Subversion + Apache + LDAP on Solaris
A few weeks ago I setup a subversion server for some prototype development. It took some research and quite a bit of trial and error to get all the dependencies and various pieces put together, so today I went through the process again and recorded the steps. The goal is to get a subversion server setup using http(s) URLs and LDAP for authentication, plus ViewVC for web based viewing of the repository.
- Dependencies for Apache/Subversion
- OpenSSL for https support. Packages are included in Solaris 10. Alternative: separate compilation of newer OpenSSL version.
- LDAP for authentication support. SUNWlldap package is included in Solaris 10. Alternative: OpenLDAP
- Requirements for ViewVC:
- Python to run ViewVC. SUNWPython (python 2.4.4) package included in JDS. Alternative: SMCpython (python 2.5.1) package from sunfreeware.com
- SWIG for subversion-python bindings. Compile and install from website (see some notes in subversion/bindings/swig/INSTALL included with subversion source code). Alternative: SMCswig + SMClibgcc packages from sunfreeware.com
- diffutils so ViewVC can display differences between file revisions. Compile and install from website. Alternative: SMCdiffu package from sunfreeware.com or SFWdiffu package (I think from Solaris Companion disk, installs into /opt/sfw/bin/gdiff)
- Apache 2.2.4 webserver
- Subversion 1.4.3
- Add ac_cv_python_compile="cc -DNDEBUG -O2 -Kpic" right after each line that defines that variable.
- Add ac_cv_python_link="cc -G" right after each line that defines that variable.
- Add ac_cv_python_libs="-lssl -lxml2" right after each line that defines that variable.
- Repository setup
- svnadmin create /path/repository_name
- Make repository writable for webserver user: chown -R webservd:webservd /path/repository_name
- Add block in httpd.conf to make the repository accessible via the webserver and use LDAP for authentication:
- ViewVC 1.0.4
- ./viewvc-install
Entered /usr/local/viewvc for install path. - ln -s ../../viewvc/templates/docroot /usr/local/apache2/htdocs/viewvc.d
- Edit /usr/local/viewvc/viewvc.conf (set svn repository path, docroot, etc)
- Make sure PATH for webserver environment lists /usr/local/bin before /usr/bin so that ViewVC will find GNU diff and not the Solaris /usr/bin/diff. Alternative: get latest development version of ViewVC from its svn repository (or a newer released version than 1.0.4 if one has come out). Then you can configure the location of diff in the viewvc.conf file.
- Add block in httpd.conf so ViewVC can run. Optionally add a <Location /viewvc> block similar to the one above (minus DAV and SVNPath) to use LDAP authentication for ViewVC too.
set path=(/path/to/sunstudio,v11.0/SUNWspro/bin /usr/ccs/bin /usr/openwin/bin /usr/local/bin /usr/sbin /usr/bin .)
./configure --with-ssl=/usr/sfw --with-ldap --enable-mods-shared="ssl deflate rewrite ldap authnz-ldap dav dav-fs dav-lock"
make install
The apache modules list includes ssl for https support, ldap authentication modules (note the extra --with-ldap flag also needed), dav modules required for subversion, and deflate for compression when subversion interacts with the server. Also threw in mod_rewrite. After install, configure /usr/local/apache2/conf/httpd.conf (user/group, serveradmin, etc).
Solaris 10 does include an Apache 2.0 package, but it does not have LDAP support. I tried to compile just the LDAP modules and add them in, but was unsuccessful (probably because the core code wasn't built with the --with-ldap flag?), so that's why I did my own Apache 2.2 build. By changing a couple paths in /lib/svc/method/http-apache2 and setting logfile/pidfile locations in httpd.conf you can use svcadm to manage this Apache build instead of the bundled one.
