There exists a special version of VisualSVN that's packed with Trac. While this install isn't quite as straightforward as the standard package - whoever has installed Python on a production server knows what I'm talking about - once set up it works remarkably well. Except for true single sign-on.
To address this issue I figured that VisualSVN is just comprised of Apache plus some SVN modules. So it should be easy to hack in support to authenticate against an Active Directory. There are quite a few options when it comes to this. I found only one that works stably: mod_auth_sspi.
To get the correct modules and dependencies I installed a stand-alone Apache (the exact version that ships with VisualSVN + Trac), and went from there. I blatantly copied any missing deps into the visualsvn/bin folder.
Here's my httpd.conf:
#
# This is configuration file for Apache HTTP server which is
# part of VisualSVN Server.
#
# DO NOT EDIT THIS FILE IT WILL BE REGENERATED AUTOMATICALLY BY VISUALSVN SERVER
#
# Contact with VisualSVN Ltd. (support@visualsvn.com) if you have suggestions and
# improvements.
#
ThreadsPerChild 64
MaxMemFree 100
MaxRequestsPerChild 0
ServerRoot "C:/Program Files/VisualSVN Server"
ServerName "hostname.mydomain:443"
ServerSignature Off
ServerTokens Prod
DocumentRoot "htdocs"
PidFile "C:/Repositories//server.pid"
Listen "443"
LoadModule auth_basic_module bin/mod_auth_basic.so
LoadModule auth_digest_module bin/mod_auth_digest.so
LoadModule authn_file_module bin/mod_authn_file.so
LoadModule authn_visualsvn_module bin/mod_authnz_visualsvn.so
LoadModule authz_visualsvn_module bin/mod_authnz_visualsvn.so
LoadModule authz_svn_module bin/mod_authz_svn.so
LoadModule dir_module bin/mod_dir.so
LoadModule deflate_module bin/mod_deflate.so
LoadModule mime_module bin/mod_mime.so
LoadModule setenvif_module bin/mod_setenvif.so
LoadModule dav_module bin/mod_dav.so
LoadModule dav_svn_module bin/mod_dav_svn.so
LoadModule ssl_module bin/mod_ssl.so
LoadModule sspi_auth_module bin/mod_auth_sspi.so
Options FollowSymLinks
AllowOverride None
DAV svn
SVNListParentPath on
SVNParentPath "C:/Repositories/"
SVNIndexXSLT "/svnindex.xsl"
SVNPathAuthz on
AuthName "Subversion Repositories"
AuthType Basic
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain jerich
SSPIOfferBasic On
SSPIOmitDomain On
require group MYDOMAIN\Subversion
DirectoryIndex index.html
ErrorLog "C:/Repositories//server.log"
LogLevel error
DefaultType text/plain
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLEngine on
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLPassPhraseDialog builtin
SSLSessionCache "shm:C:/Repositories//ssl_scache"
SSLSessionCacheTimeout 300
SSLMutex default
SSLCertificateFile conf/hostname.cer
SSLCertificateKeyFile conf/hostname.key.insecure
Include conf/httpd-custom.conf
And the httpd-custom.conf which includes the trac configuration:
LoadModule python_module "trac/python/mod_python_so.pyd"
LoadModule authz_user_module bin/mod_authz_user.so
# Trac is served under /trac (see TracUriRoot) by mod_python, behind the same SSPI settings
<Location /trac>
SetHandler mod_python
PythonInterpreter main_interpreter
PythonHandler trac.web.modpython_frontend
PythonOption TracEnvParentDir C:\Trac
PythonOption TracUriRoot /trac
AuthName "Trac"
AuthType Basic
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain mydomain
SSPIOfferBasic On
SSPIOmitDomain On
require group MYDOMAIN\Subversion
</Location>
Everyone in the AD group "Subversion" is granted access to SVN and also to Trac. This could of course be changed to allow different groups access. The access levels in Trac can be configured from within the admin interface.
I decided to run an HTTPS server. To avoid nasty Internet Explorer warnings about certificates and whatnot, you can either disable the checks for certificates, or create a proper certificate if you are lucky and you've got a CA server in your domain. Here's how to create a proper cert using OpenSSL and a Windows CA. Copy them onto your SVN server and that's it.
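An added example, not part of the original post or of VisualSVN: a small Python check for one mod_auth_sspi section, covering the points that matter in the configs above (Basic fallback only over TLS, which AuthType actually applies, and whether SSPIDomain agrees with the required group's domain). The names `parse` and `audit` are hypothetical, and the sample is constructed from the directives shown in this post.

```python
import re

# Constructed input: the SSPI directives from the Trac section above plus SSLEngine.
SAMPLE = """\
SSLEngine on
AuthType Basic
AuthType SSPI
SSPIAuth On
SSPIDomain mydomain
SSPIOfferBasic On
SSPIOmitDomain On
require group MYDOMAIN\\Subversion
"""

def parse(conf):
    """Yield (directive, argument) pairs; comments, blanks and <Container> tags are skipped."""
    for line in conf.splitlines():
        line = line.strip()
        if line and line[0] not in "#<":
            name, *rest = line.split(None, 1)
            yield name.lower(), (rest[0] if rest else "").strip('"')

def audit(conf):
    """Return a list of findings for one auth section (hypothetical helper)."""
    directives = list(parse(conf))
    values = lambda key: [arg for name, arg in directives if name == key]
    is_on = lambda key: any(arg.lower() == "on" for arg in values(key))
    findings = []
    # Basic fallback carries the AD password base64-encoded, so it needs TLS.
    if is_on("sspiofferbasic") and not is_on("sslengine"):
        findings.append("SSPIOfferBasic On without SSLEngine on")
    # Apache keeps only the last AuthType in a section; earlier ones are dead lines.
    if len(values("authtype")) > 1:
        findings.append("multiple AuthType, effective: " + values("authtype")[-1])
    # The domain used for Basic logons should match the domain of the required group.
    sspi_domains = {arg.lower() for arg in values("sspidomain")}
    for req in values("require"):
        m = re.match(r"group\s+([^\\]+)\\", req, re.I)
        if m and sspi_domains and m.group(1).lower() not in sspi_domains:
            findings.append("SSPIDomain %s vs group domain %s"
                            % (sorted(sspi_domains)[0], m.group(1)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("CHECK:", finding)
```

Pass it one auth section at a time, since the parser ignores container tags and would otherwise merge the directives of several sections.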