I have an Ubuntu server 11.04 on ec2 (I'm mentioning this, as it appears things have changed in this version from previous Ubuntu releases with regard to LDAP configuration).
I want to configure it as a subversion server with trac, for private repositories (i.e. a user must have a username:password and privileges to view or commit to svn, and to view or make changes in trac).
Since I wanted to make sure it is secure, I first chose an option of svn+ssh, meaning I have to create a linux user for each person that needs access to svn. But I couldn't find a way to use the same users for trac - meaning I will have to manually create a user in trac for each user I create on the linux machine, and this could lead to different passwords between svn and trac - in short: a mess.
So I decided to go and implement an openldap server, which will give the option to use ldap users for other features in the future.
The only guide I found which worked in configuring the openldap part, was this one ("The Guide").
However, when I got to the kerberos part - I got some questions I didn't know how to answer, and then I got errors, so no kerberos.
Some notes:
- The server will eventually be something like `svn.myserver.com`. However, there's no dns record for it yet.
- Taking the previous note in consideration, I used the `svn.myserver.com` name when configuring openldap as said in the guide above (I did not do the first two parts of the guide, so I had to run the `sudo dpkg-reconfigure slapd` command to reconfigure, and used `dc=svn,dc=myserver,dc=com` everywhere instead of `dc=danbishop,dc=org` or `svn.myserver.com` instead of `danbishop.org`).
- In the kerberos part of the guide, when running the `sudo apt-get install krb5-kdc krb5-admin-server` command, I was asked the following:
  - The realm - I wrote `SVN.MYSERVER.COM`
  - Something about servers - I wrote `localhost`
  - Something about administrator server - I wrote `localhost`

  When the questions were over, and it continued to configure kerberos, there were some `File or directory not found` errors, and a `an error has occured, see log` kind of message. However, I did not find any log file.
There might be a better way to do it, and there might be another solution to get what I want (unified user management for both svn, trac and such other future apps), but since the svn and bug tracking features are supposed to survive a long time, and not pose any difficulties, it is important for me to choose the right solution, and configure it the right way (There is more than one right way, I'm sure, but I don't want to choose a lousy way).
I would really appreciate help with this, as I've been messing around with this for a few days now, feeling like I'm wasting time.
One hint for Kerberos: You have to get your DNS right before you configure Kerberos or you can run into all sorts of trouble. So, create the relevant DNS entries first and don't continue before this is done.
That said, I don't really think that Kerberos is necessary in your case. It's still a notoriously complicated thing to get working right and I don't think the result will be worth the trouble. Primarily, it's useful for providing a single-sign-on solution, so if you get it right, you log into your (system) user account and 'magically' all kerberized services will work without a login.
So, if you configure your system to authenticate against LDAP via PAM and do the same for Trac, you should be fine.
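A pre-flight check for the DNS requirement in the answer above, as an added example that is not part of the original answer: it verifies that the host name and realm from the question have matching forward and reverse records before the KDC packages are installed. The function names and the injectable `forward`/`reverse` resolvers are assumptions made for illustration.

```python
import ipaddress
import socket


def forward_lookup(name):
    """Return the sorted addresses a name resolves to (empty list on failure)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    # Drop any IPv6 scope id ("%eth0") so ipaddress can parse the result.
    return sorted({info[4][0].split("%")[0] for info in infos})


def reverse_lookup(addr):
    """Return the PTR name for an address, or None when there is none."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None


def check_kerberos_dns(fqdn, realm, forward=forward_lookup, reverse=reverse_lookup):
    """Return a list of problems to fix before configuring the KDC."""
    problems = []
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not uppercase")
    if "." not in fqdn:
        problems.append(f"{fqdn!r} is not a fully qualified name")
    addrs = forward(fqdn)
    if not addrs:
        problems.append(f"{fqdn} has no A/AAAA record")
    for addr in addrs:
        if ipaddress.ip_address(addr).is_loopback:
            # Clients on other machines cannot reach a KDC behind loopback.
            problems.append(f"{fqdn} resolves to loopback address {addr}")
            continue
        ptr = reverse(addr)
        if ptr is None:
            problems.append(f"{addr} has no PTR record")
        elif ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
            problems.append(f"{addr} reverses to {ptr}, not {fqdn}")
    return problems


if __name__ == "__main__":
    # Host name and realm taken from the question; run this on the server itself.
    for problem in check_kerberos_dns("svn.myserver.com", "SVN.MYSERVER.COM"):
        print("FIX:", problem)
```

An empty result means the name resolves forward and backward consistently; anything printed should be fixed in DNS (or `/etc/hosts`) before answering the `krb5-kdc` configuration prompts.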
I would use likewise-open to join the domain and conf the kerberos and add in the dav_svn.conf use
In the svn.conf, add the users you want to have rights on repos. Be aware: put the domain name in uppercase as [email protected]; kerberos wants it like that.