Securing Subversion with Windows 2008 Kerberos-Based SSO and Linux-Based Apache

Some things just belong on Linux. Like Subversion and Apache, for instance. I've seen the ghetto workarounds for Windows-based Apache installs and no thanks -- I'd much rather waste my time on ghetto SharePoint workarounds.

But I sure do like the way Windows-based web servers such as IIS seamlessly and securely authenticate users across a domain. I wanted Apache to do the same and, after a week of trying various methods of authentication, I found the easiest, most efficient way is to use SSL, Kerberos, and Likewise.

I start this project, as I do all of my Linux projects, by using a fresh install of SuSE Linux Enterprise Server (SLES 11). During the initial install, I made sure to use a local passwd file for authentication. Likewise takes care of all the advanced authentication methods after the install is complete. When using Likewise, do not attempt to use YaST to configure authentication or you'll run into a variety of pam and krb5 key issues.

Here are the following steps and tutorials I used to accomplish my goal of SSO

1. Install and configure Likewise Open.

   • Joining a domain is as easy as /opt/likewise/bin/domainjoin-cli join corp.netnerds.net Administrator, even when authenticating against Windows 2008 Active Directory.

2. Setup Apache to support SSL

3. Setup Apache to support Kerberos-based SSO

   • My ktpass, for example, looks like this: ktpass /out http.ktb /princ HTTP/[email protected] /pass SkiAlta2009 /mapuser corp\linuxweb

4. Install the One-Click Installer that comes with OpenSuSE by default, but not SLES 11.

   • yast -i yast2-metapackage-handler

5. Add the subversion packages to the local repository.

   • OCICLI https://software.opensuse.org/ymp/Subversion/SLE_11/subversion.ymp

   • Go into YaST and install the necessary subversion packages.

6. Follow the OpenSuSE tutorial for Setting Up a Subversion Server Using Aapache 2

7. Throw a party! Just turn up Pandora's Cajun station and DANCE.

I recommend using your domain's own Certificate Authority to generate the SSL cert that Apache will use. That way, users won't be prompted to accept an untrusted self-signed SSL certificate.

Have fun!