Securing Subversion with Windows 2008 Kerberos-Based SSO and Linux-Based Apache

Some things just belong on Linux. Like Subversion and Apache, for instance. I’ve seen the ghetto workarounds for Windows-based Apache installs and no thanks — I’d much rather waste my time on ghetto SharePoint workarounds.

But I sure do like the way Windows-based web servers such as IIS seamlessly and securely authenticate users across a domain. I wanted Apache to do the same and, after a week of trying various methods of authentication, I found the easiest, most efficient way is to use SSL, Kerberos, and Likewise.

I start this project, as I do all of my Linux projects, by using a fresh install of SuSE Linux Enterprise Server (SLES 11). During the initial install, I made sure to use a local passwd file for authentication. Likewise takes care of all the advanced authentication methods after the install is complete. When using Likewise, do not attempt to use YaST to configure authentication or you’ll run into a variety of pam and krb5 key issues.

Here are the following steps and tutorials I used to accomplish my goal of SSO

  1. Install and configure Likewise Open.
    • Joining a domain is as easy as /opt/likewise/bin/domainjoin-cli join corp.netnerds.net Administrator, even when authenticating against Windows 2008 Active Directory.
  2. Setup Apache to support SSL
  3. Setup Apache to support Kerberos-based SSO
    • My ktpass, for example, looks like this:
      ktpass /out http.ktb /princ HTTP/[email protected] /pass SkiAlta2009 /mapuser corp\linuxweb
  4. Install the One-Click Installer that comes with OpenSuSE by default, but not SLES 11.
    • yast -i yast2-metapackage-handler
  5. Add the subversion packages to the local repository.
    • OCICLI http://software.opensuse.org/ymp/Subversion/SLE_11/subversion.ymp
    • Go into YaST and install the necessary subversion packages.
  6. Follow the OpenSuSE tutorial for Setting Up a Subversion Server Using Aapache 2
  7. Throw a party! Just turn up Pandora’s Cajun station and DANCE.

I recommend using your domain’s own Certificate Authority to generate the SSL cert that Apache will use. That way, users won’t be prompted to accept an untrusted self-signed SSL certificate.

Have fun!

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Active Directory, Apache, Linux, Networking, Security
4 comments on “Securing Subversion with Windows 2008 Kerberos-Based SSO and Linux-Based Apache
  1. Nathan says:

    Holy cow, if you got this to work correctly you are so my hero. Thanks for writing up the details– I'll be trying it soon.

  2. Kevin says:

    I stumbled across your article whilst I'm trying to setup Subversion and Apache on SLES 11 SP1, and wondered why you didn't use the built in yast > Network Services > Windows Domain Membership, to join AD. Is there not a way to do things that way and still get Subversion/Apache to use Windows authentication?

Leave a Reply

Your email address will not be published. Required fields are marked *

*