Securing Subversion with Windows 2008 Kerberos-Based SSO and Linux-Based Apache

Some things just belong on Linux. Like Subversion and Apache, for instance. I’ve seen the ghetto workarounds for Windows-based Apache installs and no thanks — I’d much rather waste my time on ghetto SharePoint workarounds.

But I sure do like the way Windows-based web servers such as IIS seamlessly and securely authenticate users across a domain. I wanted Apache to do the same and, after a week of trying various methods of authentication, I found the easiest, most efficient way is to use SSL, Kerberos, and Likewise.

I start this project, as I do all of my Linux projects, by using a fresh install of SuSE Linux Enterprise Server (SLES 11). During the initial install, I made sure to use a local passwd file for authentication. Likewise takes care of all the advanced authentication methods after the install is complete. When using Likewise, do not attempt to use YaST to configure authentication or you’ll run into a variety of pam and krb5 key issues.

Here are the following steps and tutorials I used to accomplish my goal of SSO

  1. Install and configure Likewise Open.
    • Joining a domain is as easy as /opt/likewise/bin/domainjoin-cli join Administrator, even when authenticating against Windows 2008 Active Directory.
  2. Setup Apache to support SSL
  3. Setup Apache to support Kerberos-based SSO
    • My ktpass, for example, looks like this:
      ktpass /out http.ktb /princ HTTP/[email protected] /pass SkiAlta2009 /mapuser corp\linuxweb
  4. Install the One-Click Installer that comes with OpenSuSE by default, but not SLES 11.
    • yast -i yast2-metapackage-handler
  5. Add the subversion packages to the local repository.
    • OCICLI
    • Go into YaST and install the necessary subversion packages.
  6. Follow the OpenSuSE tutorial for Setting Up a Subversion Server Using Aapache 2
  7. Throw a party! Just turn up Pandora’s Cajun station and DANCE.

I recommend using your domain’s own Certificate Authority to generate the SSL cert that Apache will use. That way, users won’t be prompted to accept an untrusted self-signed SSL certificate.

Have fun!

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in Active Directory, Apache, Linux, Networking, Security
4 comments on “Securing Subversion with Windows 2008 Kerberos-Based SSO and Linux-Based Apache
  1. Nathan says:

    Holy cow, if you got this to work correctly you are so my hero. Thanks for writing up the details– I'll be trying it soon.

  2. Kevin says:

    I stumbled across your article whilst I'm trying to setup Subversion and Apache on SLES 11 SP1, and wondered why you didn't use the built in yast > Network Services > Windows Domain Membership, to join AD. Is there not a way to do things that way and still get Subversion/Apache to use Windows authentication?

Leave a Reply