See additional detail about these steps in INSTALL and subversion/bindings/swig/INSTALL files. I ran into a couple problems with the builds for subversion and python bindings. The first was in finding the OpenSSL libraries near the end of the subversion build.. fixed this by setting LDFLAGS below. The second was in building the python bindings with sunstudio compiler when using the SMCpython package. The build process determines that python was built with gcc so it tries to use gcc for building the bindings even though gcc is not present. After resolving this, the bindings failed to load due to missing symbols.. no idea why these libraries did not link to all the required libraries.. to avoid these problems, extract the subversion-1.4.3 and subversion-deps-1.4.3 files and then modify the configure script as follows:
setenv LDFLAGS '-R/usr/sfw/lib'
./configure --with-apxs=/usr/local/apache2/bin/apxs --with-ssl --without-berkeley-db --with-apr=/usr/local/apache2 --with-apr-util=/usr/local/apache2
make install
make swig-py
make install-swig-py
echo /usr/local/lib/svn-python > /usr/local/lib/python2.5/site-packages/subversion.pth
unsetenv LDFLAGS
<Location /svn/test>
DAV svn
SVNPath /path/repository_name
AuthType basic
AuthName "svn repository"
AuthBasicProvider ldap
AuthLDAPUrl ldap://server.domain.com/ou=people,dc=domain,dc=com
AuthzLDAPAuthoritative off
<LimitExcept GET PROPFIND OPTIONS REPORT>
require valid-user
require user johndeveloper janedeveloper
</LimitExcept>
SetOutputFilter DEFLATE
</Location>
Adjust SVNPath, AuthName and AuthLDAPUrl as needed. The <LimitExcept> part makes the repository have public read access and only require authentication for modifications/commits. To always require authentication, remove the start/end tags for LimitExcept but keep the require line(s). Always use require valid-user.. optionally use the require user to limit which LDAP users are allowed.
ScriptAlias /viewvc /usr/local/viewvc/bin/cgi/viewvc.cgi
<Directory /usr/local/viewvc/bin/cgi>
Order allow,deny
Allow from all
</Directory>
Finally start or restart apache and try out all the pieces. Do a checkout of the repository, commit a revision and view the log in a browser.
Posted at 10:16AM May 01, 2007 by mindless in Sun | Comments[6]
I did this setup again on a new S10u3 system, this time using Apache 2.2.6 and Subversion 1.4.5. I used the python included with S10 instead of the SMCpython package, so I did not need to modify the subversion configure script as described above. However, I did hit a new problem:
ld: fatal: recording name conflict: file `/usr/sfw/lib/libexpat.so' and file `/usr/local/apache2/lib/libexpat.so' provide identical dependency names: libexpat.so.0 (possible multiple inclusion of the same file)
To get around this I reextracted the subversion source files, ran the configure step and then manually edited the Makefile that was created. I removed "-lexpat" from the Makefile, which I found in just one place. The "make install" process now ran successfully.
Posted by Alan on November 13, 2007 at 08:13 AM PST #
One more item: I had to rebuild including --enable-shared on the subversion configure line. This should be the default, but viewvc got errors about SSL_shutdown symbol not found.. this page gave me the workaround:
http://svn.haxx.se/users/archive-2006-10/0393.shtml
Posted by Alan on November 13, 2007 at 11:05 AM PST #
Hi Alan,
Your post was very helpful. I followed the instructions you've given here to set up subversion authentication with LDAP and the checkout works, but when I try to commit, I get an error message saying 'commit failed... 500 Internal Server Error'. Do you have any idea what the problem might be ?
Posted by Divya on June 11, 2008 at 10:04 PM PDT #
Hi Divva-
You'll need to check your webserver logs for error details..
Posted by Alan on August 19, 2008 at 01:50 PM PDT #
I wish Solaris 10 had an easier way to build and deploy Subversion. I have been struggling with the newer version 1.5.6. Where as other *nix already has binaries available
Posted by ken on March 15, 2009 at 12:17 PM PDT #
CollabNet now makes nice Solaris packages available: http://www.open.collab.net/downloads/subversion/solaris.html
Posted by Alan on August 27, 2009 at 09:24 PM PDT #