Question

I am setting up an SVN repository with Httpd. Currently, my repository is available through Httpd, but anybody can check out and commit back. I want to limit the commit action using Microsoft Active Directory Authentication.

I am using the following in my subversion.conf.

<Location /repos>
   DAV svn

   # Directory containing all repository for this path
   SVNParentPath /srv/svn/repositories

   # List repositories collection
   SVNListParentPath On

   # Enable WebDAV automatic versioning
   SVNAutoversioning On

   # Repository Display Name
   SVNReposName "RepositoryName"

   # Do basic password authentication in the clear
   AuthType Basic

   # The name of the protected area or "realm"
   AuthName "RepositoryName"

   # Make LDAP the authentication mechanism
   AuthBasicProvider ldap

   # Let other authorization modules decide when LDAP authorization fails
   AuthzLDAPAuthoritative off

   # Active Directory requires an authenticating DN to access records
   #AuthLDAPBindDN "ou=people,o=example,dc=com"

   # The LDAP query URL
   AuthLDAPURL "ldap://example.com:389/DC=com,DC=example,ou=people?uid(objectClass=*)" NONE

   # Read access to everyone
   Satisfy Any

   # Require a valid user
   Require valid-user

   # Authorization file
   AuthzSVNAccessFile /subversion/apache2/auth/repos.acl

   # Limit write permission to list of valid users.
   #<LimitExcept GET PROPFIND OPTIONS REPORT>
      # Require SSL connection for password protection.
      # SSLRequireSSL

      #AuthType Basic
      #AuthName "Authorization Realm"
      #AuthUserFile /etc/httpd/conf/.htpasswd
      #Require valid-user
   #</LimitExcept>
</Location>

With the above configuration, it asks for the credentials every time. Also, when they are provided, the repository is inaccessible. I get a 500 Internal Server Error after giving the correct credentials.

I did check the log files, but there is nothing there to indicate the actual cause.

Solution 2

Ok. I got the first part done.

With reference to the "6. Access control lists" section here, I added read-only access in the AuthzSVNAccessFile file.

# Authorization file
AuthzSVNAccessFile /srv/svn/repos.acl

Contents of /srv/svn/repos.acl file

[/]
* = r

Now, all my repositories will be anonymously accessible. Now the commit part is remaining.

Now I get the following message when I commit.

Commit failed (details follow):
Server sent unexpected return value (500 Internal Server Error) in response to 
MKACTIVITY request for '/repos/project1/!svn/act/783d45f7-ae05-134d-acb0-f36c007af59d'

Other tips

In order to allow public reading/checkout, you need to uncomment the bit between the <LimitExcept> directive and comment out the separate Require valid-user line above it.

The directive <LimitExcept GET PROPFIND OPTIONS REPORT> tells the server that everything inside it does not apply to any GET, PROPFIND, OPTIONS or REPORT request to the repository, which are used for checking out/reading the repo. In other words, if you put this bit of code in your Apache configuration, it would only require a valid user for anything other than the mentioned methods (e.g. it would require a valid user if a PUT request is made to commit):

<LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
</LimitExcept>

In your case, it should probably look something like this (I just slightly modified your posted config, assuming that it is correct besides the forced login issue; I have no LDAP server to test it with. Remember to replace example.com in your AuthLDAPURL with the real server host):

<Location /repos>
   DAV svn

   # Directory containing all repository for this path
   SVNParentPath /srv/svn/repositories

   # List repositories collection
   SVNListParentPath On

   # Enable WebDAV automatic versioning
   SVNAutoversioning On

   # Repository Display Name
   SVNReposName "RepositoryName"

   # Do basic password authentication in the clear
   AuthType Basic

   # The name of the protected area or "realm"
   AuthName "RepositoryName"

   # Make LDAP the authentication mechanism
   AuthBasicProvider ldap

   # Let other authorization modules decide when LDAP authorization fails
   AuthzLDAPAuthoritative off

   # Active Directory requires an authenticating DN to access records
   #AuthLDAPBindDN "ou=people,o=example,dc=com"

   # The LDAP query URL
   AuthLDAPURL "ldap://example.com:389/DC=com,DC=example,ou=people?uid(objectClass=*)" NONE

   # Authorization file
   AuthzSVNAccessFile /subversion/apache2/auth/repos.acl

   # Limit write permission to list of valid users.
   <LimitExcept GET PROPFIND OPTIONS REPORT>
       SSLRequireSSL
       Require valid-user
   </LimitExcept>
</Location>

As long as you put the Require valid-user inside the LimitExcept, everything should work just as you want it to. You can put the rest of the authentication configuration anywhere within the Location directive.

Every Subversion server that I've seen:

  • Allows anonymous checkout with no commit.
  • Requires authenticated checkout and allows commit.

I believe that the Subversion commit process has to be:

  • Receive authentication credentials.
  • Checkout code with authentication.
  • Reapply changes.
  • Commit changes.

I suggest using Visual SVN Server. It has support for Active Directory. Visual SVN Server installs the Apache and svn binaries. It also creates the necessary conf file for Apache.

Install it with the features you want and inspect the Apache configuration file it creates. I also suggest using/buying it instead of maintaining your own Apache server, if you can run it on a Windows box.

Just some notes:

  1. I have never seen SVNAutoversioning used inside a Subversion location
  2. Reading the Apache error log can give more detailed information than "500 Error" in case of trouble
  3. I have read here, on SO, some topics about troubles with Subversion on CentOS related to the owner of the Apache process (some httpd processes have a different owner than others: nobody and httpd): check it with ps -au | grep
  4. Troubles on commit are usually related to insufficient permissions: the Apache process must have write permissions for all files in the repository
  5. Last, but not least, with higher priority than points 3-4: when using AuthzSVNAccessFile, at least one user|group for at least one path has to have write permissions ... = rw in order to commit. I don't know how to write a username inherited from AD in the repos.acl file
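
Added example (not part of any post above): a simplified Python model of how path-based rules in an AuthzSVNAccessFile resolve, showing why the "[/] * = r" file posted earlier lets nobody commit until some user or group is granted rw. The group, user names and the project1:/trunk section are constructed assumptions, names are assumed to match what Apache authenticated, and aliases, "~" inversion and "$authenticated" tokens are not handled.

```python
import configparser

PAGE_ACL = "[/]\n* = r\n"          # the repos.acl contents posted on this page
SAMPLE_ACL = PAGE_ACL + """
[groups]
committers = alice, bob

[project1:/trunk]
@committers = rw
"""                                 # constructed: group, users and path are assumptions

def load_authz(text):
    """Return (groups, {(repo, path): {principal: access}}) from authz file text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str            # keep user names case-sensitive
    cp.read_string(text)
    groups, rules = {}, {}
    for name in cp.sections():
        if name == "groups":
            groups = {g: {m.strip() for m in v.split(",")} for g, v in cp[name].items()}
        else:
            repo, _, path = name.rpartition(":")   # "[/x]" applies to every repository
            rules[(repo, path.rstrip("/") or "/")] = dict(cp[name])
    return groups, rules

def access(text, user, repo, path):
    """Effective access '', 'r' or 'rw'; user=None models an anonymous request."""
    groups, rules = load_authz(text)
    path = path.rstrip("/") or "/"
    while True:
        for key in ((repo, path), ("", path)):     # repository-specific section first
            granted = [acc for who, acc in rules.get(key, {}).items()
                       if who == "*" or who == user
                       or (who[:1] == "@" and user in groups.get(who[1:], ()))]
            if granted:                            # closest matching section decides
                return "rw" if "rw" in granted else "r" if "r" in granted else ""
        if path == "/":
            return ""                              # nothing matched: deny
        path = path.rsplit("/", 1)[0] or "/"       # fall back to the parent directory

def any_write_rule(text):
    """False means no principal can ever commit, whatever Apache authenticates."""
    _, rules = load_authz(text)
    return any("w" in acc for section in rules.values() for acc in section.values())

if __name__ == "__main__":
    print(any_write_rule(PAGE_ACL), access(SAMPLE_ACL, "alice", "project1", "/trunk/src"))
```

Running any_write_rule over the deployed ACL before rollout catches the case where authentication succeeds but every commit is still refused by authorization.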
License: CC-BY-SA with attribution
Not affiliated with StackOverflow