Configuring COLLABNET Subversion with Active Directory

Reposted, December 5, 2013, 18:42:16
Collabnet LDAP Settings

If you need to host Subversion in a Windows Server environment, it is always desirable to integrate Subversion with Active Directory. For Windows administrators it is better to use COLLABNET Subversion Edge, as it comes with an all-in-one installer that includes Apache, Subversion and a web console which simplifies tasks like managing repositories, users and SVN services through a GUI.

Concept


On receiving an authentication request from an SVN client, Subversion has the user information validated by Active Directory. The protocol used is LDAP, which stands for Lightweight Directory Access Protocol. Subversion acts as an LDAP client and Active Directory is the LDAP server.

An LDAP client has to authenticate itself to Active Directory before sending any LDAP query. This is called an LDAP Bind. The LDAP client passes a valid user DN and password to Active Directory. Only if the Bind operation succeeds can the LDAP client request additional information, such as the list of users in an OU or user properties like email and department. The Bind User is also required to query Active Directory groups and their memberships. This also depends on whether the Bind User has the required rights to that information in Active Directory. By default, the “Authenticated Users” group usually has Read access on every OU, user and group, so no special permission needs to be configured on any OU. However, in a locked-down Active Directory, the Authenticated Users ACEs are removed from the default Active Directory containers, including the Users, Systems, and OUs where User and Computer objects are stored. In that case, some permissions need to be configured.

This post focuses only on identifying the required LDAP parameters from Active Directory, configuring them in COLLABNET Subversion Edge, and testing and troubleshooting basic LDAP connectivity with Active Directory in non-locked-down mode. For more details on the LDAP authentication protocol flow and how to prepare Active Directory in locked-down mode for LDAP authentication, refer to the post “Preparing Locked-Down Active Directory for LDAP Authentication”.

Identifying DN for LDAP Bind User and Base DN


The Base DN is the starting or entry point in the Active Directory tree where operations like LDAPSearch will be carried out. Generally the Base DN is the root of the domain. For example, the Base DN for mydomain.net will be “dc=mydomain,dc=net”. The Base DN can also be that of an OU. For example, for an OU “SVN Users” in mydomain.net, the Base DN will be “ou=svn users,dc=mydomain,dc=net”.

The Bind User DN is the DN of the user that will bind to Active Directory before querying any additional information.

Sometimes it can be confusing to compile the DN for a given user in Active Directory. It is always good to verify the DN using some tool or another LDAP client rather than trying different combinations directly in the COLLABNET Subversion Edge configuration.

It is quick and easy to use dsquery.exe on the domain controller to get the DN for a given user display name or SAM account as shown below:

Use the “-samid” switch if you know the logon name. Otherwise you can use “-name” for the display name. In both cases it will output the DN of the user.

Similarly you can use dsquery.exe to get DN for a given OU in Active Directory as shown below.

Testing Connectivity to Active Directory


It is better to test connectivity to Active Directory from the server running COLLABNET Subversion before configuring LDAP authentication. This verifies that there are no firewall or permission issues in connecting to the Active Directory server, i.e. the Domain Controller.

Step 1 :

If there are firewalls, verify that you can make a network connection to Active Directory. You can simply try telnet to the domain controller on port 389, which is the default LDAP port.

Unsuccessful Connection:

Telnet LDAP Server 389 Unsuccessful

Successful Connection:

Step 2:

Connect to Active Directory using another LDAP client. You can use JXplorer as shown below. JXplorer is a free, Java-based, open source LDAP browser (LDAP client). You can even run it without installing anything on the server.
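
The two test steps above, together with the DN lookup that dsquery.exe performs, as an added PowerShell example that is not part of the original post. The server name, Bind User DN and logon name are placeholders, and it assumes a Windows host with Test-NetConnection and the .NET System.DirectoryServices.Protocols assembly available.

```powershell
# Added example: placeholder values, replace with your own.
$Server  = 'dc01.mydomain.net'     # hypothetical domain controller name
$BaseDn  = 'dc=mydomain,dc=net'    # Base DN for mydomain.net, as in the article
$BindDn  = 'cn=svnbind,ou=svn users,dc=mydomain,dc=net'   # hypothetical Bind User DN
$LookFor = 'jdoe'                  # hypothetical logon name, without domain prefix

# Escape a value before placing it inside an LDAP search filter (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

# Step 1: TCP reachability of the LDAP port (the same check as telnet to 389).
if (-not (Test-NetConnection -ComputerName $Server -Port 389).TcpTestSucceeded) {
    throw "Cannot reach ${Server}:389 - check firewalls and name resolution."
}

# Step 2: simple bind with the Bind User DN and password.
# On port 389 without TLS, a simple bind sends the password unencrypted.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$pw   = Read-Host -AsSecureString "Password for $BindDn"
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.SessionOptions.ProtocolVersion = 3
# A search from the domain root returns references to other partitions; do not chase them.
$conn.SessionOptions.ReferralChasing = 'None'
$conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $pw)

try {
    $conn.Bind()
    "Bind OK as $BindDn"

    # Resolve the logon name to its DN under the Base DN.
    $filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $LookFor))"
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, $filter,
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        [string[]]@('distinguishedName'))
    $conn.SendRequest($req).Entries | ForEach-Object { $_.DistinguishedName }
} catch {
    # A wrong DN or password surfaces here as an invalid-credentials error.
    "LDAP bind or search failed: $($_.Exception.GetBaseException().Message)"
} finally {
    $conn.Dispose()
}
```

If the bind succeeds but the search returns nothing, the Bind User lacks read access under the Base DN or the Base DN does not contain the account.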

Configuring COLLABNET Subversion Edge for LDAP Authentication


This is a very straightforward process if you have all the required details verified and tested.

Configure the Active Directory host address, Bind User DN, password, Base DN and user identifier as shown below.

Testing LDAP Authentication

Do not include the domain name in the user name field.

Summary


  1. The LDAP client has to authenticate itself to Active Directory before asking for any information. For this we require a valid Active Directory user and password with appropriate rights configured on Active Directory objects. This user is called the Bind User.
  2. Use dsquery.exe to identify the Bind User DN and OU DN.
  3. Verify the LDAP Bind to Active Directory using JXplorer.
  4. Configure the parameters in COLLABNET Subversion Edge.
