FreeIPA, Kerberos, LDAP, Subversion Stack Part 4: Tighten Apache

You should have a Subversion repo to which you can successfully log in and browse anywhere using a recent vintage of the popular TortoiseSVN on Windows.

The last step is to tighten Apache access a bit.  This is where LDAP really shines.

 <RequireAll>
  Require valid-user
  Require ldap-attribute memberOf=cn=subversion_users,cn=groups,cn=accounts,dc=mydomain,dc=la
  <RequireAny>
   Require ip
   Require ip
  </RequireAny>
 </RequireAll>

The LDAP stuff might be new for some, so that should get you started.
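
Added example, not from the original post: how Apache 2.4 combines `Require` lines decides whether a group restriction like this one actually restricts anything. Lines outside a container are evaluated as if inside `<RequireAny>`, so the first block admits any authenticated user, while the second requires group membership and a permitted source address. The `/svn-weak` and `/svn` paths and the IP values are constructed placeholders, and the authentication directives are omitted.

```apache
# Constructed example. Paths and IP values are placeholders; the AuthType,
# AuthName and LDAP provider directives are left out for brevity.

# Weak: no container, so Apache 2.4 applies an implicit <RequireAny>.
# One matching line is enough:
#   - any authenticated user passes "Require valid-user", group or not
#   - any client in 192.0.2.0/24 passes "Require ip" without logging in
<Location /svn-weak>
    Require valid-user
    Require ldap-attribute memberOf=cn=subversion_users,cn=groups,cn=accounts,dc=mydomain,dc=la
    Require ip 192.0.2.0/24
</Location>

# Hardened: <RequireAll> means every child must succeed.
# The inner <RequireAny> lets either listed source address satisfy
# the network condition.
<Location /svn>
    <RequireAll>
        # Group membership implies an authenticated user.
        Require ldap-attribute memberOf=cn=subversion_users,cn=groups,cn=accounts,dc=mydomain,dc=la
        <RequireAny>
            Require ip 192.0.2.0/24
            Require ip 198.51.100.10
        </RequireAny>
    </RequireAll>
</Location>
```

Run `apachectl configtest` before reloading, then confirm that an account outside `subversion_users` is refused.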

The Subversion documentation warns about using path-based authorization, but then provides instructions on how to do it.  Ideally, Apache’s LDAP auth should be enough.

NetworkManager and the Vanishing /etc/resolv.conf

I rebooted a Fedora 25 server to find the network interface did not come up.  Using the old “ifup eth0” returned an error.

 /etc/resolv.conf "no such file or directory"

Huh?  ls /etc/resolv.conf returns /etc/resolv.conf

It turns out NetworkManager replaces /etc/resolv.conf with a symbolic link to a NetworkManager directory.

Since NetworkManager is about as useful as lipstick on a pig with a server, it has to be removed. When you remove NetworkManager, it leaves /etc/resolv.conf as a dead symbolic link, which you don’t see without ls -lh /etc/resolv.conf.

When systemd’s init tries to bring up the interface without NetworkManager, there’s no /etc/resolv.conf there to write DNS information and therefore the interface never comes up.

TL;DR The three commands below fix it.

rm /etc/resolv.conf;  ifdown eth0; ifup eth0;