Building a Versioning Document Repository Using Apache HTTP Server, OpenLDAP, and Subversion By: Craig A. McElroy

Post on 28-May-2020

Building a Versioning Document Repository

Using Apache HTTP Server, OpenLDAP, and Subversion

By: Craig A. McElroy

Who Am I?

• Co-founder of Metissian & Contegix

• Contegix is a colocation and managed hosting company specializing in Linux and Mac OS X located in downtown St. Louis, MO.

• Maintainer of Subversion OS X Packages at http://www.metissian.com

• Early adopter of the Subversion version control system

• Been using it since pre 1.0 release for source control, document versioning, etc.

Document Repository

• A document repository is any central storage location for documents.

• Various storage and access mechanisms

• NFS

• Samba

• Simple Web Application

• WebDAV

WebDAV

• What is WebDAV?

• Briefly: WebDAV stands for “Web-based Distributed Authoring and Versioning”

• Set of extensions to the HTTP protocol which allow remote collaborative authoring of web resources.

• Defined in RFC 2518

• Visit http://www.webdav.org/ for more information.

WebDAV Servers

• Apache HTTP Server

• mod_dav - Base WebDAV support module which requires another module to define the storage implementation.

• mod_dav_fs - WebDAV module provided by Apache which uses underlying filesystem for storage.

• Other mod_dav implementations exist (as we’ll see in a bit)

WebDAV Servers

• Jakarta Slide

• http://jakarta.apache.org/slide/index.html

• Zope

• http://www.zope.org/

• .Mac

• Apple’s .Mac service is WebDAV based.

• A number of other Open Source and Commercial servers.

WebDAV Clients

• Nautilus 2

• Official file manager/browser for GNOME.

• http://www.gnome.org/projects/nautilus

• Linux davfs2

• A filesystem module for the Linux kernel based on Coda (http://coda.cs.cmu.edu/)

• http://dav.sourceforge.net/

• Cadaver Command Line Client

• http://www.webdav.org/cadaver/

WebDAV Clients

• Mac OS X

• Apple’s OS X has an integrated WebDAV client.

• Prior to 10.4 did not support https.

• Win32 WebFolders

• Windows 98, 2000, and XP have an integrated WebDAV client known as “WebFolders”

• Not as integrated as Apple’s implementation.

• WebDrive Commercial Windows Client

• http://www.southrivertech.com/

DeltaV Extensions

• Despite the “V” in WebDAV, there is no versioning model included in the WebDAV RFC.

• Because RFC 2518 left out versioning concepts, another capable group was left with the responsibility of writing RFC 3253, which adds versioning to WebDAV.

• WebDAV/DeltaV clients and servers are often called just “DeltaV” clients and servers, since DeltaV implies the existence of basic WebDAV.

DeltaV

• The coolest feature of the DeltaV extensions is Autoversioning.

• Allows basic WebDAV clients that are not aware of versioning to create new versions by simply doing a PUT operation.

• The server will translate that to the series of operations that will generate a new version of the existing file.

• In the event of a needed file restore, a system administrator could simply pull an old version.

LDAP

• What is LDAP?

• Lightweight Directory Access Protocol

• Designed at the University of Michigan to adapt a complex enterprise directory system (called X.500) to the modern internet.

• De-facto standard for user information storage, searching, and authentication.

• Many implementations of LDAP Servers

• Tremendous client support

LDAP Servers

• OpenLDAP - http://www.openldap.org/

• Open Source LDAP Server

• Novell eDirectory

• Red Hat Directory Server (Formerly Netscape Directory Server)

• Microsoft Active Directory

• Supports the LDAP interface, but has some quirks

• Apache DS - Pure Java LDAP Server

• http://directory.apache.org/subprojects/apacheds/

LDAP Clients

• Nearly all E-Mail clients support LDAP Database searches

• Apache Authentication Modules

• Apache 2.0: mod_auth_ldap

• http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html

• Apache 2.1: mod_authnz_ldap

• http://httpd.apache.org/docs-2.1/mod/mod_authnz_ldap.html

Subversion

• http://subversion.tigris.org/

• Subversion is a version control system with a WebDAV/DeltaV server implementation for Apache

• mod_dav_svn Apache Module

• Subversion was designed to be a replacement for CVS in the version control realm

• Provides many added benefits because of its WebDAV/DeltaV capabilities

DeltaV in Subversion

• Currently, not all features of DeltaV are implemented in Subversion, but most of the core ones are.

• RFC 3253 is still relatively new, and Subversion developers intend to improve support in future releases.

• But, what about Autoversioning?!?!?

Autoversioning

• Does autoversioning really work in Subversion?

• Well, sort of.

• At this time, Subversion still lacks support for the WebDAV LOCK and UNLOCK methods, so editing a file in place is not supported.

• Can still copy the file to local filesystem, edit it, and copy it back.

• Come on? Is this really the best we can do?

mod_dav_lock

• Apache 2.1 (still in beta) has introduced a new mod_dav_lock module.

• http://httpd.apache.org/docs-2.1/mod/mod_dav_lock.html

• Provides a generic locking API which can be used by any backend provider of mod_dav (mod_dav_svn in our case)

• Uses a file based lock database to provide the locking mechanism that would otherwise be missing from Subversion’s DeltaV support.

• Creates the “illusion” that the lock was accepted.

Why These?

• This exact configuration was implemented for a client in late 2004.

• Why WebDAV?

• Needed to support multiple platforms.

• Needed to be able to securely access data.

• Why LDAP?

• Client also wanted to consolidate user accounts between a dozen servers, miscellaneous web applications (including Bugzilla), etc.

• The document repository needs the same accounts.

• Why Subversion?

• Subversion was already being used as the version control system for source code.

Configuration & Demo

• OpenLDAP

• http://www.openldap.org/

• phpLDAPadmin

• http://phpldapadmin.sourceforge.net/

• Apache HTTP Server 2.1 (Beta)

• http://httpd.apache.org/

• Subversion 1.2 (RC)

• http://subversion.tigris.org/

OpenLDAP

• Included with any modern Linux distribution

• RHEL v.4 comes with OpenLDAP 2.2

• Edit /etc/openldap/slapd.conf

• Define suffix, rootdn, and rootpw

• suffix "dc=contegix,dc=com"

• rootdn "cn=Manager,dc=contegix,dc=com"

• rootpw {SSHA}................................

• The hashed rootpw value can be generated using slappasswd

OpenLDAP

• Start OpenLDAP Server

• Do a simple test using:

• ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

• If this works, we are ready to begin populating the LDAP database.

• Option 1: Use .ldif files and ldapadd commands

• Option 2: Use an LDAP client utility

• phpLDAPadmin

phpLDAPadmin

• Install to a location where it is accessible from a webserver.

• Edit the config.php file

• Define the values for host, base, and auth_type

• $servers[$i]['host'] = 'localhost';

• $servers[$i]['base'] = 'dc=contegix,dc=com';

• $servers[$i]['auth_type'] = 'session';

• An auth_type of session will prompt for a login upon accessing the application.

Setup LDAP Objects Using phpLDAPadmin

• Create the Organization with dcObject and organization objectClass

• o = Contegix LLC

• Manager organizationalRole

• cn=Manager,dc=contegix,dc=com

• People organizationalUnit

• ou=people

• Users, users, users

• Use simpleSecurityObject for our example
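The objects listed on this slide, written as LDIF for Option 1 (.ldif files and ldapadd). This is an added example, not part of the original slides: the user jdoe and the structural class account are assumptions, chosen because simpleSecurityObject is an auxiliary class that cannot form an entry by itself and because uid is the attribute mod_authnz_ldap searches by default.

```shell
#!/bin/sh
# Added example (not from the slides): emit LDIF for the objects on this slide.
# Assumptions: the uid passed in and the structural class "account"
# (cosine.schema) are illustrative; the slides name only simpleSecurityObject.

# make_ldif BASE_DN ORG_NAME USER PASSWORD_HASH
make_ldif() {
    base=$1 org=$2 user=$3 hash=$4
    # Refuse cleartext: userPassword must carry a scheme prefix such as {SSHA}.
    case $hash in
        '{'*'}'?*) ;;
        *) echo "make_ldif: password must be pre-hashed (run slappasswd)" >&2
           return 1 ;;
    esac
    # First RDN value of the suffix, e.g. "contegix" from dc=contegix,dc=com.
    dc=${base#dc=}
    dc=${dc%%,*}
    cat <<EOF
dn: $base
objectClass: dcObject
objectClass: organization
dc: $dc
o: $org

dn: cn=Manager,$base
objectClass: organizationalRole
cn: Manager

dn: ou=people,$base
objectClass: organizationalUnit
ou: people

dn: uid=$user,ou=people,$base
objectClass: account
objectClass: simpleSecurityObject
uid: $user
userPassword: $hash
EOF
}

# Typical use on the LDAP host (ldapadd prompts for the rootdn password):
#   make_ldif "dc=contegix,dc=com" "Contegix LLC" jdoe "$(slappasswd)" > init.ldif
#   ldapadd -x -D "cn=Manager,dc=contegix,dc=com" -W -f init.ldif
```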

Apache HTTP 2.1

• As Apache 2.1 is still Beta, it is most likely not included with any Linux distribution.

• Download and build the latest source tarball.

• Important configure options

• --prefix=/opt/httpd/httpd-2.1.x

• --with-ldap

• --enable-mods-shared=all

• --enable-dav-lock

• --enable-ldap

• --enable-authnz-ldap

Apache HTTP 2.1

• Edit httpd.conf

• Specify User and Group

• User webdav

• Group webdav

• Ensure that the ldap_module is loaded before authnz_ldap_module in the LoadModule directives (is not in the default configuration file)

Subversion 1.2

• While a relatively recent version of Subversion ships with most Linux distributions, we will need to build against the Apache just built.

• Download and build the latest source tarball.

• Important configure options

• --prefix=/opt/subversion/subversion-1.2.x

• --with-ssl

• --with-zlib

• --with-apr=/opt/httpd/.../apr-1-config

• --with-apr-util=/opt/httpd/.../apu-1-config

• --with-apxs=/opt/httpd/.../apxs

Creating the Repository

• Setup repository and locks directories.

• mkdir /opt/subversion/repos

• mkdir /opt/subversion/locks

• Create the repository with proper permissions.

• svnadmin create /opt/subversion/repos/webdav

• chown -R webdav:webdav /opt/subversion/repos/webdav

Putting It All Together

• Apache Configuration

<Location />
    DAV svn
    SVNPath /opt/subversion/repos/webdav
    SVNAutoversioning on
    DavGenericLockDB /opt/subversion/locks/davlock

    AuthBasicProvider ldap

    AuthLDAPUrl ldap://localhost:389/ou=People,dc=contegix,dc=com
    AuthzLDAPAuthoritative off

    AuthType basic
    AuthName "Contegix WebDAV"
    Require valid-user
</Location>

• Startup Apache

Other Concerns

• SSL

• For the sake of simplicity of our demonstration, we did not enable HTTPS for the Apache WebDAV server, or TLS for the OpenLDAP server.

• Client compatibility

• At this time, WebDAV support is still rather inconsistent.

• Different clients have varying levels of support, and various quirks that should be considered at this time.

Other Concerns

• Limiting Access by Groups

• Can also configure Apache to require that users be members of a given group in order to access WebDAV share

• Controlled access by Directory

• Subversion’s mod_dav_svn can be configured to restrict read and/or read/write access by directory within the WebDAV share.

• Unfortunately, this feature does not currently support LDAP groups.
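A small lint for the SSL and group-access concerns above, run against the <Location> block from the "Putting It All Together" slide. It is an added example, not code from the presentation; the finding names are invented for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: lint a mod_dav_svn + LDAP <Location> block.
# Finding names are labels invented for this example.

# The slide's configuration, reproduced as sample input.
sample_conf() {
    cat <<'EOF'
<Location />
    DAV svn
    SVNPath /opt/subversion/repos/webdav
    SVNAutoversioning on
    DavGenericLockDB /opt/subversion/locks/davlock
    AuthBasicProvider ldap
    AuthLDAPUrl ldap://localhost:389/ou=People,dc=contegix,dc=com
    AuthzLDAPAuthoritative off
    AuthType basic
    AuthName "Contegix WebDAV"
    Require valid-user
</Location>
EOF
}

# lint_dav_conf: read httpd config on stdin, print one finding per line.
lint_dav_conf() {
    body=$(sed '/^[[:space:]]*#/d')          # drop comment lines
    has() { printf '%s\n' "$body" | grep -Eiq "^[[:space:]]*$1"; }

    # Basic auth sends the LDAP password base64-encoded on every request.
    if has 'AuthType[[:space:]]+basic' &&
       ! has '(SSLEngine[[:space:]]+on|SSLRequireSSL)'; then
        echo BASIC_AUTH_WITHOUT_TLS
    fi
    # The bind to the directory is cleartext unless ldaps:// or a TLS mode
    # is set; a loopback directory is exempt.
    if has 'AuthLDAPUrl[[:space:]]+"?ldap://' &&
       ! has 'AuthLDAPUrl[[:space:]]+"?ldap://(localhost|127\.0\.0\.1)[:/]' &&
       ! has 'AuthLDAPUrl[[:space:]].*[[:space:]](SSL|TLS|STARTTLS)[[:space:]]*$'; then
        echo LDAP_BIND_WITHOUT_TLS
    fi
    # valid-user admits every account in the searched subtree.
    if has 'Require[[:space:]]+valid-user' &&
       ! has 'Require[[:space:]]+ldap-group'; then
        echo ANY_DIRECTORY_USER_ALLOWED
    fi
}

sample_conf | lint_dav_conf
```

On the slide's configuration it reports the Basic-auth and valid-user findings; the LDAP bind is not flagged because the directory is on localhost.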

Future

• Directory level permissioning.

• Subversion developers intend to add support for having groups defined by external authentication mechanisms.

• DeltaV locking support built into Subversion

• Better compatibility between various DeltaV clients.

• Currently a true DeltaV client may or may not interoperate well with a mod_dav_svn server.

Q & A