ubuntu apache2.4 + svn + AD验证

实验环境

  • apache2.4
  • lubuntu 17.10

安装所需软件

# Install Apache, Subversion and the Apache modules used below.
# The first two installs are non-interactive (-y); the last one still asks for confirmation.
# NOTE(review): mod_ldap and mod_authnz_ldap normally ship with Apache itself, and
# vhost_ldap is disabled again in the next step, so confirm that the last two
# packages are needed at all before installing them on a server.
sudo apt-get -y install apache2
sudo apt-get -y install subversion
sudo apt-get install \
    libapache2-mod-svn \
    libapache2-mod-ldap-userdir \
    libapache2-mod-vhost-ldap

安装完后需要先禁用authnz_ldap、ldap、vhost_ldap模块

# Disable the three modules here; the LDAP modules are loaded again later from
# the apache2 svn module configuration.
# Following other tutorials (modules left enabled) made every request to apache2
# hang and end in a 504. The log showed:
#   [mod_vhost_ldap.c]: lookup failure, retry number #[5]
# After several attempts the cause turned out to be vhost_ldap.conf, which points
# at ldap://127.0.0.1; disabling that configuration fixed it.
for mod in authnz_ldap ldap vhost_ldap; do
    a2dismod "$mod"
done

修改/etc/apache2/mods-available/dav_svn.conf配置

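# mod_ldap and mod_authnz_ldap were disabled with a2dismod above, so they are
# loaded explicitly here.
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

# NOTE(review): DAV, AuthType and Require are only accepted inside a
# directory-type container, and the page as captured shows none (probably lost
# in extraction). /svn is assumed as the URL path here; confirm before use.
<Location /svn>
    DAV svn
    SVNParentPath /svn
    SVNListParentPath On
    AuthzSVNAccessFile /svn/authz

    # Basic auth sends the domain password with every request, merely
    # base64-encoded. Serve this location over HTTPS only (for example with
    # SSLRequireSSL once the virtual host has TLS configured).
    AuthType Basic
    AuthName "Please enter your domain account and password"
    AuthBasicProvider ldap

    # The bind password is stored in this file in clear text. Use a dedicated
    # low-privilege account for the bind and keep the file readable by root only
    # (chmod 600); Apache reads its configuration before dropping privileges.
    AuthLDAPBindDN "你的域名sAMAccountName即可,不需后缀或DN"
    AuthLDAPBindPassword 你的密码,不需要引号

    # ldap:// on port 389 is unencrypted, so the bind password and every user's
    # password cross the network in clear text between Apache and the domain
    # controller. Prefer ldaps:// or STARTTLS (LDAPTrustedMode, with the CA set
    # through LDAPTrustedGlobalCert) where the domain controller supports it.
    # (objectClass=*) accepts any entry that carries the sAMAccountName, not only
    # people; a narrower filter such as (objectClass=user) or a group-membership
    # filter limits who can log in.
    AuthLDAPURL "ldap://yourserver:389/你的域根OU(如dc=example,dc=com)?sAMAccountName?sub?(objectClass=*)"

    # Without this directive the login hangs after the credentials are entered
    # and ends in a 504 (answer found on Stack Overflow).
    LDAPReferrals Off
    require valid-user
</Location>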


创建svn目录,配置权限文件authz

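# Create the repository parent directory and an empty access-control file.
sudo mkdir /svn
sudo touch /svn/authz
# Create a test repository. /svn was just created by root, so this needs sudo too.
sudo svnadmin create /svn/test
# Repositories added later need the same ownership change, otherwise client
# operations such as checkout fail.
# Only the repository is handed to www-data: /svn/authz stays owned by root, so
# the web server can read the access rules but cannot rewrite them. This matches
# what the one-click script further down does.
sudo chown -R www-data:www-data /svn/test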

示例/svn/authz内容如下,具体权限配置请搜索“subversion权限配置”

[aliases]
# joe = /C=XZ/ST=Dessert/L=Snake City/O=Snake Oil, Ltd./OU=Research Institute/CN=Joe Average

[groups]
# Group members are matched against the user name Apache authenticated; with the
# AuthLDAPURL on this page that is presumably the sAMAccountName typed at login.
admin = ldapuser1
# harry_sally_and_joe = harry,sally,&joe

# Rules for the root path of the repository named "test".
[test:/]
@admin = rw
# "*" matches every user. Together with "require valid-user" in the Apache
# configuration this gives read access to any account that can authenticate
# against the directory; list explicit groups instead if that is too broad.
* = r

重启apache2,在浏览器中测试,或用svn客户端测试

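# Validate the edited configuration first, so a syntax error is reported
# instead of leaving Apache down after the restart.
sudo apache2ctl configtest && sudo service apache2 restart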


脚本一键安装

# coding=utf-8
#
# Created on 2018/3/2
#


import getpass
import os
import re
import subprocess
import sys

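# One-shot installer for Apache + Subversion with Active Directory (LDAP) login.
# It runs as root, installs packages, and writes the AD bind password into an
# Apache configuration file, so it takes the following precautions:
#   * the password is read without echo and the file holding it is mode 0600;
#   * answers are validated or escaped before they are placed in the config;
#   * commands run without a shell and a failed package install aborts the run.

CONF_PATH = '/etc/apache2/mods-available/dav_svn.conf'
AUTHZ_PATH = '/svn/authz'

try:
    read_line = raw_input  # Python 2, which the script was written for
except NameError:
    read_line = input  # Python 3


def _ask(prompt, secret=False):
    """Prompt for one value; abort on empty input or control characters.

    With secret=True the answer is read through getpass so that it is not
    echoed to the terminal.
    """
    reader = getpass.getpass if secret else read_line
    value = reader(prompt)
    if not value or any(ord(ch) < 32 for ch in value):
        sys.exit('empty or unprintable input, aborting')
    return value


def _conf_quote(value):
    """Return value as a double-quoted Apache configuration argument."""
    return '"%s"' % value.replace('\\', '\\\\').replace('"', '\\"')


def _run(args, required=False):
    """Run one command without a shell and return its exit status.

    A failing required command ends the script; any other failure is only
    reported, which keeps the original best-effort behaviour on re-runs.
    """
    status = subprocess.call(args)
    if status != 0:
        message = 'command failed (exit %d): %s' % (status, ' '.join(args))
        if required:
            sys.exit(message)
        sys.stderr.write('warning: %s\n' % message)
    return status


# Everything below needs root; stop before asking for a password otherwise.
if os.geteuid() != 0:
    sys.exit('run this script as root (sudo python svn.py)')

server = _ask('请输入域控ip:')
bind_user = _ask('请输入一个域账号用户绑定LDAP:')
bind_pwd = _ask('请输入该账号密码:', secret=True)
bind_dn = _ask('输入DC(如dc=example,dc=com,dc=cn):')

# server and bind_dn land inside the quoted AuthLDAPURL, so reject anything
# that could end the quoting or add extra URL fields.
if not re.match(r'^[A-Za-z0-9._-]+$', server):
    sys.exit('server must be an IP address or host name')
if '"' in bind_dn or '?' in bind_dn:
    sys.exit('base DN must not contain \'"\' or \'?\'')

print(u'正在安装软件包\n')

# The third install has no -y (as in the original) and still prompts.
_run(['apt-get', 'install', 'apache2', '-y'], required=True)
_run(['apt-get', 'install', 'subversion', '-y'], required=True)
_run(['apt-get', 'install', 'libapache2-mod-svn',
      'libapache2-mod-ldap-userdir', 'libapache2-mod-vhost-ldap'],
     required=True)

for module in ('authnz_ldap', 'ldap', 'vhost_ldap'):
    _run(['a2dismod', module])

# Keep the packaged dav_svn.conf as a backup instead of deleting it.
if os.path.exists(CONF_PATH) and not os.path.exists(CONF_PATH + '.orig'):
    os.rename(CONF_PATH, CONF_PATH + '.orig')
if not os.path.isdir('/svn'):
    os.mkdir('/svn')

print(u'配置/etc/apache2/mods-available/dav_svn.conf\n')

# NOTE(review): DAV, AuthType and require are only accepted inside a
# directory-type container, and the page as captured shows none (probably lost
# in extraction). /svn is assumed as the URL path; confirm before use.
# The generated setup still uses Basic auth and ldap:// on port 389, so user
# passwords and the bind password travel unencrypted unless the site is served
# over HTTPS and the LDAP connection is switched to ldaps:// or STARTTLS.
# (objectClass=*) accepts any entry with a matching sAMAccountName; narrow the
# filter if only certain accounts should be able to log in.
conf = '''
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

<Location /svn>
DAV svn
SVNParentPath /svn
SVNListParentPath On
AuthzSVNAccessFile /svn/authz
AuthType Basic
AuthName "Please enter your domain account and password"
AuthBasicProvider ldap
AuthLDAPBindDN %s
AuthLDAPBindPassword %s
AuthLDAPURL "ldap://%s:389/%s?sAMAccountName?sub?(objectClass=*)"
LDAPReferrals Off
require valid-user
</Location>

''' % (_conf_quote(bind_user), _conf_quote(bind_pwd), server, bind_dn)

# The file holds the bind password in clear text: restrict it to root before
# anything is written. Apache reads its configuration before dropping privileges.
conf_fd = os.open(CONF_PATH, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
os.fchmod(conf_fd, 0o600)
with os.fdopen(conf_fd, 'w') as f:
    f.write(conf)

# NOTE(review): the LDAP bind account is also made the initial SVN admin here.
# Replace it with a real administrator's sAMAccountName afterwards so that the
# service account holds no repository rights.
svn_auth = '''
[aliases]
# joe = /C=XZ/ST=Dessert/L=Snake City/O=Snake Oil, Ltd./OU=Research Institute/CN=Joe Average

[groups]
admin = %s
# harry_sally_and_joe = harry,sally,&joe

[test:/]
@admin = rw
* = r

''' % bind_user

# authz stays owned by root: the web server only needs to read it.
with open(AUTHZ_PATH, 'w') as f:
    f.write(svn_auth)

print(u'重启服务测试\n')

_run(['service', 'apache2', 'restart'])

print(u'现在运行svnadmin create /svn/test创建第一个测试版本库\n')
print(u'将该文件夹所有者改为www-data:\nchown www-data:www-data /svn/test -R')
_run(['svnadmin', 'create', '/svn/test'])
_run(['chown', 'www-data:www-data', '/svn/test', '-R'])

print(u'在网页中尝试登陆访问')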

另存为svn.py ,并执行

# Needs root: the script installs packages and writes under /etc/apache2 and /svn.
# It also asks for the AD bind password and stores it in dav_svn.conf.
sudo python svn.py

以上脚本仅在本机测试成功
如不成功,具体细节请参考前面步骤
