Friday, February 27, 2009

VisualSVN + Trac = Love

VisualSVN is pretty well known for providing a decent Subversion server on Windows platforms that's also easy to administer, even for those of us who want to use integrated Windows authentication. However, the built-in support lacks seamless single sign-on from those applications that support it.

There exists a special version of VisualSVN that's packaged with Trac. While this install isn't quite as straightforward as the standard package (whoever has installed Python on a production server knows what I'm talking about), once set up it works remarkably well. Except for true single sign-on.

To address this issue, I figured that VisualSVN is just Apache plus some SVN modules, so it should be easy to hack in support for authenticating against Active Directory. There are quite a few options when it comes to this. I found only one that works stably: mod_auth_sspi.

To get the correct modules and dependencies, I installed a stand-alone Apache (the exact version that ships with VisualSVN + Trac) and went from there. I blatantly copied any missing deps into the visualsvn/bin folder.

Here's my httpd.conf:
# This is configuration file for Apache HTTP server which is
# part of VisualSVN Server.
# Contact with VisualSVN Ltd. ( if you have suggestions and
# improvements.

ThreadsPerChild 64
MaxMemFree 100
MaxRequestsPerChild 0

ServerRoot "C:/Program Files/VisualSVN Server"
ServerName "hostname.mydomain:443"
ServerSignature Off
ServerTokens Prod
DocumentRoot "htdocs"

PidFile "C:/Repositories//"

Listen "443"

LoadModule auth_basic_module bin/
LoadModule auth_digest_module bin/
LoadModule authn_file_module bin/
LoadModule authn_visualsvn_module bin/
LoadModule authz_visualsvn_module bin/
LoadModule authz_svn_module bin/

LoadModule dir_module bin/
LoadModule deflate_module bin/
LoadModule mime_module bin/
LoadModule setenvif_module bin/

LoadModule dav_module bin/
LoadModule dav_svn_module bin/
LoadModule ssl_module bin/

LoadModule sspi_auth_module bin/

Options FollowSymLinks
AllowOverride None

DAV svn

SVNListParentPath on
SVNParentPath "C:/Repositories/"
SVNIndexXSLT "/svnindex.xsl"
SVNPathAuthz on

AuthName "Subversion Repositories"
AuthType Basic

AuthType SSPI
SSPIAuthoritative On
SSPIDomain jerich
SSPIOfferBasic On
SSPIOmitDomain On

require group MYDOMAIN\Subversion

DirectoryIndex index.html

ErrorLog "C:/Repositories//server.log"

LogLevel error

DefaultType text/plain

TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLEngine on

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLPassPhraseDialog builtin
SSLSessionCache "shm:C:/Repositories//ssl_scache"
SSLSessionCacheTimeout 300
SSLMutex default
SSLCertificateFile conf/hostname.cer
SSLCertificateKeyFile conf/hostname.key.insecure

Include conf/httpd-custom.conf

And the httpd-custom.conf which includes the trac configuration:

LoadModule python_module "trac/python/mod_python_so.pyd"
LoadModule authz_user_module bin/

SetHandler mod_python
PythonInterpreter main_interpreter
PythonHandler trac.web.modpython_frontend
PythonOption TracEnvParentDir C:\Trac
PythonOption TracUriRoot /trac

AuthName "Trac"
AuthType Basic

AuthType SSPI
SSPIAuthoritative On
SSPIDomain mydomain
SSPIOfferBasic On
SSPIOmitDomain On

require group MYDOMAIN\Subversion

Everyone in the AD group "Subversion" is granted access to both SVN and Trac. This could of course be changed to allow different groups access. The access levels in Trac can be configured from within the admin interface.

I decided to run an HTTPS server. To avoid nasty Internet Explorer warnings about certificates and whatnot, you can either disable the certificate checks or, if you are lucky enough to have a CA server in your domain, create a proper certificate. Here's how to create a proper cert using OpenSSL and a Windows CA. Copy them onto your SVN server and that's it.
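
The certificate step described above, as an added example that is not part of the original post: it generates the key and CSR with OpenSSL, has a Windows enterprise CA sign the request, and checks the result before Apache uses it. The file names and ServerRoot come from the httpd.conf above; the `WebServer` template name, an automatically located CA, OpenSSL 1.1.1 or later on the PATH (for `-addext`) and a service running as Local System are assumptions.

```powershell
# Added example, not the author's script. Run elevated on a domain-joined machine.
$ErrorActionPreference = 'Stop'

$fqdn = 'hostname.mydomain'                         # must match ServerName in httpd.conf
$conf = 'C:\Program Files\VisualSVN Server\conf'    # ServerRoot + conf (from the config above)
$key  = Join-Path $conf 'hostname.key.insecure'     # SSLCertificateKeyFile
$cer  = Join-Path $conf 'hostname.cer'              # SSLCertificateFile
$csr  = Join-Path $env:TEMP 'hostname.csr'          # scratch file, assumed location

# 1. Create an unencrypted 2048-bit RSA key and a CSR. The subjectAltName is
#    included because current browsers ignore the CN when matching host names.
& openssl req -new -newkey rsa:2048 -nodes -keyout $key -out $csr `
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn"
if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }

# 2. Submit the CSR to the domain CA. "WebServer" is the stock AD CS template
#    name (assumption); certreq prompts for a CA if it finds more than one.
& certreq -submit -attrib 'CertificateTemplate:WebServer' $csr $cer
if ($LASTEXITCODE -ne 0) { throw 'certreq did not return a certificate' }

# 3. Confirm the issued certificate parses and belongs to the key just created.
& openssl x509 -in $cer -noout -subject -issuer -dates
$certModulus = & openssl x509 -noout -modulus -in $cer
$keyModulus  = & openssl rsa  -noout -modulus -in $key
if ($certModulus -ne $keyModulus) { throw 'certificate does not match private key' }

# 4. The key has no passphrase, so the file ACL is its only protection:
#    drop inherited entries and allow only SYSTEM (read) and Administrators.
& icacls $key /inheritance:r /grant:r '*S-1-5-18:R' /grant:r '*S-1-5-32-544:F'
if ($LASTEXITCODE -ne 0) { throw 'icacls failed' }

Remove-Item $csr
```

Clients that are domain members already trust the enterprise CA's root, which is why the browser warning goes away; restart the VisualSVN service afterwards so Apache loads the new pair.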
