Setting up SubVersion with Apache and Windows Group authentication

I found many links telling me how to do ‘most’ of this, but like lots of others, just couldn’t put together all the pieces.

My requirements were:

  1. Set up SubVersion to run with a remote repository (on a network drive that’s backed up)
  2. Run with Windows Authentication for all clients (tortoise, browser etc) and hook into the domain
  3. Limit access to Windows Groups (not specific users) – to allow a single change to control everything (adding a user to a group that has access to the network resource).

Fact #1.  SubVersion only supports Windows Authentication through Apache.  There may be some hoops you can jump through to get that going with svnserve, but don’t go there.

Fact #2.  SubVersion does not support any Windows AD ‘group’ authentication through its config files, and so you have to do this through Apache.  It supports ‘custom’ groups that you can add domain users to.

The process.

Right, we now know you need to install SubVersion, Apache, and some other bits and pieces to allow Windows Authentication.

1. Install the main components (Follow all instructions on Trumpi’s blog).  This will set up SubVersion, Apache and the necessary modules to do Windows Authentication.

2. Change the ‘Location’ section at the bottom of the Apache httpd.conf to reflect your setup:  I’ve left in some commented lines to show some of the alternatives:

<Location /svn>
DAV svn
#SVNParentPath d:\LocalApp
#SVNPath D:\LocalApp\SVN
#NOTE the // rather than \\ in the UNC path name – you don’t have to use a mapped drive!!!
SVNPath //myserver/myshare$/SVN

#User Authentication Policy
AuthName "Subversion"
AuthType SSPI
SSPIAuthoritative On
SSPIDomain mydomain
#Essential for TortoiseSVN to access the repository as it doesn’t support Windows integrated authentication
SSPIOfferBasic On
#allows you to type your username in lower case
SSPIUsernameCase lower
#allows you to just type your username without the domain\ qualifier
SSPIOmitDomain On

# our access control policy enforced by mod_authz_svn
#you shouldn’t need this
#AuthzSVNAccessFile "D:\LocalApp\SVN\svnaccess.conf"

#Look at if you need it
#(with SSPIOfferBasic On, Basic sends the password base64-encoded unless the connection is SSL)
#SSLRequireSSL
#Use this line if you don’t need to limit to a group – i.e. any domain user
#require valid-user

#here’s the magic for your group authorisation.  This limits access to the virtual directory
require group mydomain\mydomaingroup
</Location>

3. Run the Apache2 service as a ‘generic’ domain user that is in your Windows group (above).  This user should also be part of the local administrators group on the web server (you can probably tweak this; I was a bit lazy).  Access to the repository is then through the Apache user’s credentials, and each user will simply be authorised based on their group membership at the Apache level.
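
A quick way to check a Location block like the one in step 2 before restarting Apache. This is an added example, not part of the original post: the function names and finding labels are made up for illustration, and the sample text is constructed from the directives shown above.

```python
import re

# Constructed sample: the <Location /svn> block from step 2, comments stripped.
SAMPLE = r"""
<Location /svn>
DAV svn
SVNPath //myserver/myshare$/SVN
AuthName "Subversion"
AuthType SSPI
SSPIAuthoritative On
SSPIDomain mydomain
SSPIOfferBasic On
SSPIUsernameCase lower
SSPIOmitDomain On
require group mydomain\mydomaingroup
</Location>
"""

def parse_location(text, path="/svn"):
    """Map lower-cased directive name -> list of argument strings for <Location path>."""
    directives, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        if re.match(r"<Location\s+%s\s*>" % re.escape(path), line, re.I):
            inside = True
        elif line.lower().startswith("</location"):
            inside = False
        elif inside:
            name, *rest = line.split(None, 1)
            directives.setdefault(name.lower(), []).append(rest[0] if rest else "")
    return directives

def audit(text, path="/svn"):
    """Return finding labels (hypothetical names chosen for this example)."""
    d = parse_location(text, path)
    first = lambda a: (a.split() or [""])[0].lower()
    findings = []
    # Basic auth carries the domain password base64-encoded, so it needs SSL.
    if any(first(a) == "on" for a in d.get("sspiofferbasic", [])) and "sslrequiressl" not in d:
        findings.append("basic-without-ssl")
    # The goal here is group-based access; flag blocks with no 'require group'.
    if not any(first(a) == "group" for a in d.get("require", [])):
        findings.append("no-group-restriction")
    # Apache does not allow a comment on the same line as a directive.
    findings += ["inline-comment:" + n for n, args in d.items() if any("#" in a for a in args)]
    return findings
```

Calling `audit(SAMPLE)` reports `basic-without-ssl`; adding an `SSLRequireSSL` line to the block clears it.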