On 12 April 2016 at 18:03, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> On Tue, April 12, 2016 11:57 am, m.roth at 5-cent.us wrote:
> > James Hogarth wrote:
> >> On 12 Apr 2016 16:29, "Scott Robbins" <scottro11 at gmail.com> wrote:
> >>> On Tue, Apr 12, 2016 at 09:45:17AM +0200, Marcin Trendota wrote:
> >>> > On 11.04.2016 at 20:07, Scott Robbins wrote:
> > <SNIP>
> >> After various testing I ended up going with the Apache LDAP cache module
> >> and doing the auth at the Apache level, not system.
> >>
> >> Was far better in performance with the SVN server being hit
> >> fairly hard. I can try and dig out an example configuration if
> >> you would like.
> >>
> >> The bonus here as well is that svn users are separated cleanly
> >> from system users... No reason for a dev to have a shell account
> >> on there ;)
> >
> > I'd be *very* interested in that configuration, if you post it here, or
> > offlist, to me.
>
> Me too. Please, post for everyone, or add me to off-list message.
>
> Valeri
>
The CA.crt is assumed to be the one used to sign the LDAPS certs ... replace as
required ;)
This assumes multiple SVN repos under /srv/svn/repos
This includes a local userfile for any quick hacks or system things that
you don't want to hit LDAP for - can be removed.
This also allows fallback from one server to another if need be, note that
it will need to timeout on the first though.
This took a fair chunk of load off of our LDAP server and made checkouts a
far more pleasant experience.
Bonus points if you get your CM to change ordering of LDAP servers between
repos (or other web auth) ;)
_____________________________________________________________
# CA used to verify the LDAPS server certificates (replace with your own CA)
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/CA.crt
# Enable caching by mod_ldap: search/bind results are cached for 600 s,
# so each checkout request does not hit the directory again
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

# Cache statistics page; only reachable over TLS. Restrict this further
# (e.g. with Require ip) on anything but an admin-only host.
<Location /ldap-status>
    SSLRequire true
    SetHandler ldap-status
</Location>

# All repositories live under /srv/svn/repos
<Location /repos>
    DAV svn
    SVNParentPath /srv/svn/repos
</Location>

<Location /repos/repo1>
    # Basic auth sends the password on every request: never without TLS
    SSLRequireSSL
    AuthName "SVN Repo 1"
    AuthType Basic
    # Service account used to look up users and group membership.
    # The password is in clear text here, so keep this file readable by
    # root only (httpd reads it before dropping privileges).
    AuthLDAPBindDN cn=svnbind,cn=systemusers,dc=example,dc=com
    AuthLDAPBindPassword plaintextpassword
    # Local userfile for quick hacks / system accounts (optional)
    AuthUserFile /etc/httpd/svnpasswd
    # Two servers: the second is only tried after the first times out.
    # (The form documented for mod_authnz_ldap is a space-separated host
    # list: "ldaps://ldapserver1.example.com ldapserver2.example.com/dc=example,dc=com?uid")
    AuthLDAPURL "ldaps://ldapserver1.example.com/dc=example,dc=com?uid ldaps://ldapserver2.example.com/dc=example,dc=com?uid"
    # Local file is consulted first, then LDAP
    AuthBasicProvider file ldap
    AuthzLDAPAuthoritative off
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    # READ: dev and qa groups
    <Limit OPTIONS PROPFIND GET REPORT>
        Require ldap-group cn=dev,cn=groups,dc=example,dc=com
        Require ldap-group cn=qa,cn=groups,dc=example,dc=com
    </Limit>
    # WRITE (every other DAV method): dev group only
    <LimitExcept OPTIONS PROPFIND GET REPORT>
        Require ldap-group cn=dev,cn=groups,dc=example,dc=com
    </LimitExcept>
</Location>
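An added audit script, not part of the thread or of any Apache project code, that checks <Location> blocks of the kind posted above for the three things most often wrong in this setup: Basic auth without SSLRequireSSL, a non-LDAPS AuthLDAPURL, and a clear-text AuthLDAPBindPassword (the `exec:` prefix that fetches it from a program is assumed to be available, as in httpd 2.4.5+). The sample configuration embedded in it is constructed for the demonstration.

```python
import re

# Constructed sample: one block like the posted repo1, one weaker block.
SAMPLE_CONF = """\
<Location /repos/repo1>
SSLRequireSSL
AuthType Basic
AuthLDAPBindPassword plaintextpassword
AuthLDAPURL "ldaps://ldapserver1.example.com/dc=example,dc=com?uid"
<Limit GET>
Require ldap-group cn=dev,cn=groups,dc=example,dc=com
</Limit>
</Location>
<Location /repos/repo2>
AuthType Basic
AuthLDAPURL "ldap://ldapserver1.example.com/dc=example,dc=com?uid"
</Location>
"""

def parse_locations(conf):
    """Return {path: [(directive, argument), ...]} for each <Location> block.
    Directives inside nested <Limit>/<LimitExcept> sections are kept too."""
    sections, current, depth = {}, None, 0
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)\s*>", line, re.I)
        if m and current is None:
            current, depth = m.group(1), 0
            sections[current] = []
        elif current is None:
            continue
        elif re.match(r"</Location\s*>", line, re.I) and depth == 0:
            current = None
        elif line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        else:
            name, _, arg = line.partition(" ")
            sections[current].append((name, arg.strip()))
    return sections

def audit(conf):
    """Return [(location, finding)] for the weak settings described above."""
    findings = []
    for path, directives in parse_locations(conf).items():
        names, args = {d for d, _ in directives}, dict(directives)
        if args.get("AuthType", "").lower() == "basic" and "SSLRequireSSL" not in names:
            findings.append((path, "basic-auth-without-ssl"))
        url = args.get("AuthLDAPURL", "").strip('"')
        if url and not url.lower().startswith("ldaps://"):
            findings.append((path, "ldap-url-not-ldaps"))
        if "AuthLDAPBindPassword" in args and not args["AuthLDAPBindPassword"].startswith("exec:"):
            findings.append((path, "plaintext-bind-password"))
    return findings
```

Run it against `SAMPLE_CONF` (or a real httpd.conf read from disk) and act on each finding; a clean result only means these three checks passed, not that the directory-side ACLs are right.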