httpd provides the HTTP service; static files hosted in svn can be served through it over HTTP.
openldap is the open-source implementation of LDAP, the Lightweight Directory Access Protocol. It is a data service for workloads where lookups far outnumber adds, deletes and updates, such as an enterprise account management system.
Many thanks to these two documents:
subversion_apache_ldap配置.pdf (see attachment; it took several readings before the approach became clear)
征服 Apache + SVN + LDAP http://snowolf.iteye.com/blog/892001 (very concise)
and the official httpd mod_authnz_ldap documentation:
http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html
1. Preparing the environment
Alibaba Cloud images have no iptables configuration file by default.
# generate the firewall configuration
# cd /etc/sysconfig
# iptables -P OUTPUT ACCEPT
# service iptables save
# vim iptables
# Generated by iptables-save v1.4.7 on Fri Feb 20 16:28:15 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Fri Feb 20 16:28:15 2015
Note that the INPUT chain policy is ACCEPT and the file has no terminal reject rule, so as written these rules do not block anything; the stock CentOS file ends with "-A INPUT -j REJECT --reject-with icmp-host-prohibited", and it is that line (or a DROP policy) that turns the list into a whitelist of 22 and 80. Port 389 is deliberately absent: slapd is reached only over lo from httpd on the same host.
# service iptables restart
2. Installing the software
# install httpd, subversion, openldap
# yum -y install httpd
# yum -y install subversion
# yum -y install mod_dav_svn
# yum -y install openldap-*
# start the http service, then visit http://123.57.132.140/
# service httpd start
3. svn + httpd
Create the svn repositories test, document and practice.
# expected directory layout
# svn repositories
/var/highill_com/svn/repository/test
/var/highill_com/svn/repository/document
/var/highill_com/svn/repository/practice
# svn configuration
/var/highill_com/svn/conf/passwd   (can be deleted once ldap is used)
/var/highill_com/svn/conf/authz
# cd /var
# mkdir highill_com
# cd highill_com/
# mkdir svn
# cd svn
# mkdir conf
# mkdir repository
# svn repository directory: /var/highill_com/svn/repository
# svn configuration directory: /var/highill_com/svn/conf
# cd repository
# svnadmin create test
# svnadmin create document
# svnadmin create practice
# give apache ownership of the svn repositories
# chown -R apache.apache /var/highill_com/svn/repository/
# check the permissions
# ll -h
# design: d1 and d2 form the developer group with read/write access; v1 and v2 form the viewer group with read-only access
# first create the users with htpasswd, which writes their passwords to the passwd file
# cd /var/highill_com/svn/conf/
# htpasswd -bc passwd d1 d1
# htpasswd -b passwd d2 d2
# htpasswd -b passwd v1 v1
# htpasswd -b passwd v2 v2
# inspect the result with vim passwd
# copy the access control file from any of the svn repositories
# cp /var/highill_com/svn/repository/test/conf/authz /var/highill_com/svn/conf/authz
# vim /var/highill_com/svn/conf/authz
[groups]
# harry_and_sally = harry,sally
# harry_sally_and_joe = harry,sally,&joe
developer = d1, d2
viewer = v1, v2

# [/foo/bar]
# harry = rw
# &joe = r
# * =

[/]
@developer = rw
@viewer = r
# the svn side is now configured
# next, configure svn in httpd
# cd /etc/httpd/conf.d/
# cp subversion.conf subversion_highill_com.conf
# subversion_highill_com.conf can be created from scratch or copied from any file under conf.d
# edit the configuration file
# vim subversion_highill_com.conf
The directives live inside the stock file's <Location /svn> block, which the /svn URLs below rely on:
<Location /svn>
   DAV svn
   SVNParentPath /var/highill_com/svn/repository
   # SVNPath /var/highill_com/svn/repository/test
   SVNListParentPath on
   AuthType Basic
   AuthName "highill.com SVN Auth"
   AuthUserFile /var/highill_com/svn/conf/passwd
   AuthzSVNAccessFile /var/highill_com/svn/conf/authz
   Require valid-user
   Allow from all
</Location>
After saving, restart httpd and test svn + httpd:
# service httpd restart
http://123.57.132.140/svn/test
http://123.57.132.140/svn/document
http://123.57.132.140/svn/practice
Using an svn client, verify that d1 and d2 can both update and commit, and that v1 and v2 can update but cannot commit.
4. svn + httpd + ldap
# configure ldap
# copy the configuration file
# cd /etc/openldap/
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
# vim slapd.conf
        by dn.exact="cn=Manager,dc=ldap,dc=highill,dc=com" read

database        bdb
suffix          "dc=ldap,dc=highill,dc=com"
rootdn          "cn=Manager,dc=ldap,dc=highill,dc=com"
rootpw          {SMD5}7JfRKPmB62js5N7Qbbv8y8425TQ=
(the "by dn.exact ... read" line is the tail of the existing access block, edited to point at the new Manager DN)
The rootpw value is generated with slappasswd (plaintext hi123). The supported schemes are {CRYPT}, {MD5}, {SMD5}, {SSHA} and {SHA}; {SSHA} is the default.
# slappasswd -h {SMD5}
New password:
Re-enter new password:
{SMD5}7JfRKPmB62js5N7Qbbv8y8425TQ=
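To make the {SMD5}/{SSHA} format concrete, here is an added example (not from the original post or from OpenLDAP itself) that rebuilds the salted hash the way slappasswd does and verifies a plaintext against a stored value using only openssl and coreutils. The salt is passed in explicitly so the output is reproducible; slappasswd draws a random one. Function names and the sample salts are this example's own.

```shell
# ldap_pw_hash SCHEME PLAINTEXT SALT
#   Builds an RFC 2307 style salted hash the way slappasswd does:
#   base64( digest(plaintext + salt) + salt ), prefixed with {SCHEME}.
#   SCHEME is SSHA (SHA-1) or SMD5 (MD5). slappasswd picks a random salt;
#   taking the salt as an argument keeps this example reproducible.
ldap_pw_hash() {
  scheme=$1; pw=$2; salt=$3
  case $scheme in
    SSHA) algo=sha1 ;;
    SMD5) algo=md5 ;;
    *) echo "unsupported scheme: $scheme" >&2; return 2 ;;
  esac
  enc=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -"$algo" -binary
           printf '%s' "$salt"; } | base64 | tr -d '\n')
  printf '{%s}%s\n' "$scheme" "$enc"
}

# ldap_pw_verify PLAINTEXT '{SCHEME}base64'
#   Returns 0 when PLAINTEXT matches the stored value, 1 when it does not,
#   2 on a malformed or unsupported value. The digest has a fixed length,
#   so everything after it in the decoded blob is the salt; no assumption
#   is made about how long a salt slappasswd used.
ldap_pw_verify() {
  pw=$1; stored=$2
  scheme=${stored%%\}*}; scheme=${scheme#\{}
  b64=${stored#*\}}
  case $scheme in
    SSHA) algo=sha1; dlen=20 ;;
    SMD5) algo=md5;  dlen=16 ;;
    *) echo "unsupported scheme: $scheme" >&2; return 2 ;;
  esac
  blob=$(mktemp) || return 2
  if ! printf '%s' "$b64" | base64 -d > "$blob" 2>/dev/null; then
    rm -f "$blob"; return 2
  fi
  # hex of the stored digest, and hex of digest(plaintext + stored salt)
  want=$(head -c "$dlen" "$blob" | od -An -v -tx1 | tr -d ' \n')
  got=$( { printf '%s' "$pw"; tail -c +$((dlen + 1)) "$blob"; } \
         | openssl dgst -"$algo" -binary | od -An -v -tx1 | tr -d ' \n')
  rm -f "$blob"
  [ -n "$want" ] && [ "$want" = "$got" ]
}
```

To check the rootpw line above against its plaintext, run ldap_pw_verify hi123 '{SMD5}7JfRKPmB62js5N7Qbbv8y8425TQ=' and test the exit status. The unsalted {MD5} and {SHA} forms are not handled on purpose: without a salt, identical passwords produce identical stored values, which is the reason {SSHA} is the default.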
Copy the database configuration file
# rm -fr /var/lib/ldap/*
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap.ldap /var/lib/ldap
# regenerate the configuration directory
# slaptest often fails when generating the configuration, so it took a few attempts; the key step is the chown
# rm -fr /etc/openldap/slapd.d/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
# chown -R ldap.ldap /var/lib/ldap
# chown -R ldap.ldap /etc/openldap/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
# service slapd start
# service slapd restart
# write the directory data into the file svn_grouptest_highill_com.ldif
dn: dc=ldap,dc=highill,dc=com
objectclass: top
objectclass: dcobject
objectclass: organization
dc: ldap
o: highill.com ldap service.

dn: ou=users,dc=ldap,dc=highill,dc=com
ou: users
objectclass: top
objectclass: organizationalUnit

dn: ou=group,dc=ldap,dc=highill,dc=com
ou: group
objectclass: top
objectclass: organizationalUnit

dn: cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com
cn: svngroup
gidNumber: 1001
objectClass: posixGroup

dn: cn=developer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com
cn: developer
gidNumber: 1002
objectClass: posixGroup
memberUid: d1
memberUid: d2

dn: cn=viewer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com
cn: viewer
gidNumber: 1003
objectClass: posixGroup
memberUid: v1
memberUid: v2

dn: uid=d1,ou=users,dc=ldap,dc=highill,dc=com
cn: developer 1
uid: d1
uidNumber: 1002001
gidNumber: 1002
homeDirectory: /home/ldap
userPassword: {SSHA}ZHFoDRFuG5aEnUJKrLdXBW59JoR9ifvn
loginShell: /bin/nologin
objectClass: posixAccount
objectClass: account

dn: uid=d2,ou=users,dc=ldap,dc=highill,dc=com
cn: developer 2
uid: d2
uidNumber: 1002002
gidNumber: 1002
homeDirectory: /home/ldap
userPassword: {SSHA}+YCMzkc+4/Tzw650wK4q9TAXotC0UYxU
loginShell: /bin/nologin
objectClass: posixAccount
objectClass: account

dn: uid=v1,ou=users,dc=ldap,dc=highill,dc=com
cn: view 1
uid: v1
uidNumber: 1003001
gidNumber: 1003
homeDirectory: /home/ldap
userPassword: {SMD5}Exs7tBa5qdCzkODLsHgY5k55OY0=
loginShell: /bin/nologin
objectClass: posixAccount
objectClass: account

dn: uid=v2,ou=users,dc=ldap,dc=highill,dc=com
cn: view 2
uid: v2
uidNumber: 1003002
gidNumber: 1003
homeDirectory: /home/ldap
userPassword: {SMD5}6L/bCHwMmSpk0iAbaO0h+Hbb5+E=
loginShell: /bin/nologin
objectClass: posixAccount
objectClass: account
# load the data
# ldapadd -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w hi123 -f svn_grouptest_highill_com.ldif
(-w puts the Manager password on the command line, where it lands in the shell history and is visible in ps; -W prompts for it instead)
After a successful load, query the data to check it:
# ldapsearch -x -b "dc=ldap,dc=highill,dc=com"
# ldapsearch -x -b "ou=users,dc=ldap,dc=highill,dc=com"
# ldapsearch -x -b "ou=group,dc=ldap,dc=highill,dc=com"
# ldapsearch -x -b "cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# ldapsearch -x -b "cn=developer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# ldapsearch -x -b "cn=viewer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# ldapsearch -h 123.57.132.140 -p 389 -x -b "dc=ldap,dc=highill,dc=com"
# ldapsearch -h 123.57.132.140 -p 389 -x -b "cn=developer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# edit the httpd configuration file
# vim /etc/httpd/conf.d/subversion_highill_com.conf
<Location /svn>
   DAV svn
   SVNParentPath /var/highill_com/svn/repository
   # SVNPath /var/highill_com/svn/repository/test
   SVNListParentPath on
   AuthType Basic
   AuthName "highill.com SVN Auth"
   # AuthUserFile /var/highill_com/svn/conf/passwd
   AuthBasicProvider ldap
   AuthLDAPBindDN "cn=Manager,dc=ldap,dc=highill,dc=com"
   AuthLDAPBindPassword hi123
   AuthLDAPUrl "ldap://123.57.132.140:389/ou=users,dc=ldap,dc=highill,dc=com?uid?sub?(objectClass=posixAccount)"
   Require ldap-group cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com
   AuthLDAPGroupAttribute memberUid
   # memberUid holds bare uids (d1, v1, ...), not DNs, so the group attribute is not a DN
   AuthLDAPGroupAttributeIsDN off
   AuthzSVNAccessFile /var/highill_com/svn/conf/authz
   Require valid-user
   Allow from all
</Location>
Two things to know about this file. First, under httpd 2.2 the two Require lines are alternatives: a request passes if either one is satisfied, and since Require valid-user accepts every account the LDAP search finds, the Require ldap-group line adds no restriction (it could not match anyway, because the memberUid values live in the developer and viewer sub-entries, not in cn=svngroup itself). Effective authorization therefore comes entirely from the authz file, which is what the note below observes. Second, AuthLDAPBindPassword is stored in clear text and the ldap:// connection is unencrypted; that is tolerable here only because slapd runs on the same host and port 389 is not opened in iptables, so keep this file readable by root only.
Finally, enable httpd and ldap at boot and restart both services; then everything can be tested.
# chkconfig httpd on
# chkconfig slapd on
# service httpd restart
# service slapd restart
# the authz file must list the user names and their groups itself; the groups in ldap only serve authentication and cannot be mapped onto svn permission groups.
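Because the LDAP groups are not enforced by httpd, the authz [groups] section and the LDAP user entries have to be kept in step by hand: a uid present in LDAP but in no authz group authenticates and then gets 403 on every path, and a name in authz with no LDAP account can never log in. The following added example (this page's own script, not part of the original post or of Subversion/OpenLDAP) cross-checks an authz file against an LDIF export of the users and reports both kinds of mismatch. The sample files it writes are constructed for the demo: the page's four users plus one stray name on each side, so both findings appear. Function names are this example's own.

```shell
# authz_ldap_crosscheck AUTHZ_FILE LDIF_FILE
#   mod_authnz_ldap authenticates any uid the AuthLDAPUrl filter finds, while
#   path permissions come only from the authz [groups] section. Reports uids
#   that are in LDAP but in no authz group, and authz members that have no
#   LDAP entry. Returns 0 when the two files agree and 1 otherwise.
authz_ldap_crosscheck() {
  authz=$1; ldif=$2
  # members listed under [groups]: split each "name = a, b" on commas,
  # drop whitespace, skip comments, nested groups (@g) and aliases (&a)
  authz_users=$(awk '
    /^[ \t]*\[/ { insec = ($1 == "[groups]"); next }
    insec && !/^[ \t]*#/ && /=/ {
      sub(/^[^=]*=/, "")
      n = split($0, m, ",")
      for (i = 1; i <= n; i++) {
        gsub(/[ \t\r]/, "", m[i])
        if (m[i] != "" && m[i] !~ /^[@&]/) print m[i]
      }
    }' "$authz" | sort -u)
  # uids of the user entries in the LDIF (the attribute AuthLDAPUrl searches on)
  ldap_users=$(awk '/^uid:/ { print $2 }' "$ldif" | sort -u)
  rc=0
  for u in $ldap_users; do
    printf '%s\n' "$authz_users" | grep -qxF "$u" \
      || { echo "LDAP uid '$u' is in no authz group (authenticates, then 403)"; rc=1; }
  done
  for u in $authz_users; do
    printf '%s\n' "$ldap_users" | grep -qxF "$u" \
      || { echo "authz member '$u' has no LDAP account (can never log in)"; rc=1; }
  done
  return $rc
}

# Constructed sample input (not from the page): the page's four users plus
# one stray entry on each side, so both findings are exercised.
demo_crosscheck() {
  dir=$(mktemp -d) || return 2
  cat > "$dir/authz" <<'EOF'
[groups]
# harry_and_sally = harry,sally
developer = d1, d2
viewer = v1, v2, v3

[/]
@developer = rw
@viewer = r
EOF
  cat > "$dir/users.ldif" <<'EOF'
dn: uid=d1,ou=users,dc=ldap,dc=highill,dc=com
uid: d1
objectClass: posixAccount

dn: uid=d2,ou=users,dc=ldap,dc=highill,dc=com
uid: d2
objectClass: posixAccount

dn: uid=v1,ou=users,dc=ldap,dc=highill,dc=com
uid: v1
objectClass: posixAccount

dn: uid=v2,ou=users,dc=ldap,dc=highill,dc=com
uid: v2
objectClass: posixAccount

dn: uid=x9,ou=users,dc=ldap,dc=highill,dc=com
uid: x9
objectClass: posixAccount
EOF
  authz_ldap_crosscheck "$dir/authz" "$dir/users.ldif"
  rc=$?
  rm -rf "$dir"
  return $rc
}
```

On the live server the LDIF side would come from the same search used for testing above, e.g. ldapsearch -x -b "ou=users,dc=ldap,dc=highill,dc=com" uid redirected to a file, and the script fits naturally into a cron job or a pre-commit hook for the authz file.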
# if the ldap import went wrong, these commands delete the entries again (leaves first, because an entry with children cannot be deleted)
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "uid=d1,ou=users,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "uid=d2,ou=users,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "uid=v1,ou=users,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "uid=v2,ou=users,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "cn=viewer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "cn=developer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "ou=users,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "ou=group,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "dc=ldap,dc=highill,dc=com"
To sum up: svn + httpd mainly gives unified permission management across several svn repositories, and openldap mainly replaces the passwd file, so that account information can be shared with other systems.