Thursday, April 21, 2011

Authenticating SVN through AD

Introduction

After spending a few days trying to get our SVN clients to authenticate directly with their Active Directory credentials, I think it's worthwhile to share this information with others, in the hope that it will help. First off, I am no expert here, and all the information in this post comes from a number of other postings, but nowhere did I find exactly what I was looking for.

Just to be precise, the goal here is to authenticate SVN users with their Active Directory credentials, and to do so without using LDAP or Apache. This setup only uses SASL and PAM to authenticate the users. Some of the documentation suggests that all you need is to set your svn.conf file with:



mech_list: gssapi



You're welcome to try it, but it didn't work for me, so I instead chose to use Kerberos through PAM.

This post assumes that SVN is already installed and working, probably with svn+ssh, and that an AD is also working and in place.



Pre-Requisites


  • SASL libraries
  • PAM libraries including pam_krb5

Setup and Configure Kerberos


The steps below describe how to configure Kerberos using the GUI tool. You can also apply the changes manually by editing the file /etc/krb5.conf.
The Kerberos network authentication protocol requires the clocks of the involved machines to be synchronized, or at least that the difference is less than 5 minutes, so the best thing is to make sure that all servers are synchronized with a time server.



1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.


2. Click the Authentication tab and check Enable Kerberos Support. Next, click the Configure Kerberos button.


3. In the Kerberos Settings window, fill in the Realm, clear out KDC and Admin Servers, and check Use DNS to locate KDCs for realms. The Realm is usually your domain name in capitals; capitalization is important. The KDC is your Active Directory server. Click OK when you're done.


4. Uncheck Enable Kerberos Support and click OK. We don't actually want to use Kerberos authentication for Linux logins; we just want the tool to set up Kerberos for us.


5. Test Kerberos by typing kinit username in a terminal window. If you need help making sense of the kinit error messages, check out Test the Kerberos Authentication. You can then check that you did get a ticket by typing klist. Once you are done testing you should clear your ticket, otherwise you will be prompted to renew it once it expires. To clear your Kerberos credentials simply type kdestroy.


The Active Directory Side


You'll need to create a keytab for your SVN service.


Creating the user account for SVN in AD


Use the Active Directory Management tool to create a new user account for the svn service:



1. Select the Users folder, right-click and select New, then choose User.


2. Type the user name, which is the service (svn/) followed by the FQDN of the server.

An example of a user to create would be: svn/server-name.company.com



Creating the security principal and keytab file



The keytab contains a service name, the FQDN of the server, and the AD domain. '''Service names are case-sensitive'''; enter them in lower case. Once the account has been created, the keytab file can be generated with ktpass:
C:> ktpass -princ svn/hostname@NT-DNS-REALM-NAME -mapuser account -pass password -out svn-hostname.keytab

In the command:

  • hostname is the host DNS name, for example, foobar.example.com.
  • NT-DNS-REALM-NAME is the uppercase name of the Windows domain; for example, EXAMPLE.COM.
  • account is the name of the account for the computer.
  • password is a complex password for the account.
  • svn-hostname.keytab is the name of the keytab file.

Back to the Linux Side

Next, copy the keytab file to the svn system and merge the keytab file into /etc/krb5.keytab with:
% ktutil
ktutil: rkt svn-hostname.keytab
ktutil: list

The output should appear similar to the following:
slot KVNO Principal
---- ---- ---------
   1    1 host/foobar.example.com@EXAMPLE.COM
ktutil: wkt /etc/krb5.keytab
ktutil: q

Configuring SASL

Now that Kerberos is configured on your system, we need to move on and configure SASL. To operate correctly, SASL needs a configuration file in a location where it will look for it. For SVN, this file is '''svn.conf'''. The location varies a bit between systems, and it is often suggested to create a link between the candidate locations.

For me those locations are /etc/sasl2 and /usr/lib/sasl2. So I created a file in /usr/lib/sasl2 called svn.conf and then linked it from /etc/sasl2 with:
ln -s /usr/lib/sasl2/svn.conf /etc/sasl2/svn.conf

The content of svn.conf is:
pwcheck_method: saslauthd
mech_list: plain login
log_level: 3

This sets the password check method to saslauthd and offers the PLAIN and LOGIN mechanisms to clients. The log_level setting can help in figuring out what is going on.

Configuring SASLAUTHD

Next you need to configure '''saslauthd''' and make sure that it is running (you can use the service application for this).

The configuration for saslauthd is located in /etc/sysconfig and is called simply saslauthd. You will need to make sure that the MECH setting points to PAM:

# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
MECH=pam
#MECH=shadow

# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=

Configuring PAM

Now we are ready to configure PAM for SVN. In order to do so we need to create a configuration file called '''svn''' that is located in the PAM configuration folder called /etc/pam.d.

The content of this file (svn) should be as follows:

auth sufficient pam_krb5.so no_user_check validate debug_sensitive
account sufficient pam_permit.so debug

Configuring the SVN Repository

Finally we are ready to configure our SVN repository (or repositories) to use SASL/PAM. To do so we need to modify the '''svnserve.conf''' file for each of our repositories. Those files are located at:
/path/to/repository/conf

Here are the settings that are required:

[general]

anon-access = read
auth-access = write

realm = BENCHMARKCONSULTING.COM

[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256

Here we need to make sure that the realm matches the realm used during the Kerberos setup. If no anonymous access should be granted, change anon-access to none instead of read.
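Two things in this setup are easy to get subtly wrong and quietly produce "authentication failed": the merged /etc/krb5.keytab ending up with a different principal than the svn/FQDN@REALM one created with ktpass (the ktutil listing above is where to look), and svnserve.conf not agreeing with the Kerberos realm. The script below is an added example, not part of the original post, that checks both offline against constructed sample files (the file names, host names and contents are all made up for the demo; on a real server you would point it at a saved "klist -k" listing and the real svnserve.conf and svn.conf). It also flags the combination the post uses, mech_list with plain/login and min-encryption = 0: PLAIN and LOGIN carry no security layer of their own, so the AD password crosses the network in clear text unless the svn:// connection is tunnelled or confined to a trusted network.

```shell
#!/bin/sh
# Added post-setup audit (example, not from the original post).
# All paths, host names and file contents below are constructed for the demo.

WORK=$(mktemp -d)

# Constructed sample: what "ktutil: list" / "klist -k" shows for a merged keytab.
cat > "$WORK/keytab-listing.txt" <<'EOF'
slot KVNO Principal
---- ---- ------------------------------------
   1    3 host/foobar.example.com@EXAMPLE.COM
   2    3 svn/foobar.example.com@EXAMPLE.COM
EOF

# Constructed sample svnserve.conf mirroring the settings in the post.
cat > "$WORK/svnserve.conf" <<'EOF'
[general]
anon-access = read
auth-access = write
realm = EXAMPLE.COM

[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
EOF

# Constructed sample svn.conf (the SASL side) with the mechanisms from the post.
cat > "$WORK/svn.conf" <<'EOF'
pwcheck_method: saslauthd
mech_list: plain login
log_level: 3
EOF

# keytab_has_principal LISTING PRINCIPAL
# Exact match on the principal column, so svn/host@REALM is not confused with
# host/host@REALM or with the same service in another realm.
keytab_has_principal() {
    awk -v p="$2" '$3 == p { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# ini_value FILE SECTION KEY -> prints the value of "key = value" under [section]
ini_value() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { sec = $0
                              sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec)
                              next }
        sec == want_sec {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == want_key) { print val; exit }
        }' "$1"
}

# sasl_mechs SVN_CONF -> prints the mech_list value in lower case
sasl_mechs() {
    awk -F': *' '$1 == "mech_list" { print tolower($2) }' "$1"
}

# check_svnserve_conf SVNSERVE_CONF SVN_CONF EXPECTED_REALM
# exit 0: consistent; 1: SASL disabled or realm mismatch;
# 2: consistent, but PLAIN/LOGIN are offered with min-encryption = 0, so the
#    AD password is sent in clear text unless the svn:// connection is tunnelled.
check_svnserve_conf() {
    use_sasl=$(ini_value "$1" sasl use-sasl)
    realm=$(ini_value "$1" general realm)
    min_enc=$(ini_value "$1" sasl min-encryption)
    mechs=$(sasl_mechs "$2")
    [ "$use_sasl" = "true" ] || { echo "use-sasl is '$use_sasl', expected true"; return 1; }
    [ "$realm" = "$3" ] || { echo "realm '$realm' does not match Kerberos realm '$3'"; return 1; }
    case " $mechs " in
        *" plain "*|*" login "*)
            if [ "${min_enc:-0}" -eq 0 ]; then
                echo "warning: mech_list offers PLAIN/LOGIN with min-encryption = 0"
                return 2
            fi ;;
    esac
    return 0
}

# Stand-alone run against the constructed samples.
if keytab_has_principal "$WORK/keytab-listing.txt" svn/foobar.example.com@EXAMPLE.COM; then
    echo "keytab: svn/ service principal present"
else
    echo "keytab: svn/ service principal MISSING (did rkt/wkt pick the right file?)"
fi
rc=0
check_svnserve_conf "$WORK/svnserve.conf" "$WORK/svn.conf" EXAMPLE.COM || rc=$?
echo "svnserve.conf check exit code: $rc"
```

On a live server, feed keytab_has_principal the output of klist -k /etc/krb5.keytab and pass the realm you entered in the Kerberos Settings window as the third argument; exit code 1 means the setup will not authenticate, exit code 2 means it will, but only the transport is protecting the password.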

Configuring the SVN service

Lastly you need to make sure that you have a running '''svnserve''' that can process the requests. You could run it stand-alone, but we manage it with xinetd as shipped with CentOS.

So, to manage it with xinetd you need to have a configuration file in the /etc/xinetd.d folder called svn that looks somewhat like this:

# Begin /etc/xinetd.d/svn
service svn
{
    disable     = no
    port        = 3690
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/bin/svnserve
    server_args = -i -r /usr/local/svnrepos --log-file /var/log/svn.log
    per_source  = 20
}
# End /etc/xinetd.d/svn

Obviously the server_args should match your repository location. The --log-file argument is optional, but it can help greatly.

Now that all of this is ready you can simply restart xinetd with the service application or restart only svn with:

chkconfig svn off
(wait for message)
chkconfig svn on

Conclusion

That's all there is to it. It might look like a lot of steps, but it is actually quite straightforward once you understand what's needed. Also make sure that file permissions are adequate everywhere for the processes to run.

Have fun and good luck.