FreeIPA, Kerberos, LDAP, Subversion Stack Part 1: Intro

This one took me a long while to figure out.  I’m using CentOS 7.x.  Everything will be specific to the “Redhat way” of doing things.

The bigger goal is having clear roles for hosts and a solution that can scale elegantly with good security bells and whistles. FreeIPA hosts authenticate, SVN servers host files.  As long as the subversion servers have enough disk space and RAM, this should scale elegantly.

This design can even fail over pretty elegantly as long as a second server is kept in sync with the primary.   Alternately, you can get into using some kind of shared storage and run a primary/secondary very easily.

Before you go looking for the configs, please understand the following:

  1. What this solution provides is front-end authentication to a Subversion repository.
  2. What this solution does NOT provide is permissions the flat file directive AuthzSVNAccessFile addresses.
  3. It’s uncertain to me how the authzsvnaccessfile interacts with an LDAP + Kerberos setup.  It seems like authz_svn_module and LDAP and Kerberos are not well documented.  Authz_svn_module and Kerberos + LDAP are is probably another big chunk of time to figure out.  Tons of how-tos for using Apache’s flat file as user auth.   It may be the case the subversion flat file auth needs to move to the Apache config.  It’s not terrible if that’s the case as it is only a config reload for Apache.
  4. It’s not an Active Directory connection.  It’s not a matter of making some minor changes to get it to work with Active Directory.

What the final solution will do:

  • A basic functioning Subversion server with centrally hosted users.
  • Kerberos authentication from FreeIPA host.
  • Basic LDAP permission control at login.
  • Encrypted (ssl) communication between your Apache host and FreeIPA. Kerberos handling the authentication means user passwords aren’t in the clear anywhere.
  • Encrypted (ssl) communication between subversion clients and the subversion server.

What you need before you get started:

  • Root access to the FreeIPA server to grep LDAP logs.
  • A functioning FreeIPA server with enough ports open to your Apache host that Kerberos and LDAP over SSL will work.
  • The Apache server already joined to the freeIPA server.
  • An LDAP browser already configured to login via LDAPS:/  I like jxplorer.
  • Some awareness of how Kerberos works.  I don’t pretend to know it well, but I know there’s a key table that needs reading/writing and very accurate time is very important.  I will probably have a couple of unnecessary steps because I don’t fully comprehend the Kerberos way.
  • Apache server and Subversion, LDAP, Kerberos modules enabled.  I tried the GSSAPI module and could not get it working.
  • The Certificate Authority’s certificate from the FreeIPA install.
  • The Certificate Authority’s private key.
  • A private key for the Apache server. The certificate for the host from freeIPA.
  • Port 443 available on the Apache host for Apache’s SSL process.  I confined mine to localhost.
  • Another port open and listening for your subversion server.

I think that’s enough for this post.  I’ll walk through some of those requirements in later posts.


Stay tuned!