Setting Up Subversion with LDAP and IDM Designer



By: dgersic

December 5, 2007 2:53 am


Introduction

IDM Designer versions 3.0 M2 and newer support Subversion revision control. This support is still a work in progress, so some things may change over time.

This article is a “how-to” on setting up a Subversion + Apache server with eDirectory LDAP authentication, so that Designer can use it. This is based on the 11/29 build of Designer 3.0 M2.

Disclaimer: I am not an expert on setting up and administrating a Subversion server, so if there’s anything boneheaded in what follows, put it down to my inexperience and let me know. I figure this might be useful to get other people playing with Designer + Subversion if they’re also not familiar with how to set up Subversion.

Following is a quick step-by-step that should get you up and running. Please refer to the Subversion and Apache documentation for details and clarification. I’m doing this with OpenSUSE 10.2. For all “server.hostname.com” URLs and DNS names below, substitute your machine’s hostname.

Note: I already had Apache2 installed and working, so I’m skipping over the steps needed to get Apache2 going.

Package Installs via YaST

Make sure the following YaST installs have been done:

  • Apache2
  • Apache2-prefork
  • Apache2-doc
  • Subversion
  • Subversion-doc
  • Subversion-server
  • Subversion-tools

Making the Documentation Available

1. Go to YaST > System > Sysconfig Editor.

2. Select Network > WWW > Apache2 > APACHE_SERVER_FLAGS

3. Add SVN_DOC.

4. Restart Apache2.

The documentation URL will be at:
http://server.hostname.com/svn-manual/book/svn-book.html

At this point you should stop and read the Subversion manual. If you don’t want to read the whole thing, at least read the Introduction, Basic Concepts, and Guided Tour to get familiar with Subversion’s terms and operations. Then read the Repository Administration chapter. You will need to make some choices in how you want this to work, and the information you need to make those choices is in these chapters.

Configuring Apache2 to Support SSL (https://)

1. Go to YaST > System > Sysconfig Editor > Network > WWW > Apache2 > APACHE_SERVER_FLAGS.

2. Add SSL.

3. Go to YaST > Network Services > HTTP Server.

4. Enable the ServerModules SSL.

5. Create a server certificate similar to this one:

  /usr/bin/gensslcert -c "Country" -s "State" -l "City" \
              -o "Organization Name" -e "email@server.hostname.com" \
              -d -n server.hostname.com

6. Run the following:

cp /etc/apache2/vhost.d/vhost-ssl.template \
   /etc/apache2/vhost.d/vhost-ssl.conf

7. Restart Apache2.

8. Go to YaST > Security > Firewall > Allowed Services.

9. Select the External Zone.

10. Add “https server”.

11. Test https://server.hostname.com – you should be prompted to accept the SSL certificate, because it’s not from a trusted CA.

Setting Up Repositories with Subversion

1. Run the following commands:

mkdir /srv/svn
svnadmin create /srv/svn/test
chown -R wwwrun:www /srv/svn/test

For each repository to be accessed by the web server, the user and group owner must be set. SUSE Linux defaults to running Apache2 as user “wwwrun” and group “www”.

Here’s a decision point. You can use Designer and Subversion together in a configuration where all of your Designer projects are managed in one Subversion repository. Or, you can configure it to put each project in its own repository. Hopefully, you have read the administration section of the Subversion documentation, especially the discussion of this topic under “Choosing a Repository Layout”.

A. If you want to manage one repository with multiple projects, then you’ll need to create subdirectories under your repository, one subdirectory for each project:

svnadmin create /srv/svn/IDM
chown -R wwwrun:www /srv/svn/IDM
svn mkdir -m "Development project directory" https://server.domain.com/svn/IDM/Development 
svn mkdir -m "QA Testing project directory" https://server.domain.com/svn/IDM/QA 
svn mkdir -m "Production project directory" https://server.domain.com/svn/IDM/Production

B. Alternately, if you want to manage each project in its own repository:

svnadmin create /srv/svn/IDM-Devel
svnadmin create /srv/svn/IDM-QA
svnadmin create /srv/svn/IDM-Prod
chown -R wwwrun:www /srv/svn/IDM-Devel
chown -R wwwrun:www /srv/svn/IDM-QA
chown -R wwwrun:www /srv/svn/IDM-Prod

Depending on how you choose to set it up here, the URLs in the examples that follow may or may not match your configuration. Adjust them appropriately to suit your environment.

Apache2 + Subversion Configuration

1. Edit the /etc/apache2/conf.d/subversion.conf file.

2. Put the following code in it:

<Location /svn>
  DAV svn
  SVNParentPath /srv/svn
  # Limit write permission to list of valid users.
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    # Require SSL connection for password protection.
    SSLRequireSSL
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /etc/svn-auth
    Require valid-user
  </LimitExcept>
</Location>

3. Create a passwords file similar to this:

  htpasswd2 -cm /etc/svn-auth testuser1
  htpasswd2 -m /etc/svn-auth testuser2

4. Go to YaST > System > Sysconfig > Network > WWW > Apache2 > APACHE_MODULES.

5. Add mod_dav mod_dav_svn

6. Restart Apache2.

Subversion User Test

1. Run the following code:

echo "This is a test." >> test.txt
# Importing a single file needs the file name at the end of the target URL.
svn import test.txt https://server.domain.com/svn/test/test.txt -m "Testing"
rm test.txt
svn checkout https://server.domain.com/svn/test
# Work inside the checked-out working copy.
cd test
echo "This is a test update." >> test.txt
svn commit test.txt -m "Test update"
svn log https://server.domain.com/svn/test

2. Use “testuser1” when prompted for credentials to log in to the Subversion server.

Note that this creates a publicly readable subversion repository, and that the users created are allowed to update any project checked in to the repository. Further access controls and better security are possible, and they are detailed in the Subversion documentation. For anything more than a test environment, you really need to read the Subversion docs and set it up to match your needs.
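Why the repository ends up publicly readable can be read straight off the <LimitExcept> line. The following Python sketch is an added example, not part of the original article; it assumes a single, non-nested <Location> block and ignores any other Apache configuration layers. It reports which HTTP methods are answered without authentication and whether SSL is enforced for every method, for the article's block and for a constructed variant with the wrapper removed.

```python
import re

# The article's file-based <Location> block, copied from the page.
PAGE_CONF = """
<Location /svn>
DAV svn
SVNParentPath /srv/svn
# Limit write permission to list of valid users.
  <LimitExcept GET PROPFIND OPTIONS REPORT>
# Require SSL connection for password protection.
   SSLRequireSSL
   AuthType Basic
   AuthName "Subversion Repository"
   AuthUserFile /etc/svn-auth
   Require valid-user
  </LimitExcept>
</Location>
"""
# Constructed variant: same directives with the <LimitExcept> wrapper lines
# removed, so SSL and authentication apply to every method, reads included.
PRIVATE_CONF = re.sub(r"(?im)^[ \t]*</?LimitExcept[^>]*>[ \t]*\n", "", PAGE_CONF)

def directives(text):
    """Lower-cased first token of every non-blank, non-comment line."""
    lines = (ln.strip() for ln in text.splitlines())
    return {ln.split()[0].lower() for ln in lines if ln and not ln.startswith("#")}

def audit_svn_locations(conf):
    """For each <Location> serving 'DAV svn', list the methods answered without
    authentication and say whether SSL is enforced for every method."""
    report = []
    for loc in re.finditer(r"<Location\s+(\S+)>(.*?)</Location>", conf, re.S | re.I):
        path, body = loc.groups()
        limit = re.search(r"<LimitExcept\s+([^>]+)>(.*?)</LimitExcept>", body, re.S | re.I)
        # Directives outside <LimitExcept> cover all methods; those inside it
        # cover only methods NOT named on the <LimitExcept> line.
        outer = body[:limit.start()] + body[limit.end():] if limit else body
        exempt = sorted(limit.group(1).upper().split()) if limit else ["*"]
        names = directives(outer)
        if "dav" not in names:
            continue
        report.append({"path": path,
                       "anonymous_methods": [] if "require" in names else exempt,
                       "ssl_for_all_methods": "sslrequiressl" in names})
    return report

if __name__ == "__main__":
    for label, conf in (("article", PAGE_CONF), ("constructed", PRIVATE_CONF)):
        print(label, audit_svn_locations(conf))
```

For the article's block the result also shows that SSLRequireSSL, sitting inside <LimitExcept>, does not cover the four read methods, so anonymous reads are not forced onto https.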

Designer + Subversion

Here, you’ll put a project into the Subversion repository to start revision-controlling it.

1. From the Project menu, right-click on a project and select Check In. You will be prompted for the Subversion server information.

2. Fill in the following data:

Repository Location: https://server.domain.com 
Project Location: /svn/IDM/Development
Comments: This is the initial comments section for your project. Describe it in this box. While this can be changed later, it's not something you want to have to change later, so try to have something useful here.

3. Click OK to start importing your project’s data files into Subversion.

4. When prompted, enter your user/password credentials to log in.

Importing a Project from Subversion

You can import other projects into Designer, or multiple people can import one project from Subversion and each be working on it independently, sharing their changes via Subversion.

1. From the Project menu, select Import From Version Control.

The Repository URL is: https://server.domain.com/svn/IDM

2. Select the project you want to import. Notice that the Tooltip Help even tells you who last updated it, and when.

3. Click Finish to import the project into your workspace.

Getting Changes from Other Developers

Right-click on the Project and select Refresh. You will see the changes other people have committed to the Subversion server for this project.

Viewing Revision Information

There’s a new Version Control window available. Right now, it seems to show up next to the Project Checker log window. From there, you can browse your project layout, right-click on an object, and select History to see what changes have affected this object. Or, you can select Properties to see the object and revision information.

Committing Changes

1. Make some changes to your project.

2. Save, deploy, and test as usual.

3. To commit them to the Subversion server, from the Project menu, right-click on the project and select Check In. As with the first import, you’ll be prompted for a comment.

4. Use this comment to describe what you’ve changed, why you’ve changed it – that kind of thing. This comment is what shows up in the Subversion logs, so the more meaningful and informative the better.

Apache2 + LDAPS

Not happy with having to create and manage local users and passwords, we now go further and configure Apache2 to use LDAP authentication against eDirectory, via a secure SSL connection.

1. From ConsoleOne or iManager, export your eDirectory tree’s Self Signed Certificate.

2. Save it in Base64 format. The web server process needs this file, so I put it in a /etc/apache2/certs directory.

3. Edit the /etc/apache2/conf.d/subversion.conf file.

4. Change the <Location> block created earlier to look like this:

LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/certs/SelfSignedCert.b64

<Location /svn>
  DAV svn
  SVNParentPath /srv/svn
  # Limit write permission to list of valid users.
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    # Require SSL connection for password protection.
    SSLRequireSSL
    AuthType Basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap
    AuthLDAPURL ldaps://ldap.domain.com/o=niu?cn??(objectclass=user)
    Require ldap-user david tom bob
  </LimitExcept>
</Location>

5. Go to YaST > System > Sysconfig > Network > WWW > Apache2 > APACHE_MODULES.

6. Add ldap authnz_ldap

7. Restart Apache2.

Now the Subversion repositories are still world-readable, but only eDirectory users “david”, “tom”, and “bob” will be allowed to commit changes.
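The AuthLDAPURL value packs several settings into one string: scheme://host[:port]/basedn?attribute?scope?filter, with an empty field falling back to its default. The following Python sketch is an added example, not part of the original article or of Apache; it splits the article's URL into those fields and builds the (&(filter)(attribute=login)) search filter that the mod_authnz_ldap documentation describes. The RFC 4515 hex escaping of the login name is this example's own choice and the function names are hypothetical.

```python
from urllib.parse import urlsplit, unquote

def parse_auth_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into its
    fields, applying the defaults mod_authnz_ldap documents for empty ones."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    attribute, scope, flt = (u.query.split("?", 2) + ["", "", ""])[:3]
    return {
        "tls": u.scheme == "ldaps",
        "host": u.hostname,
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "base_dn": unquote(u.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": unquote(flt) or "(objectClass=*)",
    }

def escape_filter_value(value):
    """RFC 4515 escaping: filter metacharacters in the login become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_search_filter(url, login):
    """Filter used to find the login's entry: (&(filter)(attribute=login))."""
    cfg = parse_auth_ldap_url(url)
    flt = cfg["filter"] if cfg["filter"].startswith("(") else "(%s)" % cfg["filter"]
    return "(&%s(%s=%s))" % (flt, cfg["attribute"], escape_filter_value(login))

PAGE_URL = "ldaps://ldap.domain.com/o=niu?cn??(objectclass=user)"  # from the article

if __name__ == "__main__":
    print(parse_auth_ldap_url(PAGE_URL))
    print(user_search_filter(PAGE_URL, "david"))
    print(user_search_filter(PAGE_URL, "da*"))  # constructed login with a wildcard
```

Read this way, the article's URL means: connect over SSL to port 636, search the whole subtree under o=niu, and match the typed user name against cn on entries of object class user.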
