Lots to configure. This step is only the Apache configs. There are files needed to make the configs work. That’s the next post.
Apache SVN Root
You obviously need a base directory. Since CentOS ships with SELinux enabled, you have to be sure the context of the new directory is correct. If you put it under /var/www, my recollection is the SELinux contexts are assigned automatically.
mkdir /var/www/svn
ls -lhZ /var/www/svn
You need to move the default instance files to another folder and change the appropriate httpd.conf directives. This should be easy.
mkdir /var/www/default80
mkdir /var/www/default80/cgi-bin
mkdir /var/www/default80/http
ls -lhZ /var/www/default80
Double-check your permissions! Check your SELinux contexts!
Apache LDAP Config
To be 100% clear, Kerberos provides password authentication. LDAP via freeIPA’s 389DS instance provides access permissions.
You can do SVN without LDAP, but that’s kind of awkward, as everyone in the freeIPA domain with a valid account can log in. Controlling access with Subversion’s flat file will be kind of tough for many to administer without LDAP.
Be sure to keep the permissions quite tight. Your apache user needs read access, and that’s it.
Apache SVN Directives
There is a bunch of SSL stuff to set up, including the Listen directive, before you get to the VirtualHost. The default SSL config shipped with the package should have sensible defaults. It should be pretty easy to get the key and cert paths adjusted.
Here is the start of the Apache SVN path.
<Location /svn>
    SSLRequireSSL
    DAV svn
    SVNParentPath /var/www/svn
    RedirectMatch ^(/svn)$ $1/
    SVNListParentPath on
A couple of things worth mentioning.
You need all of the stanzas. The RedirectMatch directive is important, and its regex has to match the path in the Location directive.
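A small lint for the two points above, as an added example that is not from the original post: it checks that a DAV svn Location block carries every directive shown and that the RedirectMatch regex matches the Location path. It assumes Python's re behaves like Apache's PCRE for simple patterns such as this one; the function name and the sample configs are hypothetical.

```python
import re

# Directive names taken from the <Location /svn> block on this page.
REQUIRED = ("SSLRequireSSL", "DAV", "SVNParentPath", "RedirectMatch", "SVNListParentPath")

def lint_svn_location(conf_text):
    """Return a list of problems in <Location> blocks that set 'DAV svn'."""
    problems = []
    text = re.sub(r"(?m)^\s*#.*$", "", conf_text)  # drop comment lines
    for m in re.finditer(r"(?is)<Location\s+(\S+?)\s*>(.*?)</Location>", text):
        path, body = m.group(1).strip('"'), m.group(2)
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts:
                directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        if directives.get("dav", "").lower() != "svn":
            continue  # not a Subversion location
        for name in REQUIRED:
            if name.lower() not in directives:
                problems.append(f"{path}: missing {name}")
        args = directives.get("redirectmatch", "").split()
        if len(args) == 3:  # RedirectMatch accepts an optional status argument first
            args = args[1:]
        if len(args) == 2:
            try:
                rx = re.compile(args[0])
            except re.error:
                problems.append(f"{path}: RedirectMatch regex {args[0]} does not compile")
                continue
            bare = path.rstrip("/")
            if not rx.search(bare):
                problems.append(f"{path}: RedirectMatch {args[0]} does not match the Location path")
            elif rx.search(bare + "/"):
                problems.append(f"{path}: RedirectMatch {args[0]} also matches {bare}/ (would redirect again)")
    return problems

# Constructed sample configs: the page's directives, plus a closing tag so they parse.
GOOD = """<Location /svn>
    SSLRequireSSL
    DAV svn
    SVNParentPath /var/www/svn
    RedirectMatch ^(/svn)$ $1/
    SVNListParentPath on
</Location>"""
BAD = GOOD.replace("^(/svn)$", "^(/repos)$").replace("    SSLRequireSSL\n", "")

if __name__ == "__main__":
    for label, conf in (("good", GOOD), ("bad", BAD)):
        print(label, lint_svn_location(conf) or "ok")
```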
The Auth portion of the Location directive.
    AuthType Kerberos
    AuthName "Domain Subversion Repositories"
    Krb5Keytab /etc/httpd/keytabs/kwkla3.keytab
    #Use your freeIPA domain name.
    KrbAuthRealms MyDomain.foo
    KrbServiceName HTTP
    #More to follow! LDAP access comes next
The authentication directives are in place. However, lots of things are missing. We’ll need to get files from your freeIPA server. Here is the list of things we need, in no particular order.
- LDAP permissions directive.
- CA certificate from the freeIPA instance.
- A signed host certificate for the Apache host.
- A private key for the Apache host.
- An HTTP Kerberos principal.