Posts Tagged ‘Server’

Subversion, webdav, LDAP and folder restrictions

If you need to configure an SVN server on Linux with LDAP authentication, WebDAV access and per-directory restrictions, you can follow these instructions.

  • One: install Subversion and Apache on your Linux server (I will omit this part).
  • Two: configure WebDAV so that SVN is reachable over HTTP, and configure LDAP access.

    Make sure to have the following apache modules installed and configured:

    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule dav_module modules/mod_dav.so
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so
    LoadModule authn_alias_module modules/mod_authn_alias.so
    

    Assumptions:

    • I usually configure Subversion in the /srv/svn folder.
    • The users allowed to access the SVN have to belong to the LDAP group CN=SVN-AUTHORIZATION,OU=Groups GSO,DC=test,DC=example,DC=com

    Edit /etc/apache2/mods-enabled/dav_svn.conf (this path is valid for Ubuntu; other distributions may place the file elsewhere) and make sure it contains the following:

    <Location /svn/>
      # Enable svn over webdav
      DAV svn
      # Set parent path for multiple repositories
      SVNParentPath /srv/svn/
      # Set authentication type
      AuthType Basic
      # Set authentication name
      AuthName "FLR Subversion Repository"
      # Set authorization (permissions) file
      AuthzSVNAccessFile /etc/apache2/dav_svn.authz
      # Allow to list the parent path
      SVNListParentPath On
      # Use LDAP for authentication
      AuthBasicProvider ldap
      # LDAP server is authoritative (so it is the final step for authentication)
      AuthzLDAPAuthoritative On
      # LDAP bind user
      AuthLDAPBindDN "CN=svnbind,OU=Users OS,DC=test,DC=example,DC=com"
      # LDAP bind password
      AuthLDAPBindPassword mypassword
      # LDAP URL
      AuthLDAPUrl "ldap://ldap_ip_address:389/DC=test,DC=example,DC=com?sAMAccountName?sub?(&(&(objectClass=user)(objectCategory=person))(memberof=CN=SVN-AUTHORIZATION,OU=Groups GSO,DC=test,DC=example,DC=com))"
    
      # A valid user is required
      Require valid-user
    </Location>
  • Three: create the permission file /etc/apache2/dav_svn.authz.
    Adapt the following content to your needs:

    [groups]
    admin = matteo
    group1 = user1, user2, user3
    group2 = user2
    group3 = user4
    
    ###################################
    [/]
    * = r
    @admin = rw
    ###################################
    [repository1:/]
    * = rw
    ###################################
    [repository2:/]
    * =
    @admin = rw
    @group1 = rw
    ###################################
    [repository3:/]
    * =
    @admin = rw
    @group2 = rw
    @group1 = r
    ###################################
    [repository4:/]
    * = r
    @admin = rw
    [repository4:/trunk/sources]
    * = r
    @admin = rw
    @group3 = rw
    ###################################

    Now restart Apache with: /etc/init.d/apache2 restart

  • Four: create repositories.

    As root issue the following commands:

    cd /srv/svn
    svnadmin create repository1
    chown www-data.www-data -R repository1
    svnadmin create repository2
    chown www-data.www-data -R repository2
    svnadmin create repository3
    chown www-data.www-data -R repository3
    svnadmin create repository4
    chown www-data.www-data -R repository4

    You are now ready to use your new Subversion repositories with LDAP accounts, WebDAV access and custom per-user/group directory restrictions.
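The access file in step three is where every directory restriction lives, so a typo there either locks users out or, worse, leaves a repository open to every account that passed the LDAP group filter. As an added example (not part of the original post), the Python script below parses an AuthzSVNAccessFile with configparser and reports two things worth checking before restarting Apache: @group references that the [groups] block does not define (mod_authz_svn rejects such a file), and sections whose `*` rule grants write access to every authenticated user, which in the file above is repository1. It also expands groups to the named users who can write in a given section. It deliberately does not evaluate Subversion's path-precedence rules. SAMPLE_AUTHZ is a constructed copy of the file shown above; the function names are chosen here.

```python
import configparser

# Constructed copy of the access file from step three (without the ### separators);
# the real file lives at /etc/apache2/dav_svn.authz.
SAMPLE_AUTHZ = """\
[groups]
admin = matteo
group1 = user1, user2, user3
group2 = user2
group3 = user4

[/]
* = r
@admin = rw

[repository1:/]
* = rw

[repository2:/]
* =
@admin = rw
@group1 = rw

[repository3:/]
* =
@admin = rw
@group2 = rw
@group1 = r

[repository4:/]
* = r
@admin = rw

[repository4:/trunk/sources]
* = r
@admin = rw
@group3 = rw
"""


def parse_authz(text):
    """Parse an AuthzSVNAccessFile into (groups, rules).

    groups: {group_name: set_of_users}
    rules:  {section_name: {principal: access_string}} for every non-[groups] section.
    Keys keep their case because principals are case-sensitive; an empty value
    (e.g. '* =') comes back as '' and therefore grants nothing.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=True)
    cp.optionxform = str  # keep '*', '@admin' and user names exactly as written
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, rules


def undefined_groups(groups, rules):
    """Sorted '@group' references whose group is missing from [groups]."""
    missing = set()
    for principals in rules.values():
        for principal in principals:
            if principal.startswith("@") and principal[1:] not in groups:
                missing.add(principal)
    return sorted(missing)


def world_writable_sections(rules):
    """Sections where the wildcard '*' grants write access to every authenticated user."""
    return sorted(s for s, principals in rules.items() if "w" in principals.get("*", ""))


def writers(section, groups, rules):
    """Named users granted 'w' in one section, with groups expanded.
    '*' is kept literally: its members are whoever the LDAP filter lets in."""
    out = set()
    for principal, access in rules[section].items():
        if "w" not in access:
            continue
        if principal.startswith("@"):
            out |= groups.get(principal[1:], set())
        else:
            out.add(principal)
    return out


def lint(text):
    """Summary a sysadmin can eyeball before restarting Apache."""
    groups, rules = parse_authz(text)
    return {
        "undefined_groups": undefined_groups(groups, rules),
        "world_writable": world_writable_sections(rules),
    }


if __name__ == "__main__":
    print(lint(SAMPLE_AUTHZ))
    for section in parse_authz(SAMPLE_AUTHZ)[1]:
        print(section, "writers:", sorted(writers(section, *parse_authz(SAMPLE_AUTHZ))))
```

To check the live file, replace SAMPLE_AUTHZ with the contents of /etc/apache2/dav_svn.authz; a non-empty "undefined_groups" list means Apache will refuse the file, and every entry in "world_writable" is a repository that any account matching the AuthLDAPUrl filter can commit to.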

Virtual users on vsftpd

I usually configure vsftpd on web servers to allow FTP access per domain. A few days ago a client asked me to create multiple FTP users for a single domain, each with a different root folder inside that domain.

This is my usual /etc/vsftpd.conf:

listen=YES
anonymous_enable=NO
local_enable=YES
virtual_use_local_privs=YES
write_enable=YES
connect_from_port_20=YES
xferlog_enable=YES
pam_service_name=vsftpd
guest_enable=YES
guest_username=www-data
user_sub_token=$USER
local_root=/var/www/$USER
chroot_local_user=YES
hide_ids=YES
force_dot_files=YES
ftpd_banner=Welcome to my private FTP service.
local_umask=022

and this is my /etc/pam.d/vsftpd

auth required pam_pwdfile.so pwdfile /etc/ftpd.passwd
account required pam_permit.so

The first time, create the file /etc/ftpd.passwd in this way:

htpasswd -c -d -b /etc/ftpd.passwd domain1.com <password>

For subsequent users simply omit the -c parameter:

htpasswd -d -b /etc/ftpd.passwd domain2.com <password>

With this simple configuration, each domain user connects with credentials like these:

  • host: domain1.com
  • username: domain1.com
  • password: password
  • port: 21
  • Root folder: /var/www/domain1/

Now the point is: how can we create multiple users for a single domain, each one with a different root folder?
The answer is pretty simple, follow me!

Create the folder /var/www/users and add the following line at the end of /etc/vsftpd.conf:

user_config_dir=/var/www/users

In the folder /var/www/users create a file for each virtual user, named after the login (for example user1.domain1.com) and containing a line with the root directory for that user:

echo "local_root=/var/www/domain1.com/pub/user1" > /var/www/users/user1.domain1.com

Now add the new user/password in /etc/ftpd.passwd as usual:

htpasswd -d -b /etc/ftpd.passwd user1.domain1.com <password>

Restart the vsftpd server and test your new configuration!
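To make the two mechanisms explicit, here is an added Python example (not from the original post) that mirrors how vsftpd picks a virtual user's root folder: the global local_root with user_sub_token substituted by the login name, overridden by the per-user file in user_config_dir when that option is set. Because the login name ends up in a filesystem path, the helper that writes a per-user file first checks that the user and domain names are plain labels that cannot carry the chroot outside /var/www/<domain>/pub. SAMPLE_VSFTPD_CONF and SAMPLE_USER_CONFIGS are constructed copies of the configuration above; parse_conf, effective_local_root, is_safe_name, render_user_conf and write_user_conf are names chosen here.

```python
import os
import posixpath
import re

# Constructed copy of the relevant lines of /etc/vsftpd.conf from the post,
# with the user_config_dir line appended as the post instructs.
SAMPLE_VSFTPD_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
virtual_use_local_privs=YES
write_enable=YES
guest_enable=YES
guest_username=www-data
user_sub_token=$USER
local_root=/var/www/$USER
chroot_local_user=YES
user_config_dir=/var/www/users
"""

# Constructed per-user file, keyed by file name, as it would sit in user_config_dir.
SAMPLE_USER_CONFIGS = {
    "user1.domain1.com": "local_root=/var/www/domain1.com/pub/user1\n",
}

# A login label: alphanumerics, dots, dashes, underscores; no slash, no leading dot.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def parse_conf(text):
    """Parse vsftpd's key=value format; blank lines and # comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def effective_local_root(username, conf_text, user_configs):
    """Root folder vsftpd would chroot this login into.

    user_configs maps file name -> file content, i.e. what user_config_dir holds;
    vsftpd loads the file whose name equals the login, then substitutes
    user_sub_token in local_root.
    """
    conf = parse_conf(conf_text)
    if conf.get("user_config_dir") and username in user_configs:
        conf.update(parse_conf(user_configs[username]))
    root = conf.get("local_root", "")
    token = conf.get("user_sub_token")
    if token:
        root = root.replace(token, username)
    return root


def is_safe_name(name):
    """True if the name is a single path component usable in a login and a path."""
    return bool(NAME_RE.match(name))


def render_user_conf(domain, user, www_root="/var/www"):
    """Return (file_name, content) for a virtual user of a domain, refusing names
    that would place the root outside <www_root>/<domain>/pub."""
    for name in (domain, user):
        if not is_safe_name(name):
            raise ValueError(f"unsafe name: {name!r}")
    base = posixpath.join(www_root, domain, "pub")
    root = posixpath.normpath(posixpath.join(base, user))
    if posixpath.commonpath([base, root]) != base:  # defence in depth
        raise ValueError(f"root {root!r} escapes {base!r}")
    return f"{user}.{domain}", f"local_root={root}\n"


def write_user_conf(domain, user, users_dir="/var/www/users", www_root="/var/www"):
    """Create the user's root folder and the per-user file; returns the file path.
    Run as root on the server, then chown the root folder to guest_username."""
    login, content = render_user_conf(domain, user, www_root)
    os.makedirs(content.split("=", 1)[1].strip(), exist_ok=True)
    path = os.path.join(users_dir, login)
    with open(path, "w") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    for login in ("domain1.com", "user1.domain1.com"):
        print(login, "->", effective_local_root(login, SAMPLE_VSFTPD_CONF, SAMPLE_USER_CONFIGS))
```

After write_user_conf, add the password with the htpasswd command from the post. Note that htpasswd -d stores a crypt() hash, which only uses the first 8 characters of the password.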