ADISS

Overview

ADISS is a simple tool to automate the generation of Subversion AuthzSVNAccessFiles. The simple web interface allows the administrator to define the repository paths, the full path to the AuthzSVNAccessFile and the LDAP filter for the Active Directory group that will be used to control access. The script adiss_batch.php (run via a cron job or scheduled task you create at the interval you define)

Technology

Apache, MySQL, PHP. Written and tested on Linux but should work on other operating systems. Uses PHP_LDAP and PHP_MYSQL.

Licensing

Free to use, modify and distribute under the terms of the GNU GPL

Theory of Operation

The Active Directory groups you enter should already be defined in AD, as adiss will query group membership as you add them. If you create mail-enabled groups in AD, you may define the owner of each group as the repository owner, and that person will be able to add/remove members of the group using Outlook. In this fashion you have effectively delegated admin rights for each repository without granting anyone any elevated rights on your Subversion server. More details on how to use ADISS can be found in the README file. This program also assumes you have already created your Subversion repository. The procedures to create your repository can be found in the Subversion documentation; procedures that are known to work with ADISS are included here for reference.

Creating new repositories

  • Login to the Subversion server using an account suitably privileged (account has access to create directories and modify Apache configuration files)
  • Select and navigate to a suitable location to store the repository (/home, /var, or other location)
  • Execute the command:
svnadmin create --fs-type fsfs path-to-repository
Example: svnadmin create --fs-type fsfs /home/testrepo

Note: A repository is created with a Berkeley DB back-end by default; thus the fs-type switch must be specified to achieve the correct type of repository.

  • Next you will need to enable this repository for access via Apache’s WEBDAV. To do this perform the following tasks:
  • Navigate to /etc/httpd/conf.d
  • Create an Apache configuration file such as the one listed below (items in bold may need to be adjusted to your environment):
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
DAV svn
SVNPath /home/testrepo
AuthType Basic
AuthName "DOMAINNAME"
AuthLDAPURL ldap://ldapserver.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
AuthLDAPBindDN DOMAINNAME\BIND-ACCOUNT
AuthLDAPBindPassword BIND-ACCOUNT-PASSWORD
Require valid-user
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthzSVNAccessFile /var/www/testrepo-access.conf

  • Next, access adiss via the configured URL, http:///adiss/, using your DOMAIN username and password.

Screenshots can be found here

Downloads

Download available from the Sourceforge Project Page

Installation

Obtain and extract the tarball to a location under your web server’s root directory, for example:

cd /var/www/html
tar -zxvf adiss-0.90.tgz

Rename the directory if so desired:

mv adiss-x.xX adiss

Set permissions on the directory so that the account your web server runs as has permissions to the files:

chown -R apache:apache adiss

Create the database:

cd adiss
mysql
create database adiss;
grant SELECT, INSERT, UPDATE, DELETE on adiss.* to adiss@localhost identified by 'password';
flush privileges;
quit
mysql adiss < create_tables.sql

(The file is misnamed as create_tables.sql.sql in the initial release; just rename it or use the correct file name.)

Modify the config.inc.php file to match your environment. (The instructions in the INSTALL.txt file have this as config.in.php; it should be config.inc.php.)

$db_host = "localhost";
$db_name = "adiss";
$db_user = "adiss";
$db_pass = "password"; # from create database section above
$ldap_server = "adserver.domain.com"; # The GC or AD server
$ldap_server_port = "3268"; # Use port 389 if you are using a DC; I prefer to use port 3268 on the Global Catalog server
$bind_user = "adiss@domain.com";
$bind_pass = "password";
$base_dn = "DC=domain, DC=com";

AuthType Basic
AuthName "DOMAINNAME"
AuthLDAPURL ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
AuthLDAPBindDN DOMAIN\adiss
AuthLDAPBindPassword password
Require valid-user
# If you want to be more specific you could use the line below
Require user username1 username2
Options Indexes FollowSymLinks
AllowOverride All
order allow,deny
allow from all

Restart Apache after adding the above (service httpd restart or other server specific command).

Launch a browser and visit the URL http://yourhost/adiss

When you define a repository and all relevant data, adiss will create the AuthzSVNAccessFile at the location specified after getting the list of members via an LDAP query to AD. To enable the interface to detect changes to AD groups and update the AuthzSVNAccessFile, you will need to schedule adiss_batch.php to run at some interval. The updates are intelligent in that adiss tracks the USNChanged AD attribute in the database and will skip updating the AuthzSVNAccessFile for groups that have not changed. The interface also provides a mechanism (via the additions field) to define additional users to be granted access (either read-only or read-write, whereas all group members are granted read-write access).
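The update cycle described above, sketched in Python as an added example (this is not ADISS's own PHP code). The function names, the constructed sample group, the "/" section path and the username whitelist are assumptions made for illustration; the whitelist keeps blank entries (such as a nested group with no account name) and characters like "=", "[" or newlines out of the generated access file.

```python
import re

# Constructed sample: the result of an LDAP query for one AD group.
# The empty string stands for a nested group that yielded no account name.
SAMPLE_GROUP = {"usn_changed": 48213, "members": ["alice", "bob", "", "Carol.D"]}

# Assumed whitelist for account names written into the access file.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")

def render_authz(path, members, additions=None):
    """Return access-file text: rw for group members, plus per-user additions.

    additions maps username -> "r" or "rw" (the "additions" field).
    """
    rights = {}
    for name in members:
        # fullmatch (not match) so a trailing newline cannot slip through
        if SAFE_NAME.fullmatch(name):
            rights[name] = "rw"
    for name, mode in (additions or {}).items():
        if not SAFE_NAME.fullmatch(name) or mode not in ("r", "rw"):
            raise ValueError(f"bad addition: {name!r} = {mode!r}")
        rights.setdefault(name, mode)  # group membership (rw) takes precedence
    lines = [f"[{path}]"]
    lines += [f"{user} = {mode}" for user, mode in sorted(rights.items())]
    return "\n".join(lines) + "\n"

def sync_group(group, stored_usn, path="/", additions=None):
    """Return (authz_text_or_None, usn_to_store).

    None means uSNChanged equals the stored value, so the existing
    access file is left untouched.
    """
    if stored_usn is not None and group["usn_changed"] == stored_usn:
        return None, stored_usn
    text = render_authz(path, group["members"], additions)
    return text, group["usn_changed"]

if __name__ == "__main__":
    text, usn = sync_group(SAMPLE_GROUP, stored_usn=None, additions={"dave": "r"})
    print(text, end="")
    print(sync_group(SAMPLE_GROUP, stored_usn=usn))  # second run: nothing to do
```
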

Note: Some users have reported issues with ADISS until an Apache alias directive was added. If you are having problems, you may want to try adding the alias directive to the Apache configuration file.

Feedback and Support

If you have any feedback on how ADISS works for you, a problem to report or a suggestion to improve ADISS just leave a comment here.

9 Responses to “ADISS”

  1. Danish INDIA Windows 2000 Mozilla Firefox 2.0.0.4 says:

    This software is awesome man! I was searching a project administration tool over the browser and had wished that something like this was available.
    I may not be very correct, but I have a question.
    What if a project admin wants to delete a certain file or dir under the repository of his control?
    If I’m not wrong, he cannot do it through your tool.

    Otherwise your software rocks man!

  2. Mike UNITED STATES Windows XP Mozilla Firefox 2.0.0.4 says:

    Thank you, glad you find it useful. I am assuming you are referring to ADISS and if so you are correct – it doesn’t really do much in the area of repository maintenance/administration other than simplify/automate the integration with Active Directory. If I ever get enough time I would like to do more in the area of repository admin (would like to have it create the repositories as a start). Deleting files/directories out of Subversion may be a bit trickier though as the history will all still be there and the only way I know of to completely remove items is to do a dump and restore with a filter to exclude files you don’t want.

    You might also want to check out http://svnmanager.sourceforge.net/. This looks like a nice tool too, but wasn’t a good match for my requirements.

    Mike

  3. Daniel UNITED STATES Windows Server 2003 Internet Explorer 6.0 says:

    I couldn’t understand some parts of this article, but I guess I just need to check some more resources regarding this, because it sounds interesting.

  4. Mike UNITED STATES Windows XP Mozilla Firefox 2.0.0.7 says:

    Let me know which parts don’t make sense. I’ll try to improve the documentation if you provide some feedback to help me out with which parts don’t make sense.

    Mike

  5. David UNITED STATES Windows XP Mozilla Firefox 2.0.0.7 says:

    I was excited to see how this tool was going to do. I was sad to see that it does not recursively go through sub-groups. That’d be a nice feature.

    Right now, it puts a blank entry ” = rw” for a sub group, which you may want to remove.

    Another thing is, what is the usage for the “Repository Path:” field, is it just a data point for administration purposes? I thought it would create permissions on that specific path for the group I was configuring. That would be nice if the field was to indicate per-directory level permissions.

    -dc-

  6. Mike UNITED STATES Windows XP Mozilla Firefox 2.0.0.7 says:

    David,

    Handling nested groups is something I would like to take care of, it is just a matter of finding the time. As for the permissions on the repository path, I hadn’t considered that. I assumed users were only accessing the repository through a Subversion client, but maybe I am missing some reason to do this. Can you fill me in on why this is needed?

    Mike

  7. shuggekeeli ISRAEL Windows XP Internet Explorer 6.0 says:

    Hi all!

    As newly registered user I just wanted to say hi to everyone else who uses this board :-D

  8. Pat CANADA Windows XP Internet Explorer 6.0 says:

    Hi Mike,

    One of the reasons would be to give permission to a group of developers to commit the code in the trunk but not allow them to create tags and branches.

    Pat

  9. Hello to all ! Greetings From Poland. very Good Page !
