svn-client admin-scripts [1] > svn ci -m "Directories for Tivoli Storage Manager Scripts."
svn: Commit failed (details follow):
svn: MKACTIVITY of '/svn/admin-scripts/!svn/act/someid': 302 Found

Apache didn’t say much about it either, besides this particular line:

[25/Sep/2008:09:22:43 +0200] "MKACTIVITY /svn/admin-scripts/!svn/act/someid HTTP/1.1" 302 331

Today I sat down and thought really hard, what exactly was different from before.

1. Installed Trac instead of Redmine, but that can’t have anything to do with the error
2. Configured URL rewriting …

As it turns out, the following RewriteRule was the cause:

  ## mod_rewrite
  RewriteEngine On
  RewriteCond %{REQUEST_URI}  !^/(projects|svn)* [NC]
  RewriteRule ^/  http://subversion.home.barfoo.org/projects [L,R]

After changing the Rewrite Rule (as showed below, compare the difference yourself ), it works just like a charm.

  ## mod_rewrite
  RewriteEngine On
  RewriteCond %{REQUEST_URI}  !^/(projects|svn)/*$ [NC]
  RewriteRule ^/$  http://subversion.home.barfoo.org/projects [L,R]

Hint to self: whenever encountering HTTP 302 in conjunction with Subversion, check the RewriteRule’s

For POC or as a hint to myself, here’s where and what I needed to add/change:

Add the following modules to APACHE_MODULES in /etc/sysconfig/apache2:

1. dav_svn (dav_svn needs dav, thus the need to add it too)
2. dav
3. authnz_ldap (authnz_ldap needs ldap, so again we need that too!)
4. ldap

After that, we can add our repository (or our multi-repository folder) to /etc/apache2/conf.d/subversion.conf:

  DAV svn
  SVNParentPath /srv/svn

  # Limit write permission to list of valid users.
  
    # Require SSL connection for password protection.
    # SSLRequireSSL

    AuthType Basic
    AuthName "Subversion repositories (Domänenzugangsdaten)"

    # The authentification provider is mod_ldap
    AuthBasicProvider ldap

    # mod_ldap is our *only* authentification provider for this!
    AuthzLDAPAuthoritative on

    # AD requires an authentication DN to access any records
    AuthLDAPBindDN "CN=LDAP Subversion,OU=anon_accounts,OU=Users,DC=foobar,DC=org"
    AuthLDAPBindPassword "somethingrandom"

    # The URL to search in
    AuthLDAPURL "ldap://dc0.foobar.org/ou=Users,dc=foobar,dc=org?sAMAccountName?sub?(objectClass=*)"

    # Search the group membership in the specified group, otherwise it's gonna
    # get searched at the binding DN's location
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=gr_subversion,OU=Groups,DC=foobar,DC=org

  

Now, as you can see, my goal was to not rely on a separate authorization database, but to use our already existing Active Directory at work. Generally this works just fine, but it didn’t. I tried various things, like trying another user, changing the group (as in the “require ldap-group“) as well as changing my own password. Zip.

All I got was this line in the error_log of apache:

[warn] [client 10.0.0.148] [9486] auth_ldap authenticate: user foo authentication failed; URI /svn/admin-scripts/!svn/act/71f2b65f-d050-0410-b33c-3b31fbb94a00 [ldap_search_ext_s() for use
r failed][Operations error]

Now, that itself does tell you what is happening, but not why. So again, I ended up googling till I found this:

The suggested step was to add “REFERRALS off” to /etc/ldap/ldap.conf. Surprise, the file don’t exist. Heck, there’s that one in /etc/ldap.conf. I did that, still zip.

Did I get the wrong file ? Absolutely.

/etc/ldap.conf is used by nsswitch and pam_ldap, but not by openldap2 (which is what apache is using). So reading this comment, adding the line to /etc/openldap2/ldap.conf, and *kaching*! Works.

Now I just need to install redmine (already installed ruby, rubygems and rubygem-rails from the SDK Addon), but I’ll leave that for tommorow, today I’m gonna watch Band of Brothers.