our *only* authentication provider for this!
    AuthzLDAPAuthoritative on
 
    # AD requires an authentication DN to access any records
    AuthLDAPBindDN "CN=LDAP Subversion,OU=anon_accounts,OU=Users,DC=foobar,DC=org"
    AuthLDAPBindPassword "somethingrandom"
 
    # The URL to search in
    AuthLDAPURL "ldap://dc0.foobar.org/ou=Users,dc=foobar,dc=org?sAMAccountName?sub?(objectClass=*)"
 
    # Search the group membership in the specified group, otherwise it's gonna
    # get searched at the binding DN's location
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=gr_subversion,OU=Groups,DC=foobar,DC=org
 
  </LimitExcept>
</Location>

</IfModule>

Now, as you can see, my goal was to not rely on a separate authorization database, but to use our already existing Active Directory at work. Generally this works just fine, but it didn’t. I tried various things, like trying another user, changing the group (as in the “require ldap-group“) as well as changing my own password. Zip.

All I got was this line in the error_log of apache:

[warn] [client 10.0.0.148] [9486] auth_ldap authenticate: user foo authentication failed; URI /svn/admin-scripts/!svn/act/71f2b65f-d050-0410-b33c-3b31fbb94a00 [ldap_search_ext_s() for user failed][Operations error]

Now, that itself does tell you what is happening, but not why. So again, I ended up googling till I found this:

The suggested step was to add “REFERRALS off” to /etc/ldap/ldap.conf. Surprise, the file doesn’t exist. Heck, there’s that one in /etc/ldap.conf. I did that, still zip.

Did I get the wrong file? Absolutely.

/etc/ldap.conf is used by nsswitch and pam_ldap, but not by openldap2 (which is what apache is using). So reading this comment, adding the line to /etc/openldap2/ldap.conf, and *kaching*! Works.

Now I just need to install redmine (already installed ruby, rubygems and rubygem-rails from the SDK Addon), but I’ll leave that for tomorrow, today I’m gonna watch Band of Brothers.
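
The subversion.conf above leaves SSLRequireSSL commented out, talks to the domain controller over ldap:// and keeps the bind password in the file. The following check for those three settings is an added example, not part of the original post; the finding names and the trimmed sample config are constructed for illustration.

```python
import shlex

# Constructed sample: the security-relevant directives from the post's subversion.conf.
SAMPLE = """\
<Location /svn>
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    # SSLRequireSSL
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPBindDN "CN=LDAP Subversion,OU=anon_accounts,OU=Users,DC=foobar,DC=org"
    AuthLDAPBindPassword "somethingrandom"
    AuthLDAPURL "ldap://dc0.foobar.org/ou=Users,dc=foobar,dc=org?sAMAccountName?sub?(objectClass=*)"
  </LimitExcept>
</Location>
"""

def directives(text):
    """Yield (lower-cased name, argument list) for every active directive."""
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments (so '# SSLRequireSSL' does not count) and section tags.
        if not line or line[0] in "#<":
            continue
        parts = shlex.split(line)
        yield parts[0].lower(), parts[1:]

def audit(text):
    """Return sorted finding ids; the ids are hypothetical names for this example."""
    seen = {}
    for name, args in directives(text):
        seen.setdefault(name, []).append(args)
    findings = set()
    basic = any(a and a[0].lower() == "basic" for a in seen.get("authtype", []))
    if basic and "sslrequiressl" not in seen:
        # Basic auth only base64-encodes the password; without TLS it is readable on the wire.
        findings.add("basic-auth-without-sslrequiressl")
    for args in seen.get("authldapurl", []):
        mode = args[1].upper() if len(args) > 1 else "NONE"
        if args and args[0].lower().startswith("ldap://") and mode not in ("SSL", "TLS", "STARTTLS"):
            # The bind password and user passwords travel to the DC unencrypted.
            findings.add("ldap-url-not-encrypted")
    if "authldapbindpassword" in seen:
        # Service-account secret stored in the config: the file must not be world-readable.
        findings.add("bind-password-inline")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Enabling SSLRequireSSL and switching the URL to ldaps:// clears the first two findings; the third stays as a reminder to restrict read access to the config file.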


The clue to build ppc64 RPMs

Posted on Thursday, 26th June, 2008 in Life

Remember, I talked about building RPMs on SLES10SP2 on ppc64? Well, turns out I was rather stupid .. and it was rather simple (don’t ask me why I didn’t think of that). I tried asking solar, I used google (apparently with the wrong search parameters), nothing though. Not a clue.

Today it bugged me again, so I used google again. This time with “ppc64 suse rpmbuild“, and guess what I saw within the preview of the second hit ..

rpmbuild -ba --target ppc64 myfile.spec

And here I thought I was missing something, turns out I was really stupid though .. *shrug* Building stuff like nagios works with that just fine ..

Update: or not. It worked only a single time and has been broken again ever since. Guess I’m gonna reload the box on Tuesday.


Removing newlines (\n) with sed

Posted on Tuesday, 24th June, 2008 in Life

Today I had to search again on how to remove newline special characters with sed. Thanks to Kamil over at linux.dsplabs.com.au, I found it again rather quickly.

Now, this is just for my own safekeeping, so I don’t end up googling for it again … *shrug*

echo -e "Line containing \nnewlines!" | sed ':a;N;$!ba;s/\n//g'