This blog post is not intended to replace the installation documentation put out by Atlassian. Instead, I would like to share information about the integration and installation that you may find useful.
Crowd is a single sign-on server application that allows multiple web applications to log on using a centralized user repository. The greatest beauty of Crowd is that it integrates with LDAP (Active Directory) and also allows you to create additional users not associated with the Active Directory, giving system administrators the ability to grant contractors access to selected resources without bringing them fully onto the network.
Subversion is a source control tool that integrates well with Apache. When integrated with Apache, Subversion becomes a read-only web application with exposed APIs for active source control management with a Subversion client.
When Subversion is integrated with Apache, and Apache is integrated with Crowd, Subversion is then easily integrated with Crowd.
By integrating Apache with Crowd, any web application can make use of Basic Authentication requiring a user to log on with the credentials stored in Crowd. These applications are best run under https so as to avoid sending plain text authentication information over the network.
When integrating Apache with Crowd, the Subversion server instance which by default allows connections over port 3690 is not used. There is no need to start or kill the svnserve services on the Linux server when integrated with Apache. The configuration files in the subversion conf directory are not used. However, you can still start the service running independent of your Crowd / Apache instance if desired – making full use of the configuration files that come out of the box with Subversion.
In doing the installation, I ran into two issues.
Issue 1 – Perl Modules
When doing the installation of setting up Apache, Crowd, and Subversion, there are several Perl modules which must be downloaded and installed onto your Linux box. I ran into an issue with these libraries which took some time to figure out. I have recommended to Atlassian that they update their documentation accordingly.
The SOAP::Lite libraries did not properly install out of the box due to one of the Core Perl packages not being part of the default installations of Fedora and CentOS. The missing Core Perl package is the perl – version package.
I would get to the installation of the Apache-CrowdAuth-1.2.3 and I would get the following message:
<pre>
[root@trisummitjira Apache-CrowdAuth-1.2.3]# perl Makefile.PL
Checking for required modules:
Atlassian::Crowd is installed… no
Cache::Cache is installed… yes
Digest::SHA1 is installed… yes
Error is installed… yes
SOAP::Lite is installed… yes
You must install Atlassian::Crowd, Cache::Cache, Digest::SHA1, Error, SOAP::Lite
[root@trisummitjira Apache-CrowdAuth-1.2.3]#
</pre>
This problem was solved by downloading the Perl Version modules from CPAN at http://search.cpan.org/dist/version/ then doing the installation using
<pre>
perl Makefile.PL
make
make install
</pre>
Afterwards, I was able to properly install the SOAP-Lite package.
Then the rest of the installation worked.
Issue 2 – Running Subversion in the site's root directory
The answer is – don’t do it. It does not work. I was attempting to use the site http://svn.trisummit.net and have this serve as the web based repository for my source control. It originally had the appearance of working. Or shall I say that it works for the Read-only functionality of Subversion. However, when I would try to commit files to Subversion, I would get a Permission Denied error. I discovered a web posting where I was told not to use the / root of the website (sorry I don’t have the link). So instead, I moved Subversion to http://trisummit.net/svn – a subdirectory of this blog. Then it worked like a charm. It was even better when I changed to using https://trisummit.net/svn; because then the basic authentication plain text security issue was solved.
Don’t do this
<pre>
<VirtualHost 173.201.176.190:80>
ServerAdmin brian@trisummit.net
ServerName svn.trisummit.net
ErrorLog logs/svn.trisummit.net-error_log
CustomLog logs/svn.trisummit.net-access_log common
<location />
DAV svn
SVNPath /var/svn/projects
AuthName subversion
AuthType Basic
PerlAuthenHandler Apache::CrowdAuth
PerlSetVar CrowdAppName subversion
PerlSetVar CrowdAppPassword myPasswordInCrowd
PerlSetVar CrowdSOAPURL http://localhost:8095/crowd/services/SecurityServer
PerlAuthzHandler Apache::CrowdAuthz
PerlSetVar CrowdAllowedGroups subversion-users
Require valid-user
</location>
</VirtualHost>
</pre>
The implementation below will work. However, the <location /svn> block is best placed in ssl.conf, where your security certificate is configured:
<pre>
<VirtualHost 173.201.176.190:80>
ServerAdmin brian@trisummit.net
DocumentRoot /var/www/html/trisummit
ServerName trisummit.net
ServerAlias trisummit.net www.trisummit.net
ErrorLog logs/trisummit.net-error_log
CustomLog logs/trisummit.net-access_log common
<location /svn>
DAV svn
SVNPath /var/svn/projects
AuthName subversion
AuthType Basic
PerlAuthenHandler Apache::CrowdAuth
PerlSetVar CrowdAppName subversion
PerlSetVar CrowdAppPassword mypasswordInCrowd
PerlSetVar CrowdSOAPURL http://localhost:8095/crowd/services/SecurityServer
PerlAuthzHandler Apache::CrowdAuthz
PerlSetVar CrowdAllowedGroups subversion-users
Require valid-user
</location>
</VirtualHost>
</pre>
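The post recommends moving the /svn location into the SSL configuration so that Basic credentials never cross the network in clear text. One way to lay that out, as an added example that is not the author's own configuration: the certificate paths and the password value are placeholders, and the port-80 redirect and the SSLRequireSSL line are additions beyond what the post shows.

```apache
# Added example: the /svn location moved under the TLS virtual host.
# Certificate paths and the password value are placeholders (assumptions).

# Port 80 serves the blog only. Requests under /svn are redirected to
# HTTPS, so no Basic authentication challenge is ever issued over HTTP.
<VirtualHost 173.201.176.190:80>
    ServerName trisummit.net
    ServerAlias www.trisummit.net
    DocumentRoot /var/www/html/trisummit
    Redirect permanent /svn https://trisummit.net/svn
</VirtualHost>

# In ssl.conf: the TLS virtual host carries the repository.
<VirtualHost 173.201.176.190:443>
    ServerName trisummit.net
    DocumentRoot /var/www/html/trisummit
    SSLEngine on
    SSLCertificateFile    /path/to/your/server.crt
    SSLCertificateKeyFile /path/to/your/server.key

    <Location /svn>
        DAV svn
        SVNPath /var/svn/projects

        # Refuse the request outright if it arrives without TLS.
        SSLRequireSSL

        AuthName subversion
        AuthType Basic
        PerlAuthenHandler Apache::CrowdAuth
        PerlSetVar CrowdAppName subversion
        PerlSetVar CrowdAppPassword PLACEHOLDER_APP_PASSWORD
        PerlSetVar CrowdSOAPURL http://localhost:8095/crowd/services/SecurityServer
        PerlAuthzHandler Apache::CrowdAuthz
        PerlSetVar CrowdAllowedGroups subversion-users
        Require valid-user
    </Location>
</VirtualHost>
```

Because CrowdAppPassword sits in this file in clear text, keep the file readable only by root.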
Following this change, I was able to save my commits to Subversion using the user credentials stored in Crowd. Pretty slick. A C program on Linux authenticating to the Crowd SSO server. I like it.
Anyways, I am really very pleased with this implementation. My source code is now externally accessible yet password protected with a single sign-on server. The application is configurable so that I can give access to certain projects to certain people while holding back access to others. And best of all, I don’t have to worry about being on the network when I am on the road.
Two thumbs up for integrating Subversion with Crowd and Apache.
