Managing Apache and Subversion Through Active Directory (Part 1 – Authentication)

In my previous article, Installing Subversion on RHEL5, we went over how to install the Subversion server and how to make it accessible through the Apache web server.  This solution is great but leaves us without any user authorization and authentication.  For most Subversion instances these are features that we will want to have.  We have many choices for our A/A solution and I have decided to integrate my example repository with a Microsoft Active Directory (AD) system running on Windows 2003.  This, I feel, is probably the most commonly desired scenario for enterprise shops although a non-AD based LDAP and Kerberos system may also be very popular.  We will start by address authentication via Kerberos in this article.

In addition to using Kerberos for secure authentication, we are also switching from using plain HTTP as our transport to HTTP over SSL so be aware that after applying the Apache configuration file here that you will need to access your Subversion directory with HTTPS rather than HTTP and that, unless otherwise configured, you will need to open your firewall both locally and remotely to allow port 443 traffic out instead of (or in addition to) port 80 traffic.

Installing Necessary Components

As with anything else in the Red Hat world, most of the heavy lifting is done by our friends at Red Hat engineering and we just need to leverage what they have already done for us.  We need to install the module for SSL transport and Kerberos authentication in Apache:

yum -y install mod_auth_kerb

This will automatically install the file /etc/httpd/conf.d/auth_kerb.conf which will take care of loading the Kerberos module into Apache and will provide a sample configuration if you want to learn more about Kerberos authentication in Apache.

Setting Up the Apache KeyTab File

Now we need to set up our Apache to Kerberos authentication table.  The Red Hat standard for this file is to be located at /etc/httpd/conf/keytab although you control its location through your Apache configuration.  We will not deviate from the standard here.

This file needs to contain

echo HTTP/[email protected] >> /etc/httpd/conf/keytab
chown apache.apache /etc/httpd/conf/keytab

Setting Access Control

The traditional examples will generally tell you to use the .htaccess file to manage your authentication mechanisms.  For most cases it is better to avoid the use of the .htaccess file and to switch to configuring these details within your <Location> section in your Apache configuration files.  This is better for performance reasons as well as for ease of security management.  Now you only need to worry about specifying your security information in a single location and Apache need not traverse the entire directory structure seeking out .htaccess files for each access attempt.

I use the file /etc/httpd/conf.d/subversion.conf for the configuration of my Subversion repository.  Here are its contents:

   <Location /svn>
     DAV svn
     SVNPath /var/projects/svn/
     AuthName "Active Directory Login"
     AuthType Kerberos
     Krb5Keytab /etc/httpd/conf/keytab
     KrbAuthRealm EXAMPLE.COM
     KrbMethodNegotiate Off
     KrbSaveCredentials off
     KrbVerifyKDC off
     Require valid-user
     SSLRequireSSL
   </Location>

Configuration of Kerberos

Kerberos is configured in Red Hat Linux in the /etc/krb5.conf file.  Obviously replace EXAMPLE.COM and ad.example.com with the name of your Domain and your KDC.  This file should have been created for you using almost exactly these settings by the RPM installer so there is very little here that needs to be changed.

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = ad.example.com:88
 }

[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Enable HTTPS Access Through Firewall

Use the Red Hat management tool to enable HTTPS connection through your host firewall.

system-config-securitylevel-tui

Restart Apache

Now, all that we need to do is to restart the web server to have it pick up the changes that we have made and voila, Kerberos authentication to Active Directory should be working.

/etc/init.d/httpd restart

Testing Your Connection

In order to test your connection you can use a web browser or use the Subversion command line client as below:

svn list https://localhost/svn/

Error Notes:

If you set KrbMethodNegotiate On then, in my experience, you will see Firefox work just fine but Internet Explorer (IE) and Chrome will fail with a 500 error.  In the logs I discovered the following entry:

gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 213)

References:

Providing Active Directory Authentication via Kerberos Procol in Apache by Alex Yu, MVP, Microsoft Support

Join the Conversation

1 Comment

  1. I like this solution. I have wanted to try out Kerberos, but I could never find the time to figure it out. This is a really solid solution for authenticating against ActiveDirectory from a Linux Subversion server. I will have to try this out as we are in the process of relocating and reconfiguring our Subversion server at work.

    Right now its on a Windows server that I configured with mod_auth_sspi. That works pretty nicely, but I am not overly keen on Windows as a server platform.

    My complete guide to taking a bare Windows server up to a working Apache SSL ActiveDirectory Subversion server is at http://concise-software.blogspot.com/2009/02/instant-windows-svn-server-with-ssl-and.html on my blog.

Leave a comment