svn 代码管理软件
httpd 提供http服务,可以将svn托管的静态文件通过http服务器显示
openldap 是 ldap(轻量级目录访问协议)的开源实现, 适用于查询多于增删改的数据服务, 比如企业的账户管理系统.
非常感谢这两篇文件:
subversion_apache_ldap配置.pdf (见附件,看了很多遍才有思路)
征服 Apache + SVN + LDAP
http://snowolf.iteye.com/blog/892001 (写得很简洁)
httpd mod_authnz_ldap 官方文档
http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html
一. 准备环境
阿里云默认没有防火墙配置文件
# 生成防火墙配置
# cd /etc/sysconfig
# iptables -P OUTPUT ACCEPT
# service iptables save
# vim iptables
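# Generated by iptables-save v1.4.7 on Fri Feb 20 16:28:15 2015
*filter
# Chain policies are left at ACCEPT so a flush can never lock out SSH;
# the explicit REJECT at the end of INPUT is what actually closes the host.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Loopback stays open, which is what keeps the local httpd -> slapd (389)
# connection working without exposing LDAP to the internet.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# Terminal rule: without it the INPUT policy ACCEPT admits every other port
# (including LDAP 389 and anonymous ldapsearch) and the rules above have no
# effect at all.  This matches the stock CentOS ruleset.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Feb 20 16:28:15 2015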
# service iptables restart
二. 安装相关软件
# 安装 httpd, subversion, openldap
# yum -y install httpd
# yum -y install subversion
# yum -y install mod_dav_svn
# yum -y install openldap-*
# 启动http服务, 后访问 http://123.57.132.140/
# service httpd start
三. svn + httpd
创建svn库test, document, practice
# 预期文件目录
# svn库
/var/highill_com/svn/repository/test
/var/highill_com/svn/repository/document
/var/highill_com/svn/repository/practice
# svn配置
/var/highill_com/svn/conf/passwd (使用ldap时可以删除)
/var/highill_com/svn/conf/authz
# cd /var
# mkdir highill_com
# cd highill_com/
# mkdir svn
# cd svn
# mkdir conf
# mkdir repository
# svn 库 目录
/var/highill_com/svn/repository
# svn 配置目录
/var/highill_com/svn/conf
# svnadmin create test
# svnadmin create document
# svnadmin create practice
# svn 目录授权给 apache
# chown -R apache.apache /var/highill_com/svn/repository/
# 查看权限
# ll -h
# 设计 d1, d2 为 developer 组, 读写权限; v1, v2 为 viewer 组, 只读权限
# 先用 htpasswd 生成用户, 密码到passwd文件
# cd /var/highill_com/svn/conf/
# htpasswd -bc passwd d1 d1
# htpasswd -b passwd d2 d2
# htpasswd -b passwd v1 v1
# htpasswd -b passwd v2 v2
# 可以使用 vim passwd查看
# 从 任一svn 库复制 权限配置文件
# cp /var/highill_com/svn/repository/test/conf/authz /var/highill_com/svn/conf/authz
# vim /var/highill_com/svn/conf/authz
[groups]
# harry_and_sally = harry,sally
# harry_sally_and_joe = harry,sally,&joe
developer = d1, d2
viewer = v1, v2
# [/foo/bar]
# harry = rw
# &joe = r
# * =
[/]
@developer = rw
@viewer = r
# svn 方面配置完毕
# 开始为httpd 配置svn
# cd /etc/httpd/conf.d/
# cp subversion.conf subversion_highill_com.conf
#subversion_highill_com.conf 可以新建也可以随便拷贝conf.d下的配置文件
# 编辑配置文件
# vim subversion_highill_com.conf
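<Location /svn>
    DAV svn
    # All repositories live under one parent; each is served at /svn/<name>.
    SVNParentPath /var/highill_com/svn/repository
    # SVNPath /var/highill_com/svn/repository/test
    SVNListParentPath on
    # Basic auth only base64-encodes the password; the test URLs in this
    # guide are plain http://, so credentials cross the network in the clear
    # unless the vhost is moved to https.
    AuthType Basic
    AuthName "highill.com SVN Auth"
    AuthUserFile /var/highill_com/svn/conf/passwd
    # The mod_authz_svn directive is AuthzSVNAccessFile ("Authz" spelling,
    # as used in the LDAP version of this file); AuthSVNAccessFile is not a
    # directive and httpd refuses to start on it.
    AuthzSVNAccessFile /var/highill_com/svn/conf/authz
    Require valid-user
    Allow from all
</Location>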
编辑完毕后保存,重启httpd服务即可测试 svn + httpd
# service httpd restart
http://123.57.132.140/svn/test
http://123.57.132.140/svn/document
http://123.57.132.140/svn/practice
使用 svn 客户端测试 d1, d2 更新,提交权限; v1, v2更新权限, 并且不能提交
四. svn + httpd + ldap
# 开始 配置ldap
# 复制配置文件
# cd /etc/openldap/
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
# vim slapd.conf
by dn.exact="cn=Manager,dc=ldap,dc=highill,dc=com" read
database bdb
suffix "dc=ldap,dc=highill,dc=com"
rootdn "cn=Manager,dc=ldap,dc=highill,dc=com"
rootpw {SMD5}7JfRKPmB62js5N7Qbbv8y8425TQ=
其中 rootpw 使用 slappasswd 生成 (明文hi123), 支持{CRYPT}, {MD5}, {SMD5}, {SSHA}, and {SHA} . 其中{SSHA}为默认配置
# slappasswd -h{SMD5}
New password:
Re-enter new password:
{SMD5}7JfRKPmB62js5N7Qbbv8y8425TQ=
复制数据文件
# rm -fr /var/lib/ldap/*
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap.ldap /var/lib/ldap
# 重新生成配置文件
# slaptest 生成配置文件经常报错, 所以多试了几次, 主要是 chown授权
# rm -fr /etc/openldap/slapd.d/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
# chown -R ldap.ldap /var/lib/ldap
# chown -R ldap.ldap /etc/openldap/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
# service slapd start
# service slapd restart
# 编辑 svn_grouptest_highill_com.ldif 文件生成数据 (ldif 中各条目之间需以空行分隔)
dn: dc=ldap,dc=highill,dc=com
objectclass: top
objectclass: dcobject
objectclass: organization
dc: ldap
o: highill.com ldap service.
dn: ou=users,dc=ldap,dc=highill,dc=com
ou: users
objectclass: top
objectclass: organizationalUnit
dn: ou=group,dc=ldap,dc=highill,dc=com
ou: group
objectclass: top
objectclass: organizationalUnit
dn: cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com
cn: svngroup
gidNumber: 1001
objectClass: posixGroup
dn: cn=developer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com
cn: developer
gidNumber: 1002
objectClass: posixGroup
memberUid: d1
memberUid: d2
dn: cn=viewer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com
cn: viewer
gidNumber: 1003
objectClass: posixGroup
memberUid: v1
memberUid: v2
dn: uid=d1,ou=users,dc=ldap,dc=highill,dc=com
cn: develope 1
uid: d1
uidNumber: 1002001
gidNumber: 1002
homeDirectory: /home/ldap
userPassword: {SSHA}ZHFoDRFuG5aEnUJKrLdXBW59JoR9ifvn
loginShell: /bin/nologin
objectClass: posixAccount
objectClass: account
dn: uid=d2,ou=users,dc=ldap,dc=highill,dc=com
cn: develope 2
uid: d2
uidNumber: 1002002
gidNumber: 1002
homeDirectory: /home/ldap
userPassword: {SSHA}+YCMzkc+4/Tzw650wK4q9TAXotC0UYxU
loginShell: /bin/nologin
objectClass: posixAccount
objectClass: account
dn: uid=v1,ou=users,dc=ldap,dc=highill,dc=com
cn: view 1
uid: v1
uidNumber: 1003001
gidNumber: 1003
homeDirectory: /home/ldap
userPassword: {SMD5}Exs7tBa5qdCzkODLsHgY5k55OY0=
loginShell: /bin/nologin
objectClass: posixAccount
objectClass: account
dn: uid=v2,ou=users,dc=ldap,dc=highill,dc=com
cn: view 2
uid: v2
uidNumber: 1003002
gidNumber: 1003
homeDirectory: /home/ldap
userPassword: {SMD5}6L/bCHwMmSpk0iAbaO0h+Hbb5+E=
loginShell: /bin/nologin
objectClass: posixAccount
objectClass: account
# 上传数据
# ldapadd -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w hi123 -f svn_grouptest_highill_com.ldif
上传成功后也可以用命令查询测试:
# ldapsearch -x -b "dc=ldap,dc=highill,dc=com"
# ldapsearch -x -b "ou=users,dc=ldap,dc=highill,dc=com"
# ldapsearch -x -b "ou=group,dc=ldap,dc=highill,dc=com"
# ldapsearch -x -b "cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# ldapsearch -x -b "cn=developer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# ldapsearch -x -b "cn=viewer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# ldapsearch -h 123.57.132.140 -p 389 -x -b "dc=ldap,dc=highill,dc=com"
# ldapsearch -h 123.57.132.140 -p 389 -x -b "cn=developer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# 编辑 httpd 配置文件
# vim /etc/httpd/conf.d/subversion_highill_com.conf
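<Location /svn>
    DAV svn
    SVNParentPath /var/highill_com/svn/repository
    # SVNPath /var/highill_com/svn/repository/test
    SVNListParentPath on
    # Basic auth over the plain http:// URLs used in this guide sends the
    # password in the clear; move the vhost to https before exposing it.
    AuthType Basic
    AuthName "highill.com SVN Auth"
    # AuthUserFile /var/highill_com/svn/conf/passwd
    AuthBasicProvider ldap
    # The bind DN is the directory rootdn and its password is stored here in
    # clear text: keep this file readable only by root and the httpd user,
    # and prefer a read-only service account over cn=Manager.
    AuthLDAPBindDN "cn=Manager,dc=ldap,dc=highill,dc=com"
    AuthLDAPBindPassword hi123
    # ldap:// is unencrypted; tolerable only while httpd and slapd share this
    # host (the address below is the same one the guide's http URLs use),
    # otherwise use ldaps:// or STARTTLS.
    AuthLDAPUrl "ldap://123.57.132.140:389/ou=users,dc=ldap,dc=highill,dc=com?uid?sub?(objectClass=posixAccount)"
    # NOTE: cn=svngroup itself carries no memberUid values in the ldif (only
    # its child groups developer/viewer do), so this line matches nobody as
    # written.  The two Require lines are alternatives in both httpd 2.2 and
    # 2.4 (RequireAny), so access is effectively granted by "Require
    # valid-user" plus the authz file.  Point this at a group that lists the
    # users, or drop valid-user, if LDAP group membership is meant to gate
    # access.
    Require ldap-group cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com
    AuthLDAPGroupAttribute memberUid
    # memberUid holds bare uids (memberUid: d1), not DNs, so membership must
    # be compared by username; "on" would compare the user's DN and never
    # match.
    AuthLDAPGroupAttributeIsDN off
    AuthzSVNAccessFile /var/highill_com/svn/conf/authz
    Require valid-user
    Allow from all
</Location>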
最后 设置httpd, ldap开机启动,并重启服务就可以进行测试了
# chkconfig httpd on
# chkconfig slapd on
# service httpd restart
# service slapd restart
# authz 文件中需要配置用户名及其所属组; ldap 中的组只用于认证, 不能直接对应 svn 的权限组.
# 如果 ldap 导入错误可以用这些命令删除条目 (-w 后为 rootpw 对应的明文密码, 本文前面生成的是 hi123; 条目需按从叶子到根的顺序删除)
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "uid=d1,ou=users,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "uid=d2,ou=users,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "uid=v1,ou=users,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "uid=v2,ou=users,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "cn=viewer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "cn=developer,cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "cn=svngroup,ou=group,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "ou=users,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "ou=group,dc=ldap,dc=highill,dc=com"
# ldapdelete -x -D "cn=Manager,dc=ldap,dc=highill,dc=com" -w lidongxu "dc=ldap,dc=highill,dc=com"
总结一下, svn + httpd主要是可以多个svn库进行统一权限管理,使用openldap主要是替换passwd文件,这样账户信息可以和其它系统统一.