ADISS - Active Directory Interface for Subversion Security
ADISS is a simple tool to automate the generation of Subversion AuthzSVNAccessFiles. The simple web interface allows the administrator to define the repository paths, the full path to the AuthzSVNAccessFile and the LDAP filter for the Active Directory group that will be used to control access. The script adiss_batch.php (run via a cron job or scheduled task you create at the interval you define)
Requires Apache, MySQL and PHP. Written and tested on Linux but should work on other operating systems. Uses PHP_LDAP and PHP_MYSQL.
Free to use, modify and distribute under the terms of the GNU GPL.
Download available from the project page on Sourceforge.
Obtain and extract the tarball to a location under your web server's root directory, for example:
cd /var/www/html
tar -zxvf adiss-0.90.tgz
Rename the directory if so desired:
mv adiss-x.xX adiss
Set permissions on the directory so that the account your web server runs as has permissions to the files:
chown -R apache:apache adiss
Create the database:
cd adiss
mysql
create database adiss;
grant SELECT, INSERT, UPDATE, DELETE on adiss.* to adiss@localhost identified by 'password';
flush privileges;
quit
mysql adiss < create_tables.sql
(The file is misnamed as create_tables.sql.sql in the initial release; just rename it or use the correct file name.)
Modify the config.inc.php file to match your environment. (The instructions in the INSTALL.txt file have this as config.in.php; it should be config.inc.php.)
$db_host = "localhost";
$db_name = "adiss";
$db_user = "adiss";
$db_pass = "password"; # from the create database section above
$ldap_server = "adserver.domain.com"; # the GC or AD server
$ldap_server_port = "3268"; # use port 389 if you are using a DC; I prefer port 3268 on the Global Catalog server
$bind_user = "adiss@domain.com";
$bind_pass = "password";
$base_dn = "DC=domain, DC=com";
You should secure this site unless you are OK with anyone managing your settings (not recommended). The application is really intended as an intranet-only application; expose this to the Internet at YOUR OWN RISK.
Here is an example of an Apache configuration file (to be placed in /etc/httpd/conf.d or other server-specific location as adiss.conf or another name of your choice) to secure this site. Obviously you will need to customize this for your site/environment:
<Directory /var/www/html/adiss>
    AuthType Basic
    AuthName "DOMAINNAME"
    # Needed for mod_authnz_ldap on Apache 2.2 and later; omit on Apache 2.0's mod_auth_ldap
    AuthBasicProvider ldap
    AuthLDAPURL ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
    AuthLDAPBindDN DOMAIN\adiss
    AuthLDAPBindPassword password
    Require valid-user
    # If you want to be more specific, replace the Require valid-user line with the one below
    # Require user username1 username2
    Options Indexes FollowSymLinks
    AllowOverride All
    order allow,deny
    allow from all
</Directory>
Restart Apache after adding the above (service httpd restart or other server-specific command).
Launch a browser and visit the URL http://yourhost/adiss
When you define a repository and all relevant data, adiss will create the AuthzSVNAccessFile at the location specified after getting the list of members via an LDAP query to AD. To enable the interface to detect changes to AD groups and update the AuthzSVNAccessFile you will need to schedule adiss_batch.php to run at some interval. The updates are intelligent in that adiss tracks the uSNChanged AD attribute in the database and will skip updating the AuthzSVNAccessFile for groups that have not changed. The interface also provides a mechanism (via the additions field) to define additional users to be granted access (either read-only or read-write, whereas all group members are granted read-write access).
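The following is an added illustration, not ADISS's own code: it renders the AuthzSVNAccessFile section for one repository path from a group's members plus the additions field, and skips the rewrite when the group's stored uSNChanged value has not moved, the way the batch script is described above. The LDAP result, the shape of the additions field and the group name ad_members are constructed assumptions.

```python
# Added example (not ADISS's own code). Builds a Subversion AuthzSVNAccessFile
# for one repository path from an AD group's members, and mimics the
# uSNChanged check that lets adiss_batch.php skip groups that did not change.
from typing import Dict, List, Tuple

# Constructed stand-in for the LDAP search result for one group (no live AD).
GROUP_ENTRY = {
    "dn": "CN=svn-project-rw,OU=Groups,DC=domain,DC=com",
    "uSNChanged": 118234,
    "members": ["alice", "bob"],   # sAMAccountNames resolved from member DNs
}

# Assumed shape of the interface's "additions" field: (user, "r" or "rw").
ADDITIONS = [("carol", "r"), ("dave", "rw")]


def render_authz(repo_path: str, members: List[str],
                 additions: List[Tuple[str, str]]) -> str:
    """Return AuthzSVNAccessFile text: group members get rw, additions get
    the level given for them. Nobody else is granted anything because no
    '* =' line appears, so Subversion denies all other users."""
    lines = ["[groups]",
             "ad_members = " + ", ".join(sorted(members)),
             "",
             f"[{repo_path}]",
             "@ad_members = rw"]
    for user, level in additions:
        if level not in ("r", "rw"):
            raise ValueError(f"bad access level {level!r} for {user}")
        lines.append(f"{user} = {level}")
    return "\n".join(lines) + "\n"


def update_if_changed(entry: dict, last_usn: Dict[str, int], repo_path: str,
                      additions: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Compare the group's current uSNChanged with the value recorded on the
    previous run (the database in adiss); regenerate only when it differs.
    Returns (regenerated?, authz text or '')."""
    dn = entry["dn"]
    if last_usn.get(dn) == entry["uSNChanged"]:
        return False, ""
    last_usn[dn] = entry["uSNChanged"]
    return True, render_authz(repo_path, entry["members"], additions)


if __name__ == "__main__":
    state: Dict[str, int] = {}
    print(update_if_changed(GROUP_ENTRY, state, "proj:/", ADDITIONS)[1])
    print("second run regenerated:",
          update_if_changed(GROUP_ENTRY, state, "proj:/", ADDITIONS)[0])
```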
Project hosting provided by Sourceforge