Websvn with Bugzilla and LDAP authentication

Introduction

My goal is to have a system that uses a single authentication database and links the revisions mentioned in Bugzilla to their corresponding tree in SVN. One of my colleagues wrote an extension which I found very useful and decided to use.

System

The target system is a private cloud running on KVM and Debian for training purposes. All functionality is split across different virtual machines to keep tasks separated.

LDAP

I used OpenLDAP, but any other LDAP server will do.
Installation can be done with any how-to (mine is done with preseed).
One important part is to have a proxy user with only read rights on the LDAP tree. Its password is stored in clear text, so it is a good idea to give it the least privileges possible.

access to attrs=userpassword
 by anonymous auth
 by self write
 by * none
access to *
 by self read
 by users read
 by anonymous auth

Bugzilla

The distribution package can be used for this purpose, but I prefer to install from source myself. Use the documentation from the vendor's page: http://www.bugzilla.org/docs/4.2/en/html/ , since there are a lot of misleading setups around.
It is practical to put Bugzilla into a separate virtual host:

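<VirtualHost *:80>
 # *:80 is an assumed listen address; adjust to your setup
 ServerAdmin me@mydomain.yes
 ServerName bugzilla.mydomain.yes
 DocumentRoot /var/www/bugzilla
 <Directory /var/www/bugzilla>
  # Run the Bugzilla .cgi scripts and serve index.cgi by default
  AddHandler cgi-script .cgi
  Options +Indexes +ExecCGI
  DirectoryIndex index.cgi
  AllowOverride Limit FileInfo Indexes
 </Directory>
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>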

Also, under Administration -> Parameters -> User Authentication, don't forget to change user_verify_class and add LDAP-based authentication. Then under LDAP server enter the FQDN of your LDAP server. LDAPbinddn should be your proxy user followed by a colon and your password ( cn=default,cn=user:password ). Also check that LDAPuidattribute is set to the attribute you want to authenticate against. If you wish to set it to your cn, or any other specific attribute, you can do it here. If you want to authenticate with an email address, please have a look at LDAPmailattribute.
If an incorrect LDAPmailattribute is specified, Bugzilla will give an appropriate error message stating that the email attribute is not correct.

SVN integration

A colleague of mine wrote an excellent module: http://sourceforge.net/projects/websvnzilla/ and all credit for the extension goes to him. Installation is straightforward and easy. Just download the extension, go to the Bugzilla root folder (/var/www/bugzilla) and

patch -p1 

Now navigate to Administration -> Parameters -> WebSVN Settings, where two parameters need to be configured:
websvnpath: http://svn.mydomain.yes/
websvnrepo: projects
These will be used when creating the SVN links.
Now Bugzilla is ready for LDAP authentication and for SVN links.

SVN

SVN is preseeded on all my machines, since the checkouts are needed for my infrastructure scripts as well. Only WebSVN is needed additionally. As with Bugzilla, either install the distro package or download it from source.
First let's add the virtual host for WebSVN.

<VirtualHost *:80>
 # *:80 is an assumed listen address; adjust to your setup
 ErrorLog ${APACHE_LOG_DIR}/error.log
 LogLevel warn
 CustomLog ${APACHE_LOG_DIR}/access.log combined
 ServerAdmin me@mydomain.yes
 ServerName svn.mydomain.yes
 DocumentRoot /usr/share/websvn
 ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
 <Directory "/usr/lib/cgi-bin">
  AllowOverride None
  Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
  Order allow,deny
  Allow from all
 </Directory>
 # Container path assumed to be the DocumentRoot
 <Directory /usr/share/websvn>
  Options FollowSymLinks
  Order allow,deny
  Allow from all
  # Authenticate web users against LDAP, binding as the read-only proxy user
  AuthBasicProvider ldap
  AuthType Basic
  AuthzLDAPAuthoritative on
  AuthName "Subversion Repository Web Browsing"
  AuthLDAPURL "ldap://ldap.mydomain.yes/ou=People,dc=anything?userid?sub?(objectClass=*)" NONE
  AuthLDAPBindDN "cn=proxyuser,ou=People,dc=anything"
  AuthLDAPBindPassword VerySecret
  Require valid-user
  php_flag magic_quotes_gpc Off
  php_flag track_vars On
 </Directory>
</VirtualHost>

This also makes sure that access is authenticated against LDAP when viewing the web repository. Since SVN commits are done with svn+ssh, we need to configure pam_ldap to authenticate from LDAP.
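An added example, not part of the original post or of the WebSVN or Bugzilla projects: a small Python check for two risks in the virtual host above, the LDAP bind running without TLS (the NONE mode) and the proxy user's password sitting inline in a file that may be world-readable. The function names and finding labels are hypothetical, the sample is constructed from the directives shown above, and the exec: form of AuthLDAPBindPassword that the check accepts exists only in Apache 2.4.5 and later.

```python
import os
import shlex
import stat

# Constructed sample: the LDAP directives from the WebSVN virtual host above.
SAMPLE_VHOST = '''\
AuthBasicProvider ldap
AuthType Basic
AuthLDAPURL "ldap://ldap.mydomain.yes/ou=People,dc=anything?userid?sub?(objectClass=*)" NONE
AuthLDAPBindDN "cn=proxyuser,ou=People,dc=anything"
AuthLDAPBindPassword VerySecret
Require valid-user
'''

# Connection modes of AuthLDAPURL that encrypt the bind and the search.
ENCRYPTED_MODES = {"SSL", "TLS", "STARTTLS"}


def audit_vhost(text, file_mode=None):
    """Return (line number, finding) pairs; file_mode is the file's st_mode."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # honours the quoted URL argument
        except ValueError:
            continue  # unbalanced quotes: not a line this check understands
        name, args = parts[0].lower(), parts[1:]
        if name == "authldapurl" and args:
            mode = args[1].upper() if len(args) > 1 else "NONE"
            if not args[0].lower().startswith("ldaps://") and mode not in ENCRYPTED_MODES:
                findings.append((lineno, "cleartext-ldap"))
        elif name == "authldapbindpassword" and args:
            if not args[0].startswith("exec:"):  # exec: needs Apache 2.4.5+
                findings.append((lineno, "inline-bind-password"))
                if file_mode is not None and file_mode & stat.S_IROTH:
                    findings.append((lineno, "world-readable-secret"))
    return findings


def audit_file(path):
    """Audit a config file on disk, taking its permissions into account."""
    with open(path) as fh:
        return audit_vhost(fh.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    for finding in audit_vhost(SAMPLE_VHOST, 0o100644):
        print(finding)
```

On Apache 2.2, where exec: is not available, the inline-bind-password finding cannot be cleared, so the practical fixes are switching the URL mode to STARTTLS or ldaps:// and making the virtual host file readable only by root.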

Pam_ldap

There are a lot of write-ups on how to set up a system for it. Basically, the necessary packages need to be installed and 4 files need to be edited: pam_ldap.conf, nsswitch.conf, libnss-ldap.conf, common-session.
If I have time, I will write a small how-to on this configuration.

Conclusion

We now have a version tracking system with our own LDAP backend. Later on we can think about including MediaWiki for documentation, or even adding some project management software to keep track of milestones.
Sidenote: Redmine can provide all these features in one; I was just playing around to get familiar with different tools.

Author: S4mur4i

Happy in the unhappy world.
