Posted Dec 1, 2005 5:47:16 PM
I just finished setting up domain based authentication on our new SVN server here at work, so I thought I'd post my notes on the process and links to what you'll need - since I found that the information was pretty disparate.
First, a list of what I used and what you'll need:
- Subversion - obviously. I used version 1.2.3
- Apache Web Server - I used version 2.0.55
- mod_auth_sspi 1.0.3 - This has always been hard to come by, and there have always been various patches of it floating around. This place is a unified attempt to bring all the patches together, and it works very well. Grab the one for the appropriate version of Apache2.
I will assume that you've already installed both Apache 2.0.55 and SVN 1.2.3. If you haven't, please do so and then come back -- the installation for both of them is very simple and will only take you a few minutes to complete.
Step 1: mod_dav and mod_dav_svn
The first step to accessing SVN via Apache is to set up WebDAV. To do this, copy
C:\Program Files\Subversion\bin\mod_dav_svn.so
to:
C:\Program Files\Apache Group\Apache2\modules
Next edit your httpd.conf file, and add the following content:
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
<Location /svn>
DAV svn
SVNParentPath "/path/to/repositories"
</Location>
This example uses SVNParentPath to point to the parent folder of multiple SVN
repositories. If you set it to C:\repositories, then any directory you create under
it, such as C:\repositories\ProjectA, is accessible under the /svn URL, like so: http://localhost/svn/ProjectA.
If you only have 1 repository, or do not plan to use multiple repositories, you could use the SVNPath directive instead, and point
it directly to your SVN repository. This approach is more flexible though, and allows for expansion without
changing your configuration files.
mod_auth_sspi and mod_authz_svn
The next step is to enable domain based authentication and access control to your SVN repositories. Copy:
C:\Program Files\Subversion\bin\mod_authz_svn.so
to
C:\Program Files\Apache Group\Apache2\modules
And edit your httpd.conf file again to look like this:
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
<Location /svn>
DAV svn
SVNParentPath "D:/Engineering/svn/repos"
AuthName "My SVN Server"
AuthType SSPI
SSPIAuth On
SSPIOmitDomain On
SSPIAuthoritative On
SSPIDomain DOMAINNAME
Require valid-user
AuthzSVNAccessFile "C:/repositories/svnaccess.txt"
</Location>
You can see that we've added two modules, and several lines to our Location /svn element.
Set the SSPIDomain appropriately for the domain you want to authenticate against. SSPIOmitDomain On allows you
to authenticate against the domain without specifying it as an explicit prefix. You can turn that off if you like, but it's simpler to just leave it on.
We also add an AuthzSVNAccessFile directive that names the file we store our authorization information in, which leads us to:
AuthzSVNAccessFile
The AuthzSVNAccessFile specifies a plain text file that identifies which repositories users have access to. It's simple to set up; here's an example:
[groups]
developers=Tom,Dick,Harry,Sally,Sue
managers=Bill,Jean,Marry,Bob,Dave

[repositoryname:path]
@developers = rw
@managers = r
Bill = rw
Replace repositoryname with the name of your repository, which is a subdirectory under the
path you specified in the SVNParentPath directive, and path with the path you're
modifying, such as / for the whole repository, or /branches/Bill for a specific branch. In this example, we've given the group developers read write access, the
managers group read access, and explicitly given Bill read write access (he's a manager).
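To audit what a given domain user can actually do under such a file, here is a small evaluator, added as an example and not code from mod_authz_svn or the original post. The repository name ProjectA and the [ProjectA:/branches/Bill] section are constructed, and the lookup model (most specific path section wins, rights from all matching lines in that section are combined) is an assumption chosen to agree with the description of Bill above.

```python
import configparser

# Constructed sample: the page's example with repositoryname:path filled in as
# ProjectA:/ plus one hypothetical per-branch section (not from the post).
SAMPLE_AUTHZ = """\
[groups]
developers=Tom,Dick,Harry,Sally,Sue
managers=Bill,Jean,Marry,Bob,Dave

[ProjectA:/]
@developers = rw
@managers = r
Bill = rw

[ProjectA:/branches/Bill]
Bill = rw
* = r
"""

def load_authz(text):
    """Parse an access file into (groups, rules); nested groups are not handled."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {name: {u.strip() for u in members.split(",") if u.strip()}
              for name, members in cp["groups"].items()} if cp.has_section("groups") else {}
    rules = {s: dict(cp[s]) for s in cp.sections() if s != "groups"}
    return groups, rules

def _matches(subject, user, groups):
    if subject == "*":
        return True
    if subject.startswith("@"):
        return user in groups.get(subject[1:], set())
    return subject == user

def effective_access(user, repo, path, groups, rules):
    """Return 'rw', 'r' or '' for user at repo:path (assumed lookup model)."""
    parts = [p for p in path.split("/") if p]
    # Most specific section first: the path itself, then each parent up to "/".
    for depth in range(len(parts), -1, -1):
        candidate = "/" + "/".join(parts[:depth])
        for section in (f"{repo}:{candidate}", candidate):
            hits = [perm for subj, perm in rules.get(section, {}).items()
                    if _matches(subj, user, groups)]
            if hits:  # assumption: rights from all matching lines are combined
                granted = "".join(hits)
                return "".join(c for c in "rw" if c in granted)
    return ""

GROUPS, RULES = load_authz(SAMPLE_AUTHZ)
```

Under this model the branch section replaces the root rules rather than adding to them: Tom drops from rw to r inside /branches/Bill, and the `* = r` line there gives read access to every account that passes Require valid-user.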
Conclusion
You should now have web-based access to your SVN repository using domain based authentication! It's a good idea at this point to further protect the repository using an SSL configuration, which I won't cover here. I have some notes on it for an Apple platform that may be useful here and here - I'll cover it explicitly for a Windows installation in another post though, hopefully sometime soon.
Posted Nov 20, 2005 3:15:30 PM
This guide will walk you through installing Apache2 and SVN using Fink on OS X 10.4. You should be able to follow the same instructions for 10.3; however, there is not currently a stable release of SVN in the fink repository for OS X 10.2 and earlier.
Fink is a package management system for OS X based on Debian Linux's apt-get system. Since it compiles packages from source, you'll need to have Apple's Developer Tools installed. The latest version of the developer tools will install the necessary compilers - GCC 4.0 and GCC 3.3.
Installation
Fink
You can download Fink at fink.sourceforge.net. Currently, the latest stable release is 0.8.0 for OS X 10.4, 0.7.2 for OS X 10.3 and 0.6.4 for OS X 10.2. You should download the latest available stable release for your platform.
Once you've installed Fink you should update it. Open a Terminal window and run:
sudo fink self-update
This will cause Fink to check for updates to itself, as well as download the latest package information. You may be asked to provide information about how Fink should be configured, and in most circumstances you'll be fine to just accept the defaults.
Apache2
We'll install Apache 2 with SSL support first. This will allow us to configure Subversion to work through secure http connections.
sudo fink install apache2-ssl
You'll be prompted by Fink to satisfy a virtual dependency:
fink needs help picking an alternative to satisfy a virtual dependency. The candidates:
(1) apache2-ssl-mpm-worker: Apache2 Server Binary - [MPM WORKER]
(2) apache2-ssl-mpm-perchild: Apache2 Server Binary - [MPM PERCHILD *EXPERIMENTAL*]
(3) apache2-ssl-mpm-prefork: Apache2 Server Binary - [MPM PREFORK]
(4) apache2-ssl-mpm-leader: Apache2 Server Binary - [MPM LEADER *EXPERIMENTAL*]
(5) apache2-ssl-mpm-threadpool: Apache2 Server Binary - [MPM THREADPOOL *EXPERIMENTAL*]
Unless you have a preference in mind already, choose the default (1) to install MPM Worker. You may be prompted again to satisfy a second dependency:
fink needs help picking an alternative to satisfy a virtual dependency. The candidates:
(1) db43-ssl: Berkeley DB embedded database
(2) db43: Berkeley DB embedded database - non crypto
And again, unless you have a preference in mind, choose the default.
Fink will prompt you with the list of dependent packages that will be installed. Simply press enter to accept, and let Fink work its magic.
Next we'll install the mod_ssl module for Apache2, by executing:
sudo fink install libapache2-ssl-mod-ssl
When it's done, you'll be able to start Apache2 by executing:
/sw/sbin/apachectl start
And stop it using:
/sw/sbin/apachectl stop
Subversion
Installing Subversion with Fink is equally simple. svn-ssl installs the SVN server utilities, and svn-client
installs the SVN client software; we'll install the SSL enabled versions of both these packages.
sudo fink install svn-ssl
sudo fink install svn-client-ssl
If you're prompted to satisfy dependencies, the defaults will usually do. Simply sit back and let Fink work its magic.
WebDAV
The final package we'll install is libapache2-ssl-mod-svn, which enables serving repositories using WebDAV.
sudo fink install libapache2-ssl-mod-svn
Configuration
SSL
Now that we have everything installed, we'll configure Apache2 for SSL support. Most of the work has already been done for us by Fink, but we still need to create and install our own self signed RSA certificate. See my guide to creating an apache2 SSL certificate to create a private key file and self signed public key certificate, and then do the following to install it into Apache2:
sudo mkdir /sw/etc/apache2/ssl.key
sudo mkdir /sw/etc/apache2/ssl.crt
sudo cp ~/server.key /sw/etc/apache2/ssl.key/
sudo cp ~/server.crt /sw/etc/apache2/ssl.crt/
sudo chmod 0400 /sw/etc/apache2/ssl.key/server.key
sudo chmod 0400 /sw/etc/apache2/ssl.crt/server.crt
Now, when you start Apache, you'll be prompted for your private key's password; this is because it is encrypted for security reasons. This can be a nuisance, but it's recommended that you keep it this way. If you decide not to, however, here are the steps to decrypt it so you're not prompted anymore:
cd /sw/etc/apache2/ssl.key
sudo cp server.key server.key.orig
sudo openssl rsa -in server.key.orig -out server.key
Creating SVN Repositories
Choose a location on your hard drive under which all your SVN repositories will reside. I'll use /opt/repositories, but
the location really doesn't matter. We'll create a new "test" repository in this directory:
mkdir /opt/repositories/
mkdir /opt/repositories/test
svnadmin create /opt/repositories/test
I like to set the file system permissions on it such that only Apache2 can write to it:
sudo chown -R www /opt/repositories/test
sudo chmod -R 0700 /opt/repositories/test
You should substitute the name of the user you run Apache2 as for "www".
WebDAV Access and Authentication
Finally, we'll enable WebDAV access to your SVN repository in Apache and set up user authentication. Add the following
to your /sw/etc/apache2/ssl.conf file:
<Location /svn>
DAV svn
SVNParentPath /opt/repositories
AuthType BASIC
AuthName "Subversion Repository"
AuthUserFile /sw/etc/apache2/svn-auth-file
Require valid-user
</Location>
We'll then create the /sw/etc/apache2/svn-auth-file using htpasswd. You'll use this file to maintain the list
of users and passwords that can access your repositories.
sudo htpasswd -cm /sw/etc/apache2/svn-auth-file username
This will create a new user file and add the specified user (username above is a placeholder for the account name) to it. You can use htpasswd to add, remove and edit users from this file as you see fit.
Conclusion
You'll now have a secure SVN server accessible through Apache2 using WebDAV.
Posted Nov 9, 2005 4:56:39 PM
Apple posted an article yesterday titled "Getting Control with Subversion and XCode". I've only had time to skim it briefly, but it seems to be a pretty decent guide to setting up Subversion with Apache 2 and WebDAV - and then integrating SVN into XCode! I'm going to give this a try tonight, I'll post results later.
Meanwhile, here's the article.