When configuring Apache with mod_svn for Subversion repositories, many teams face this common scenario: LDAP authentication works perfectly for domain users, but you need to accommodate service accounts or build machines that can't be added to your corporate directory. Here's how to implement a solution that checks credentials against both LDAP and an htpasswd file.
Your httpd.conf or virtual host configuration needs these directives:
<Location /svn>
DAV svn
SVNPath /path/to/repository
# LDAP Configuration
AuthType Basic
AuthName "Subversion Repository"
AuthBasicProvider ldap file
AuthLDAPURL "ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid?sub?(objectClass=*)"
AuthLDAPBindDN "cn=admin,dc=example,dc=com"
AuthLDAPBindPassword "admin_password"
# htpasswd Configuration
AuthUserFile /path/to/svnusers
Require valid-user
</Location>
For your build machine account, create a separate credential store:
htpasswd -c /path/to/svnusers builduser
The -c flag creates a new file. Omit it when adding subsequent users.
Apache's AuthBasicProvider directive processes providers in the order specified. In our configuration:
- Apache first attempts LDAP authentication
- If LDAP fails, it checks the htpasswd file
- Access is granted if either authentication succeeds
If authentication fails:
- Verify file permissions on svnusers (Apache needs read access)
- Check SELinux contexts if applicable: chcon -R -t httpd_sys_content_t /path/to/svnusers
- Test LDAP connectivity separately with ldapsearch
For production environments:
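# Restrict the htpasswd account to specific IPs
<RequireAny>
Require ldap-group cn=svn-users,ou=groups,dc=example,dc=com
# builduser (htpasswd) is accepted only from the build machine IP.
# A bare "Require ip" here would admit that IP without any credentials.
<RequireAll>
Require user builduser
Require ip 192.168.1.100
</RequireAll>
</RequireAny>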
When configuring Apache with mod_svn for Subversion repositories, many teams face this exact scenario: LDAP works perfectly for regular domain users, but you need special-case authentication for service accounts like build machines. The key is implementing a fallback mechanism where Apache checks both LDAP and local htpasswd credentials.
Apache 2.4+ supports chaining authentication providers using the AuthBasicProvider directive. Here's the magic combination:
<Location /svn>
DAV svn
SVNPath /var/svn/repository
AuthType Basic
AuthName "Subversion Repository"
# The critical line combining both providers
AuthBasicProvider ldap file
# LDAP configuration
AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?uid?sub?(objectClass=*)"
AuthLDAPBindDN "cn=admin,dc=example,dc=com"
AuthLDAPBindPassword "password"
# htpasswd configuration
AuthUserFile /etc/apache2/svn-htpasswd
Require valid-user
</Location>
For your build machine, create a dedicated user in the htpasswd file:
htpasswd -c /etc/apache2/svn-htpasswd builduser
The -c flag creates the file if it doesn't exist. For subsequent users, omit -c to avoid overwriting.
When this setup fails, check these common issues:
- Verify both providers are listed in AuthBasicProvider (order matters)
- Check file permissions on svn-htpasswd (Apache needs read access)
- Test LDAP connectivity separately with ldapsearch
- Enable Apache debug logging with LogLevel debug
For high-traffic SVN servers, remember that:
- LDAP authentication adds latency compared to local files
- The provider chain stops at the first successful authentication
- Caching can be implemented with mod_authn_socache
For more complex scenarios, you might need:
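# List both providers on one line; a second AuthBasicProvider line would replace the first
AuthBasicProvider ldap file
# Apache 2.4 expresses OR between requirements with <RequireAny> instead of "Satisfy any"
<RequireAny>
# ldap-username is a placeholder for the LDAP account to admit
Require ldap-user ldap-username
Require valid-user
</RequireAny>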
This creates a true OR condition between authentication methods.
- Always use HTTPS with Basic auth
- Restrict htpasswd access to service accounts only
- Regularly audit local credentials
- Consider IP restrictions for build machine access
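One way to carry out the "service accounts only" and "regularly audit local credentials" points above, as an added example that is not part of the original article: a small audit of the htpasswd file that flags accounts outside an allowlist, weaker hash schemes, and a world-readable file. The allowlist, the accepted schemes, the function names and the sample entries are assumptions made for illustration.

```python
import os
import stat

# Assumptions (not from the article): the allowlist and the accepted schemes.
ALLOWED_ACCOUNTS = {"builduser"}
ACCEPTED_SCHEMES = {"bcrypt", "sha2-crypt"}
PREFIXES = [("$2y$", "bcrypt"), ("$5$", "sha2-crypt"), ("$6$", "sha2-crypt"),
            ("$apr1$", "apr1-md5"), ("{SHA}", "sha1-unsalted")]

def hash_scheme(value):
    """Classify a stored hash by prefix; anything else is crypt() or plaintext."""
    for prefix, name in PREFIXES:
        if value.startswith(prefix):
            return name
    return "crypt-or-plaintext"

def audit_lines(lines):
    """Return (line_no, user, finding) tuples for entries that need attention."""
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, value = line.partition(":")
        if not sep or not user or not value:
            findings.append((no, user, "malformed entry"))
            continue
        if user not in ALLOWED_ACCOUNTS:
            findings.append((no, user, "not an approved service account"))
        if hash_scheme(value) not in ACCEPTED_SCHEMES:
            findings.append((no, user, "hash scheme " + hash_scheme(value)))
    return findings

def audit_file(path):
    """Audit a file on disk and also flag world-readable permissions."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_lines(fh)
    if os.stat(path).st_mode & stat.S_IROTH:
        findings.append((0, "", "file is world-readable"))
    return findings

# Constructed sample entries; the hash strings are fake placeholders.
SAMPLE = ["builduser:$2y$10$CONSTRUCTED.placeholder",
          "jsmith:$apr1$salt1234$CONSTRUCTED.placeholder",
          "builduser2:{SHA}CONSTRUCTED.placeholder=", "orphan-line-without-hash"]

if __name__ == "__main__":
    for no, user, finding in audit_lines(SAMPLE):
        print(f"line {no}: {user}: {finding}")
```

Entries flagged for their hash scheme can be re-created with htpasswd -B, which stores a bcrypt hash.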