RHEL5 svn+https

Introduction

Here are the steps I took to install Subversion over https on RHEL5.

Requirements

You will need mod_dav_svn in order to use Apache authentication for subversion repositories and mod_ssl for Apache over SSL to configure https+svn.

To install these if you are using the Apache RPM provided by RedHat Network: yum install mod_ssl mod_dav_svn

You will then need to reload apache.

Check config for errors: httpd -t

Reload service: service httpd reload

Apache configuration

By default, mod_ssl will add a ssl.conf file to /etc/httpd/conf.d/ssl.conf and include a default localhost certificate with generic information.  You can create a self-signed cert if you like or purchase a valid certificate.

I configured a virtual host to handle the subversion repository. Here is a copy of my virtual host stanza.

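<VirtualHost *:443>
    # No SSL directives are shown in this stanza; a vhost serving https needs
    # SSLEngine on and the SSLCertificateFile/SSLCertificateKeyFile settings,
    # as in the default ssl.conf.
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/html
    ServerName svn.example.com
    ErrorLog logs/svn.example.com-error_log
    CustomLog logs/svn.example.com-access_log common

    <Location />
        # Serve every repository found under the parent directory
        DAV svn
        SVNParentPath /path/to/repo/

        # HTTP Basic authentication against the htpasswd file
        AuthType Basic
        AuthName "Subversion repository"
        AuthUserFile /path/to/svn-auth-file
        Require valid-user

        # Per-repository, per-path authorization (mod_authz_svn)
        AuthzSVNAccessFile /path/to/svn-policy-file
    </Location>
</VirtualHost>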

SVN Policy File

Located at /path/to/svn-policy-file. The access file below will allow every authenticated user read access for a listing of all the repos.  By selecting repo1, user1 and user2 will be able to view the entire repo1 but user3 and user4 cannot.

[groups]
admins = admin1, admin2, admin3

[/:/]
@admins = rw
* = r

[repo1:/]
@admins = r
user1 = r
user2 = r

[repo2:/]
@admins = r
user3 = r
user4 = r

Apache Basic Authentication File

Finally we need to create an Apache authentication file for access to the subversion repository.

# Each command prompts for that user's password.
htpasswd -cm /path/to/svn-auth-file user1
htpasswd -m /path/to/svn-auth-file user2
htpasswd -m /path/to/svn-auth-file user3
htpasswd -m /path/to/svn-auth-file user4

Note: Only the first command has -c option to create the file!
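
An added example, not part of the original post: with Require valid-user, a name in the policy file only takes effect if the same name exists in the AuthUserFile. This script lists the mismatches in both directions. The function names and the account olduser are made up for the illustration, and the sample files are constructed.

```shell
#!/bin/sh
# Cross-check the htpasswd file (AuthUserFile) against the authz policy file.

# Every user the policy names: [groups] members plus users on rule lines.
policy_users() {                # $1 = policy file
    awk -F= '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { in_groups = ($0 ~ /^[ \t]*\[groups\]/); next }
        NF < 2      { next }
        { lhs = $1; gsub(/[ \t]/, "", lhs) }
        in_groups {                       # group = member, member, ...
            n = split($2, m, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", m[i])
                if (m[i] != "" && m[i] !~ /^[@&]/) print m[i]
            }
            next
        }
        lhs !~ /^[@*~$&]/ { print lhs }   # skip @group, *, ~negation, $token, &alias
    ' "$1" | sort -u
}

htpasswd_users() { cut -d: -f1 "$1" | sort -u; }   # $1 = htpasswd file

compare() {   # $1 = policy, $2 = htpasswd, $3 = side to report (p or h)
    d=$(mktemp -d) || return 1
    policy_users "$1" > "$d/p"; htpasswd_users "$2" > "$d/h"
    if [ "$3" = p ]; then grep -vxF -f "$d/h" "$d/p" || :
    else grep -vxF -f "$d/p" "$d/h" || :; fi
    rm -rf "$d"
}
missing_from_auth()  { compare "$1" "$2" p; }   # named in policy, no htpasswd entry
unlisted_in_policy() { compare "$1" "$2" h; }   # can log in, only "*" rules apply

# Constructed sample: the policy from this page, auth file with placeholder hashes.
write_sample() {                # $1 = existing directory
    printf '%s\n' '[groups]' 'admins = admin1, admin2, admin3' \
        '[/:/]' '@admins = rw' '* = r' \
        '[repo1:/]' '@admins = r' 'user1 = r' 'user2 = r' \
        '[repo2:/]' '@admins = r' 'user3 = r' 'user4 = r' > "$1/policy"
    printf '%s:PLACEHOLDER\n' user1 user2 olduser > "$1/auth"
}

s=$(mktemp -d) && write_sample "$s"
echo "No htpasswd entry: $(missing_from_auth "$s/policy" "$s/auth" | tr '\n' ' ')"
echo "Named in no rule:  $(unlisted_in_policy "$s/policy" "$s/auth" | tr '\n' ' ')"
rm -rf "$s"
```

Run it against the real /path/to/svn-policy-file and /path/to/svn-auth-file whenever an account is added or removed, so stale logins and rules for accounts that cannot log in are both caught.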

SELinux

I found this great post explaining how to get mod_svn, subversion and selinux all working together.

SELinux, Subversion and mod_svn

Excellent SELinux troubleshooting explained: http://www.threepillarglobal.com/troubleshooting-selinux-issues

Here’s what happened to me. I wanted to put my repository in a partition that was not under /var, which is where Apache by default stores its DocumentRoot.  Knowing that files need a particular SELinux context to run correctly under Apache, I edited the security context to be the same as the /var/www/html directory, which is the default directory.

chcon -R --reference=/var/www/html /path/to/repo

I was still getting SELinux errors and a permission denied. All UNIX permissions were correct so I knew it was still SELinux.  So looking at the audit.log errors, I noticed that, similar to UNIX permissions, SELinux permissions are inherited and the permissions have to be correct going up to / as they are going down to the /path/to/repo.  So that led me to check the SELinux permission on /data which is the partition I wanted my data on.

It was the SELinux permissions on /data that were preventing Apache from working properly. To resolve this I did the following:

chcon --reference=/var /data

NOTE: Make sure this change doesn’t break any other application that may be accessing files or using /data as its partition.
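
An added example, not part of the original post: the two checks described above as one script, listing the SELinux context of every directory between the repository and /, and summarising which object httpd was denied on. The function names are made up for the illustration and the audit lines are constructed.

```shell
#!/bin/sh
# Find which directory on the way to the repository Apache is denied on.

# Print the absolute path and each parent directory up to /, one per line.
ancestors() {                   # $1 = absolute path
    case $1 in /*) p=$1 ;; *) return 1 ;; esac
    while [ "$p" != / ]; do
        printf '%s\n' "$p"
        p=$(dirname "$p")
    done
    printf '/\n'
}

# Show the SELinux context of every directory on the path (run on the server).
path_contexts() { ancestors "$1" | while read -r dir; do ls -dZ "$dir"; done; }

# Read audit.log text on stdin; print "permission name class target-context"
# once for each distinct denial logged against httpd.
httpd_denials() {
    awk '/avc:/ && /denied/ && /comm="httpd"/ {
        perm = name = cls = ctx = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{")              perm = $(i + 1)
            else if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
            else if ($i ~ /^tcontext=/) ctx = substr($i, 10)
        }
        print perm, name, cls, ctx
    }' | sort -u
}

# Constructed audit.log lines (not captured from a real host).
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1300000000.101:51): avc:  denied  { search } for  pid=2101 comm="httpd" name="data" dev=sdb1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1300000005.202:52): avc:  denied  { search } for  pid=2102 comm="httpd" name="data" dev=sdb1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1300000009.303:53): avc:  denied  { read } for  pid=2200 comm="sendmail" name="mail" dev=sda2 ino=77 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
EOF
}

sample_audit | httpd_denials    # on a server: httpd_denials < /var/log/audit/audit.log
```

A denied "search" on a directory (tclass=dir) points at a parent such as /data rather than at the repository files; path_contexts /path/to/repo then shows which ancestor carries a context that differs from the /var tree.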

Now on to install redmine …


Anonymous LDAP Windows 2003 AD

I found this great article here: http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm

I recently went to a new company and wanted to setup an application to use their central AD.  Not knowing anything about their setup, and not having any access to the AD server, I was able to determine that anonymous read access was not enabled in our environment.

By default, anonymous LDAP operations, except rootDSE searches and binds, are not permitted on Windows 2003 domain controllers. This means that when trying to perform an unauthenticated search in AD, you can query for attributes of the RootDSE object only – any other query will result in the DC requesting an authenticated bind to LDAP and refusing your query.

Let’s see what we are allowed to see when trying to perform an anonymous lookup against W2K3 domain controller.

The query below is performed from a Linux machine just to eliminate the query tools attempt on Windows to perform GSSAPI authentication.

Just to decipher the syntax above:

  • -h hostname.domain.com (perform the query against specified host)
  • -b '' (Use RootDSE as the search base)
  • -x (Use simple bind, no encryption)
  • -LLL (Print responses in LDIF format without comments and version)
  • -s base (Do a base search as opposed to a subtree or onelevel)
  • 'objectClass=*' (LDAP filter which basically means: return anything you find)

If you repeat the above command with -s sub (Subtree scope) query you will get an error message similar to the following. This tells you that anonymous bind access is disabled for the domain.

svn propset

Fixing a broken EOL file

If you find a file that was incorrectly checked in, it’s not too hard to fix.

First, change the file to the correct line-ending style for your platform. Any programming editor should be able to switch styles with some built-in command, or you can use a ‘fromdos’ or ‘todos’-type utility.

Once it’s fixed, set the property and check it in:

For a file:
svn propset svn:eol-style native filename
svn commit filename

For a symlink:
svn propset svn:special native filename
svn commit filename

For a binary:
svn propset svn:mime-type application/octet-stream filename
svn commit filename

Still getting ? on some directories?  Make sure you don’t have a checkout within a checkout.

Enable auto-props for SVN client

You will need to edit the subversion config file.

In Linux/Cygwin, place this file in ~/.subversion/config.
In Windows, place this file in C:\Documents and Settings\%USERNAME%\Application Data\Subversion\config

In Windows for Eclipse:

In Eclipse you’ve got to set the path to your config file:

Window > Preferences > Team > SVN > “Configuration Location” > “Use directory”

To enable

[miscellany]
### Set enable-auto-props to 'yes' to enable automatic properties
### for 'svn add' and 'svn import', it defaults to 'no'.
### Automatic properties are defined in the section 'auto-props'.
enable-auto-props = yes

[auto-props]
*.rb = svn:keywords=Id Author Revision HeadURL Date

# etc specific
*.conf = svn:eol-style=native; svn:mime-type=text/plain

Add the following to it:

[auth]
# store-passwords = no
# store-auth-creds = no

[helpers]
# editor-cmd = editor (vi, emacs, notepad, etc.)
# diff-cmd = diff_program (diff, gdiff, etc.)
# diff3-cmd = diff3_program (diff3, gdiff3, etc.)
# diff3-has-program-arg = [true | false]

[tunnels]
# ssh = c:\ssh\plink.exe
# rsh = rsh
# rsh = /path/to/rsh -l myusername

[miscellany]
# global-ignores = *.o *.lo *.la #*# .*.rej *.rej .*~ *~ .#* .DS_Store
# log-encoding = latin1
# use-commit-times = yes
# no-unlock = yes
enable-auto-props = yes

[auto-props]
### The format of the entries is:
###   file-name-pattern = propname[=value][;propname[=value]...]
### The file-name-pattern can contain wildcards (such as '*' and
### '?').  All entries which match will be applied to the file.
### Note that auto-props functionality must be enabled, which
### is typically done by setting the 'enable-auto-props' option.
# *.c = svn:eol-style=native
# *.cpp = svn:eol-style=native
# *.h = svn:eol-style=native
# *.dsp = svn:eol-style=CRLF
# *.dsw = svn:eol-style=CRLF
# *.sh = svn:eol-style=native;svn:executable
# *.txt = svn:eol-style=native
# *.png = svn:mime-type=image/png
# *.jpg = svn:mime-type=image/jpeg
# Makefile = svn:eol-style=native

# etc specific
*.conf       = svn:eol-style=native; svn:mime-type=text/plain
*.rules      = svn:eol-style=native; svn:mime-type=text/plain
*.repo       = svn:eol-style=native; svn:mime-type=text/plain

# Scriptish formats
*.bat        = svn:eol-style=native; svn:mime-type=text/plain
*.bsh        = svn:eol-style=native; svn:mime-type=text/x-beanshell
*.cgi        = svn:eol-style=native; svn:mime-type=text/plain
*.cmd        = svn:eol-style=native; svn:mime-type=text/plain
*.js         = svn:eol-style=native; svn:mime-type=text/javascript
*.php        = svn:eol-style=native; svn:mime-type=text/x-php
*.phtml      = svn:eol-style=native; svn:mime-type=text/x-php
*.pl         = svn:eol-style=native; svn:mime-type=text/x-perl; svn:executable
*.pm         = svn:eol-style=native; svn:mime-type=text/x-perl
*.py         = svn:eol-style=native; svn:mime-type=text/x-python; svn:executable
*.sh         = svn:eol-style=native; svn:mime-type=text/x-sh; svn:executable
configure    = svn:eol-style=native; svn:mime-type=text/x-sh; svn:executable

# Image formats
*.bmp        = svn:mime-type=image/bmp
*.gif        = svn:mime-type=image/gif
*.ico        = svn:mime-type=image/ico
*.jpeg       = svn:mime-type=image/jpeg
*.jpg        = svn:mime-type=image/jpeg
*.png        = svn:mime-type=image/png
*.tif        = svn:mime-type=image/tiff
*.tiff       = svn:mime-type=image/tiff
*.svg        = svn:eol-style=native; svn:mime-type=image/svg+xml

# Data formats
*.pdf        = svn:mime-type=application/pdf
*.avi        = svn:mime-type=video/avi
*.doc        = svn:mime-type=application/msword
*.dsp        = svn:eol-style=CRLF
*.dsw        = svn:eol-style=CRLF
*.eps        = svn:mime-type=application/postscript
*.gz         = svn:mime-type=application/gzip
*.mov        = svn:mime-type=video/quicktime
*.mp3        = svn:mime-type=audio/mpeg
*.ppt        = svn:mime-type=application/vnd.ms-powerpoint
*.ps         = svn:mime-type=application/postscript
*.psd        = svn:mime-type=application/photoshop
*.rdf        = svn:eol-style=native;svn:keywords=Id
*.rss        = svn:eol-style=native;svn:keywords=Id
*.rtf        = svn:mime-type=text/rtf
*.sln       = svn:eol-style=CRLF;svn:mime-type=text/xml
*.swf        = svn:mime-type=application/x-shockwave-flash
*.tgz        = svn:mime-type=application/gzip
*.vcproj    = svn:eol-style=CRLF;svn:mime-type=text/xml
*.wav        = svn:mime-type=audio/wav
*.xls        = svn:mime-type=application/vnd.ms-excel
*.zip        = svn:mime-type=application/zip

# Text formats
.htaccess    = svn:eol-style=native; svn:mime-type=text/plain
*.bbk        = svn:eol-style=native; svn:mime-type=text/xml
*.cmake      = svn:eol-style=native; svn:mime-type=text/plain
*.css        = svn:eol-style=native; svn:mime-type=text/css
*.csv        = svn:eol-style=native; svn:mime-type=text/csv
*.dtd        = svn:eol-style=native; svn:mime-type=text/xml
*.dist       = svn:eol-style=native; svn:mime-type=text/xml
*.htm        = svn:eol-style=native; svn:mime-type=text/html
*.html       = svn:eol-style=native; svn:mime-type=text/html
*.ini        = svn:eol-style=native; svn:mime-type=text/plain
*.mak        = svn:eol-style=native; svn:mime-type=text/plain
*.mbox         = svn:eol-style=native; svn:mime-type=text/plain
*.qbk        = svn:eol-style=native; svn:mime-type=text/plain
*.po         = svn:eol-style=native; svn:mime-type=text/plain
*.response   = svn:eol-style=native; svn:mime-type=text/plain
*.rst        = svn:eol-style=native; svn:mime-type=text/plain
*.sql        = svn:eol-style=native; svn:mime-type=text/x-sql
*.template   = svn:eol-style=native; svn:mime-type=text/plain
*.tmx        = svn:eol-style=native; svn:mime-type=text/plain
*.ts         = svn:eol-style=native; svn:mime-type=text/plain
*.txt        = svn:eol-style=native; svn:mime-type=text/plain
*.TXT        = svn:eol-style=native; svn:mime-type=text/plain
*.tpl        = svn:eol-style=native; svn:mime-type=text/plain
*.xhtml      = svn:eol-style=native; svn:mime-type=text/xhtml+xml
*.xliff      = svn:eol-style=native; svn:mime-type=text/plain
*.xml        = svn:eol-style=native; svn:mime-type=text/xml
*.xsd        = svn:eol-style=native; svn:mime-type=text/xml
*.xsl        = svn:eol-style=native; svn:mime-type=text/xml
*.xslt       = svn:eol-style=native; svn:mime-type=text/xml
*.xul        = svn:eol-style=native; svn:mime-type=text/xul
*.yml        = svn:eol-style=native; svn:mime-type=text/plain
configure    = svn:eol-style=native; svn:mime-type=text/plain
CHANGES      = svn:eol-style=native; svn:mime-type=text/plain
COPYING      = svn:eol-style=native; svn:mime-type=text/plain
INSTALL      = svn:eol-style=native; svn:mime-type=text/plain
INBOX        = svn:eol-style=native; svn:mime-type=text/plain
Jamfile      = svn:eol-style=native; svn:mime-type=text/plain
Jamroot      = svn:eol-style=native; svn:mime-type=text/plain
Jamfile.v2   = svn:eol-style=native; svn:mime-type=text/plain
Jamrules     = svn:eol-style=native; svn:mime-type=text/plain
Makefile*    = svn:eol-style=native; svn:mime-type=text/plain
README       = svn:eol-style=native; svn:mime-type=text/plain

# Code formats
*.c          = svn:eol-style=native; svn:mime-type=text/plain
*.cpp        = svn:eol-style=native; svn:mime-type=text/plain
*.h          = svn:eol-style=native; svn:mime-type=text/plain
*.hpp        = svn:eol-style=native; svn:mime-type=text/plain
*.ipp        = svn:eol-style=native; svn:mime-type=text/plain
*.tpp        = svn:eol-style=native; svn:mime-type=text/plain
*.jam        = svn:eol-style=native; svn:mime-type=text/plain
*.java       = svn:eol-style=native; svn:mime-type=text/plain

For Tortoise SVN

First, you must open the dialogue box for Tortoise, and find the settings option

Tortoise Settings

Second, click edit

Third, clear out the contents, then cut and paste the above config file into the editor, and finally go to File -> Save
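
An added example, not part of the original post: in an [auto-props] list this long, a misspelled property name such as svn:mine-type or an entry with no property list is easy to miss, so this script lints the section before the file is handed to clients. The function names and the set of accepted svn: properties are choices made for this example, and the sample config is constructed.

```shell
#!/bin/sh
# Lint the [auto-props] section of a Subversion client config file.

# Print "LINE: problem" for each entry that has no '=', names an svn: property
# outside the set below, or gives svn:eol-style an unsupported value.
lint_auto_props() {             # $1 = config file
    awk '
        BEGIN {
            n = split("svn:eol-style svn:mime-type svn:keywords svn:executable svn:needs-lock", k, " ")
            for (i = 1; i <= n; i++) known[k[i]] = 1
        }
        /^[ \t]*\[/ { in_ap = ($0 ~ /^[ \t]*\[auto-props\]/); next }
        !in_ap || /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) { print NR ": entry has no property list"; next }
            n = split(substr($0, eq + 1), parts, ";")
            for (i = 1; i <= n; i++) {
                p = parts[i]; gsub(/^[ \t]+|[ \t]+$/, "", p)
                if (p == "") continue
                name = p; val = ""
                if ((j = index(p, "=")) > 0) { name = substr(p, 1, j - 1); val = substr(p, j + 1) }
                if (name ~ /^svn:/ && !(name in known))
                    print NR ": unknown property " name
                else if (name == "svn:eol-style" && val !~ /^(native|LF|CR|CRLF)$/)
                    print NR ": bad svn:eol-style value " val
            }
        }' "$1"
}

# Constructed sample config with three deliberate mistakes (lines 5, 6 and 7).
write_sample_config() {         # $1 = file to write
    cat > "$1" <<'EOF'
[miscellany]
enable-auto-props = yes
[auto-props]
*.sh  = svn:eol-style=native; svn:mime-type=text/x-sh; svn:executable
*.cmd = svn:eol-style=native; svn:mine-type=text/plain
*.dsp = svn:eol-style=crlf
*.conf
EOF
}

cfg=$(mktemp) && write_sample_config "$cfg" && lint_auto_props "$cfg"; rm -f "$cfg"
```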

Install json for PHP 5

  1. Install json – This was actually trickier than expected. I assumed I would be able to install this via pear. Apparently, a PEAR Services_JSON package was developed, but it has never been accepted into the official repository. The trick instead is to use the PECL json package. This was as easy as running pecl install json and watching the compiler do its thing. When it’s done you should have a json.so file in your PHP modules directory. (Mine is /usr/lib/php/modules/.)
  2. Add json.ini file to /etc/php.d/ – This file is pretty simple. Simply add extension=json.so to this file and that will enable the extension.
  3. Restart Apache – Not much more to add here. Without the restart, the extension won’t be loaded.
  4. Profit!