From: Leo Donahue - RDSA IT
To: users@httpd.apache.org
Date: Fri, 27 Sep 2013 11:52:08 -0700
Subject: [users@httpd] some questions on configuring SSL and LDAP

Would someone be willing to nitpick this configuration?

The goal is setting up a self-signed certificate and enabling SSL and LDAP authentication for a subversion repository.

This configuration is located in subversion.conf

The version of Apache httpd in this subversion product is: 2.2.25

This configuration is working, but I was hoping someone might spot something I've missed or perhaps suggest some best practices?

# VirtualHost is set to: 8443 for SSL
<VirtualHost *:8443>
KeepAlive On

# This directive toggles the usage of the SSL/TLS Protocol Engine. This should be used inside a <VirtualHost> section to enable SSL/TLS for that virtual host.
SSLEngine On
SSLCertificateFile "C:\Program Files (x86)\Subversion\Apache2\ssl\apache.crt"
SSLCertificateKeyFile "C:\Program Files (x86)\Subversion\Apache2\ssl\apache.key"

# The <Location> directive limits the scope of the enclosed directives by URL, in this case the URL of /svn
<Location /svn>
  DAV svn
  SVNParentPath "C:\repositories"

  # Let the users browse the parent path /svn
  SVNListParentPath on

  # SVNParentPath and authz fix http://subversion.tigris.org/issues/show_bug.cgi?id=2753
  RedirectMatch ^(/svn)$ $1/

  # Authentication: LDAP
  Order deny,allow
  Deny from All
  AuthName "my auth name"
  AuthType Basic
  AuthBasicProvider ldap

  # AuthzLDAPAuthoritative must be explicitly set because the default setting is "on" and authentication attempts for valid-user will fail otherwise.
  AuthzLDAPAuthoritative off

  # Note: We are only looking for users that belong to a certain OU of yadda1
  AuthLDAPURL "ldap://servername.domain:389/OU=yadda1,OU=yadda,DC=domain,DC=organization,DC=gov?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN "CN=AD Query Account,OU=Service Accounts,OU=dept,DC=domain,DC=organization,DC=gov"
  AuthLDAPBindPassword bind_password

  # If AuthzLDAPAuthoritative was set to 'on', then you can list required users in the following directive
  #Require user "me" "someotheruser"

  # Grants access to any user that has successfully authenticated during the search/bind phase
  Require valid-user

  # Allows the request if any requirement is met (authentication OR access), can use 'all' to force both requirements
  Satisfy any

  # Authorization: Path-based access control; authenticated users can access paths for read/write specified in this file.
  AuthzSVNAccessFile "C:\svn_passwd\svn-auth.authz"

  SVNAutoversioning on
</Location>

# Enable Subversion logging
CustomLog logs/subversion.log combined
</VirtualHost>

Leo
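The same vhost as an added example (not Leo's subversion.conf, and not from the httpd or Subversion projects) with the TLS and LDAP transport settings a reviewer would tighten on httpd 2.2. The host names svn.example.gov and dc.example.gov, the DC= components, the (objectClass=user) filter and the separate bind-password include file are assumptions.

```apache
# Added example, not the original poster's subversion.conf: the same vhost
# with the TLS and LDAP transport settings tightened for httpd 2.2. Host
# names, the LDAP base DN and the include file path are placeholders.

# mod_ldap setting in server context: verify the directory server's
# certificate (its CA must be trusted by the LDAP SDK / OS store httpd uses).
LDAPVerifyServerCert On

<VirtualHost *:8443>
    ServerName svn.example.gov

    SSLEngine On
    SSLCertificateFile    "C:/Program Files (x86)/Subversion/Apache2/ssl/apache.crt"
    SSLCertificateKeyFile "C:/Program Files (x86)/Subversion/Apache2/ssl/apache.key"
    # Turn off SSLv2/SSLv3 and weak suites; the server picks the cipher.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder On

    <Location /svn>
        DAV svn
        SVNParentPath "C:/repositories"
        SVNListParentPath on
        RedirectMatch ^(/svn)$ $1/
        # Refuse this path over plain HTTP if the block is ever included
        # in a non-SSL vhost as well.
        SSLRequireSSL

        AuthName "Subversion"
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        # ldaps:// so the bind credentials and each user's Basic-auth
        # password are not relayed to the directory in clear text.
        AuthLDAPURL "ldaps://dc.example.gov:636/OU=yadda1,OU=yadda,DC=example,DC=gov?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "CN=AD Query Account,OU=Service Accounts,DC=example,DC=gov"
        # Assumed file holding only the AuthLDAPBindPassword line, readable
        # by the httpd service account alone and kept out of version control.
        Include "C:/svn_passwd/ldap-bind.conf"

        # No Order/Deny/Satisfy any: with the default Satisfy all there is
        # no host-based rule that could grant access without a login.
        Require valid-user
        AuthzSVNAccessFile "C:/svn_passwd/svn-auth.authz"
    </Location>

    CustomLog logs/subversion.log combined
</VirtualHost>
```

Forward slashes are accepted in paths by httpd on Windows; the rest of the original (SVNAutoversioning, KeepAlive) is unchanged in meaning and omitted here only for brevity.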