FreeIPA, Kerberos, LDAP, Subversion Stack Part 2: Apache Kerberos Setup

Lots to configure.  This step is only the Apache configs.  There are files needed to make the configs work.  That’s the next post.

Apache SVN Root

You obviously need a base directory.  Since CentOS ships with SELinux enabled, you have to be sure the context of the new directory is correct. If you put it under /var/www, my recollection is the selinux contexts are assigned auto magically.

mkdir /var/www/svn

ls -lhZ /var/www/svn

You need to move the default instance files to another folder and change the appropriate httpd.conf directives.  This should be easy.

mkdir /var/www/default80
mkdir /var/www/default80/cgi-bin
mkdir /var/www/default80/http
 
ls -lhZ /var/www/default80

Double-check your permissions!  Check your SELinux contexts!

Apache LDAP Config

To be 100% clear, Kerberos provides password authentication.  LDAP via freeIPA’s 389DS instance provides access permissions.

You can do SVN without LDAP, but that’s kind of awkward as everyone in the freeIPA domain with a valid account can login.  Controlling access with Subversion’s flat file will be kind of tough for many to administer without LDAP.

mkdir /etc/httpd/certs

Be sure to keep the permissions quite tight.  Your apache user needs read access, and that’s it.

Apache SVN Directives

There is a bunch of SSL stuff to setup including the Listen directive before you get to the VirtualHost.  Your default SSL config shipped with the package should have sensible defaults.  It should be pretty easy to get the keys and cert path adjusted.

Here is the start of the Apache SVN path.

<Location /svn>
 SSLRequireSSL
 DAV svn
 SVNParentPath /var/www/svn
 RedirectMatch ^(/svn)$ $1/
 SVNListParentPath on

A couple of things worth mentioning.

You need all of the stanzas.  RedirectMatch directive is important.  It’s important the regex matches the Location directive.

The Auth portion of the Location directive.

AuthType Kerberos
AuthName "Domain Subversion Repositories"
Krb5Keytab /etc/httpd/keytabs/kwkla3.keytab
#Use your freeIPA domain name.
KrbAuthRealms MyDomain.foo
KrbServiceName HTTP
#More to follow! LDAP access comes next

The authentication directives are in place.  However, lots of things missing.  We’ll need to get files from your freeIPA server. The list of things we need in no particular order.

  • LDAP permissions directive.
  • CA certificate from the freeIPA instance.
  • A signed host certificate for the Apache host.
  • A private key for the Apache host.
  • An HTTP Kerberos principal.
  • TBD