The usual IT babble
Posts tagged Apache
Subversion via HTTP(s) and mod_rewrite
Sep 28th
Well, I just finished my wild-goose chase with Apache and subversion regarding a rather weird error. I recently reinstalled our subversion box, and ever since then I was unable to commit anything new to any of the repositories.
Subversion told me this:
svn-client admin-scripts [1] > svn ci -m "Directories for Tivoli Storage Manager Scripts." svn: Commit failed (details follow): svn: MKACTIVITY of '/svn/admin-scripts/!svn/act/someid': 302 Found
Apache didn’t say much about it either, besides this particular line:
[25/Sep/2008:09:22:43 +0200] "MKACTIVITY /svn/admin-scripts/!svn/act/someid HTTP/1.1" 302 331
Today I sat down and thought really hard, what exactly was different from before.
- Installed Trac instead of Redmine, but that can’t have anything to do with the error
- Configured URL rewriting …
As it turns out, the following RewriteRule was the cause:
1 2 3 4 | ## mod_rewrite RewriteEngine On RewriteCond %{REQUEST_URI} !^/(projects|svn)* [NC] RewriteRule ^/ http://subversion.home.barfoo.org/projects [L,R] |
After changing the Rewrite Rule (as showed below, compare the difference yourself 
), it works just like a charm.
1 2 3 4 | ## mod_rewrite RewriteEngine On RewriteCond %{REQUEST_URI} !^/(projects|svn)/*$ [NC] RewriteRule ^/$ http://subversion.home.barfoo.org/projects [L,R] |
Hint to self: whenever encountering HTTP 302 in conjunction with Subversion, check the RewriteRule’s 
subversion on WebDAV with Active Directory authorization on SLES10
Jun 29th
Okay, so I ended up toying with subversion via WebDAV on SLES today (I know, I know .. it’s bloody Sunday). It wasn’t much of a hassle though, after reading this. Sure, I made a few errors at first (simply confused the logic behind “Location” and “Directory“), but after that plain subversion commits via WebDAV (thus utilizing apache) worked fine.
For POC or as a hint to myself, here’s where and what I needed to add/change:
Add the following modules to APACHE_MODULES in /etc/sysconfig/apache2:
- dav_svn (dav_svn needs dav, thus the need to add it too)
- dav
- authnz_ldap (authnz_ldap needs ldap, so again we need that too!)
- ldap
After that, we can add our repository (or our multi-repository folder) to /etc/apache2/conf.d/subversion.conf:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 | <IfModule mod_dav_svn.c> <Location /svn> DAV svn SVNParentPath /srv/svn # Limit write permission to list of valid users. <LimitExcept GET PROPFIND OPTIONS REPORT> # Require SSL connection for password protection. # SSLRequireSSL AuthType Basic AuthName "Subversion repositories (Domänenzugangsdaten)" # The authentification provider is mod_ldap AuthBasicProvider ldap # mod_ldap is our *only* authentification provider for this! AuthzLDAPAuthoritative on # AD requires an authentication DN to access any records AuthLDAPBindDN "CN=LDAP Subversion,OU=anon_accounts,OU=Users,DC=foobar,DC=org" AuthLDAPBindPassword "somethingrandom" # The URL to search in AuthLDAPURL "ldap://dc0.foobar.org/ou=Users,dc=foobar,dc=org?sAMAccountName?sub?(objectClass=*)" # Search the group membership in the specified group, otherwise it's gonna # get searched at the binding DN's location AuthLDAPGroupAttributeIsDN on Require ldap-group CN=gr_subversion,OU=Groups,DC=foobar,DC=org </LimitExcept> </Location> |
Now, as you can see, my goal was to not rely on a separate authorization database, but to use our already existing Active Directory at work. Generally this works just fine, but it didn’t. I tried various things, like trying another user, changing the group (as in the “require ldap-group“) as well as changing my own password. Zip.
All I got was this line in the error_log of apache:
[warn] [client 10.0.0.148] [9486] auth_ldap authenticate: user foo authentication failed; URI /svn/admin-scripts/!svn/act/71f2b65f-d050-0410-b33c-3b31fbb94a00 [ldap_search_ext_s() for use r failed][Operations error]
Now, that itself does tell you what is happening, but not why. So again, I ended up googling till I found this:
The suggested step was to add “REFERRALS off” to /etc/ldap/ldap.conf. Surprise, the file don’t exist. Heck, there’s that one in /etc/ldap.conf. I did that, still zip.
Did I get the wrong file ? Absolutely.
/etc/ldap.conf is used by nsswitch and pam_ldap, but not by openldap2 (which is what apache is using). So reading this comment, adding the line to /etc/openldap2/ldap.conf, and *kaching*! Works.
Now I just need to install redmine (already installed ruby, rubygems and rubygem-rails from the SDK Addon), but I’ll leave that for tommorow, today I’m gonna watch Band of Brothers.