Configuring COLLABNET Subversion with Active Directory

Reposted: December 5, 2013, 18:42:16

[Screenshot: Collabnet LDAP Settings]

If you need to host Subversion in a Windows Server environment, it is always desirable to integrate Subversion with Active Directory. For Windows administrators it is better to use COLLABNET Subversion Edge, as it comes with an all-in-one installer that includes Apache, Subversion and a beautiful web console which simplifies tasks like managing repositories, users and SVN services through a GUI.

Concept


On receiving an authentication request from an SVN client, Subversion has the user information validated by Active Directory. The protocol used is LDAP, which stands for Lightweight Directory Access Protocol. Subversion acts as the LDAP client and Active Directory is the LDAP server.

An LDAP client has to authenticate itself to Active Directory before sending any LDAP query. This is called an LDAP Bind: the LDAP client passes a valid user DN and password to Active Directory. Only if the Bind operation succeeds can the LDAP client request additional information, such as the list of users in an OU or user properties like email and department. The Bind User is also required to query Active Directory groups and their memberships. This, however, also depends on whether the Bind User has the required rights to that information in Active Directory. By default, the “Authenticated Users” group usually has Read access on every OU, user and group, so no special permission needs to be configured on any OU. In a locked-down Active Directory, however, the Authenticated Users ACEs are removed from the default Active Directory containers, including the Users, Systems, and OUs where User and Computer objects are stored. In that case, some permissions need to be configured.

This post focuses only on identifying the required LDAP parameters from Active Directory, configuring them in COLLABNET Subversion Edge, and testing and troubleshooting basic LDAP connectivity with Active Directory in non-locked-down mode. For more details on the LDAP authentication protocol flow and on how to prepare Active Directory in locked-down mode for LDAP authentication, refer to the post “Preparing Locked-Down Active Directory for LDAP Authentication”.

Identifying DN for LDAP Bind User and Base DN


The Base DN is the starting or entry point in the Active Directory tree where operations like LDAPSearch will be carried out. Generally the Base DN is the root of the domain. For example, the Base DN for mydomain.net will be “dc=mydomain,dc=net”. The Base DN can also be that of an OU. For example, for an OU “SVN Users” in mydomain.net, the Base DN will be “ou=svn users,dc=mydomain,dc=net”.

The Bind User DN is the DN of the user that will bind to Active Directory before querying any additional information.

Sometimes it can be confusing to work out the DN for a given user in Active Directory. It is always good to verify the DN using some tool or another LDAP client rather than trying different combinations directly in the COLLABNET Subversion Edge configuration.

It is quick and easy to use dsquery.exe on the domain controller to get the DN for a given user display name or SAM account name.

Use the “-samid” switch if you know the logon name. Otherwise you can use “-name” for the display name. In both cases it will output the DN of the user.

Similarly, you can use dsquery.exe to get the DN for a given OU in Active Directory.

Testing Connectivity to Active Directory


It is better to test connectivity to Active Directory from the server running COLLABNET Subversion before configuring LDAP authentication. This verifies that there are no firewall or permission issues in connecting to the Active Directory server, i.e. the Domain Controller.

Step 1:

If there are firewalls in between, verify that you can make a network connection to Active Directory. You can simply try to telnet to the domain controller on port 389, which is the default LDAP port.

Unsuccessful Connection:

[Screenshot: Telnet LDAP Server 389 Unsuccessful, by dscentral.in]

Successful Connection:

Step 2:

Connect to Active Directory using another LDAP client. You can use JXplorer, a free, Java-based, open source LDAP browser (LDAP client). You can even run it without installing anything on the server.

Configuring COLLABNET Subversion Edge for LDAP Authentication


This is a very straightforward process if you have all the required details well verified and tested.

Configure the Active Directory host address, Bind User DN, password, Base DN and User Identifier.

Testing LDAP Authentication

Do not use the domain name in the user name field.
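The Base DN rules from the DN section and the bare-user-name rule above, as an added Python example that is not part of the original post: it derives the Base DN from a DNS domain, escapes OU names (RFC 4514) and filter values (RFC 4515), and strips a domain prefix or suffix from a login. The function names, the sample values and the use of `sAMAccountName` as the User Identifier are assumptions.

```python
"""Added example: build the DNs and user filter discussed in this post."""

# RFC 4514: characters that must be backslash-escaped inside a DN value.
_DN_SPECIALS = set(',+"\\<>;')
# RFC 4515: characters that must be hex-escaped inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_dn_value(value: str) -> str:
    """Escape one RDN value, such as an OU name, for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIALS or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def base_dn_from_domain(domain: str) -> str:
    """mydomain.net -> dc=mydomain,dc=net"""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + escape_dn_value(label) for label in labels)


def ou_dn(ou_name: str, domain: str) -> str:
    """OU directly under the domain root; AD compares DNs case-insensitively."""
    return "ou=" + escape_dn_value(ou_name) + "," + base_dn_from_domain(domain)


def bare_login(name: str) -> str:
    """Drop a DOMAIN\\ prefix or @domain suffix, leaving only the logon name."""
    name = name.strip().split("\\", 1)[-1].split("@", 1)[0]
    if not name:
        raise ValueError("empty logon name")
    return name


def user_filter(login: str, attr: str = "sAMAccountName") -> str:
    """Search filter for one user; attr is an assumed User Identifier."""
    return "(%s=%s)" % (attr, "".join(_FILTER_ESCAPES.get(c, c) for c in bare_login(login)))


if __name__ == "__main__":
    print(ou_dn("SVN Users", "mydomain.net"))    # constructed sample values
    print(user_filter("MYDOMAIN\\jsmith"))
```

Escaping matters because an OU name containing a comma, or a login containing `*` or parentheses, would otherwise change the meaning of the DN or filter sent to the domain controller.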

Summary


  1. The LDAP client has to authenticate itself to Active Directory before asking for any information. For this we require a valid Active Directory user and password with appropriate rights configured on Active Directory objects. This user is called the Bind User.
  2. Use dsquery.exe to identify the Bind User DN and the OU DN.
  3. Verify the LDAP Bind to Active Directory using JXplorer.
  4. Configure the parameters in COLLABNET Subversion Edge.
