ADISS - Active Directory Interface for Subversion Security

ADISS is a simple tool to automate the generation of Subversion AuthzSVNAccessFiles. The simple web interface allows the administrator to define the repository paths, the full path to the AuthzSVNAccessFile and the LDAP filter for the Active Directory group that will be used to control access. The script adiss_batch.php (run via a cron job or scheduled task you create at the interval you define)

Technology - Apache, MySQL, PHP. Written and tested on Linux but should work on other operating systems. Uses PHP_LDAP and PHP_MYSQL.

Licensing - Free to use, modify and distribute under the terms of the GNU GPL

Theory of Operation

The Active Directory groups you enter should already be defined in AD, as adiss will query group membership as you add them. If you create mail-enabled groups in AD, you may define the owner of the group as the repository owner, and that person will be able to add/remove members of the group using Outlook. In this fashion you have effectively delegated admin rights for each repository without granting anyone elevated rights on your Subversion server. More details on how to use ADISS can be found in the README file. Additional usage information is available at http://seigafuse.com/?page_id=5

Screenshots can be found here

Downloads

Download available from the project page on Sourceforge

Installation

Obtain and extract the tarball to a location under your web server's root directory, for example:

cd /var/www/html
tar -zxvf adiss-0.90.tgz

Rename the directory if so desired:

mv adiss-x.xX adiss

Set permissions on the directory so that the account your web server runs as has permissions to the files:

chown -R apache:apache adiss

Create the database:

cd adiss
mysql
create database adiss;
grant SELECT, INSERT, UPDATE, DELETE on adiss.* to adiss@localhost identified by 'password';
flush privileges;
quit
mysql adiss < create_tables.sql

(In the initial release the file is misnamed create_tables.sql.sql; just rename it or use that file name.)

Modify the config.inc.php file to match your environment. (the instructions in the INSTALL.txt file have this as config.in.php - it should be config.inc.php)

$db_host = "localhost";
$db_name = "adiss";
$db_user = "adiss";
$db_pass = "password"; # from create database section above
$ldap_server = "adserver.domain.com"; # The GC or AD server
$ldap_server_port = "3268"; # Use port 389 if you are using a DC; I prefer to use port 3268 on the Global Catalog server
$bind_user = "adiss@domain.com";
$bind_pass = "password";
$base_dn = "DC=domain, DC=com";

You should secure this site unless you are OK with anyone managing your settings (not recommended). The application is really intended as an intranet-only application; expose this to the Internet at YOUR OWN RISK.

Here is an example of an Apache configuration file (to be placed in /etc/httpd/conf.d or other server specific location as adiss.conf or other name of your choice) to secure this site. Obviously you will need to customize this for your site/environment:

<Directory /var/www/html/adiss>
AuthType Basic
AuthName "DOMAINNAME"
# On Apache 2.2 and later (mod_authnz_ldap) the LDAP provider must be selected explicitly:
# AuthBasicProvider ldap
AuthLDAPURL ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
AuthLDAPBindDN DOMAIN\adiss
AuthLDAPBindPassword password
Require valid-user
# If you want to be more specific, replace "Require valid-user" with a line like the one below
# Require user username1 username2
Options Indexes FollowSymLinks
AllowOverride All
order allow,deny
allow from all
</Directory>

Restart Apache after adding the above (service httpd restart or other server specific command).

Launch a browser and visit the URL http://yourhost/adiss

When you define a repository and all relevant data, adiss will create the AuthzSVNAccessFile at the location specified after getting the list of members via an LDAP query to AD. To enable the interface to detect changes to AD groups and update the AuthzSVNAccessFile you will need to schedule adiss_batch.php to run at some interval. The updates are intelligent in that adiss tracks the uSNChanged AD attribute in the database and will skip updating the AuthzSVNAccessFile for groups that have not changed. The interface also provides a mechanism (via the additions field) to define additional users to be granted access (either read-only or read-write, whereas all group members are granted read-write access).
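The batch pass described above, as an added example that is not ADISS's own code (the project is written in PHP; this is a stand-alone Python illustration of the same logic). The LDAP query is replaced by a constructed in-memory record so it runs offline; the record layout, the Repository fields, and the "user:ro, user2:rw" format of the additions field are assumptions for this illustration, not the tool's actual schema.

```python
"""Generate a Subversion AuthzSVNAccessFile from an AD group's membership,
skipping the rewrite when the group's uSNChanged value has not moved."""
import re
from dataclasses import dataclass

# Constructed stand-in for an LDAP search result against AD. A real run would
# read the group's 'member' attribute (which holds DNs, to be resolved to
# sAMAccountNames) and its 'uSNChanged' attribute. Note that uSNChanged is a
# per-DC counter that is not replicated, so compare values only against the
# same server (or GC) you queried last time.
FAKE_AD = {
    "CN=svn-projA,OU=Groups,DC=domain,DC=com": {
        "members": ["alice", "bob"],
        "uSNChanged": 1001,
    },
}

# Assumed format of the additions field: "user:ro" or "user:rw", comma separated.
ADDITION_RE = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*:\s*(ro|rw)\s*$")


@dataclass
class Repository:
    repo_path: str        # authz section name, e.g. "projA:/"
    authz_file: str       # where the AuthzSVNAccessFile is written
    group_dn: str         # AD group whose members get read-write access
    additions: str = ""   # extra users, e.g. "carol:ro, dave:rw"
    last_usn: int = -1    # uSNChanged seen at the previous batch run


def group_name(dn):
    """'CN=svn-projA,OU=Groups,...' -> 'svn-projA' (value of the first RDN)."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1].strip()


def parse_additions(additions):
    """Turn 'carol:ro, dave:rw' into [('carol', 'r'), ('dave', 'rw')].
    Malformed entries raise rather than silently granting nothing."""
    extra = []
    for item in (s.strip() for s in additions.split(",")):
        if not item:
            continue
        match = ADDITION_RE.match(item)
        if not match:
            raise ValueError(f"bad additions entry: {item!r}")
        user, mode = match.groups()
        extra.append((user, "r" if mode == "ro" else "rw"))
    return extra


def render_authz(repo, members):
    """Build the authz text: one [groups] entry plus one path section."""
    name = group_name(repo.group_dn)
    lines = [
        "[groups]",
        f"{name} = {','.join(sorted(members))}",
        "",
        f"[{repo.repo_path}]",
        f"@{name} = rw",
    ]
    for user, perm in parse_additions(repo.additions):
        if user in members:
            continue  # already covered by the group's read-write grant
        lines.append(f"{user} = {perm}")
    return "\n".join(lines) + "\n"


def sync(repo, lookup):
    """One batch pass for one repository. Returns (changed, authz_text);
    authz_text is None when the group is unchanged since the last run."""
    record = lookup(repo.group_dn)
    if record is None:
        raise LookupError(f"group not found in AD: {repo.group_dn}")
    if record["uSNChanged"] == repo.last_usn:
        return False, None
    text = render_authz(repo, record["members"])
    repo.last_usn = record["uSNChanged"]
    return True, text


if __name__ == "__main__":
    repo = Repository("projA:/", "/tmp/projA-authz",
                      "CN=svn-projA,OU=Groups,DC=domain,DC=com", "carol:ro")
    changed, text = sync(repo, FAKE_AD.get)
    if changed:
        with open(repo.authz_file, "w") as fh:
            fh.write(text)
        print(text)
```

Persisting `last_usn` in the database (as adiss does) is what makes the skip useful across cron runs; the in-memory field here only survives for the life of the process.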

Feedback and Support

Use the Project Forums to request support. If you download and use the package please drop a note in one of the forums to let me know how it is working out for you. I'm very interested in feedback on how it works and areas for improvement.

Project hosting provided by Sourceforge

ADISS ©2006 Mike Seigafuse