Building a Versioning Document Repository
Using Apache HTTP Server, OpenLDAP, and Subversion
By: Craig A. McElroy
Who Am I?
• Co-founder of Metissian & Contegix
• Contegix is a colocation and managed hosting company specializing in Linux and Mac OS X located in downtown St. Louis, MO.
• Maintainer of Subversion OS X Packages at http://www.metissian.com
• Early adopter of the Subversion version control system
• Have been using it since the pre-1.0 releases for source control, document versioning, etc.
Document Repository
• A document repository is any central storage location for documents.
• Various storage and access mechanisms
• NFS
• Samba
• Simple Web Application
• WebDAV
WebDAV
• What is WebDAV?
• Briefly: WebDAV stands for “Web-based Distributed Authoring and Versioning”
• Set of extensions to the HTTP protocol which allow remote collaborative authoring of web resources.
• Defined in RFC 2518
• Visit http://www.webdav.org/ for more information.
WebDAV Servers
• Apache HTTP Server
• mod_dav - Base WebDAV support module which requires another module to define the storage implementation.
• mod_dav_fs - WebDAV module provided by Apache which uses underlying filesystem for storage.
• Other mod_dav implementations exist (as we’ll see in a bit)
WebDAV Servers
• Jakarta Slide
• http://jakarta.apache.org/slide/index.html
• Zope
• http://www.zope.org/
• .Mac
• Apple’s .Mac service is WebDAV based.
• A number of other Open Source and Commercial servers.
WebDAV Clients
• Nautilus 2
• Official file manager/browser for GNOME.
• http://www.gnome.org/projects/nautilus
• Linux davfs2
• A filesystem module for the Linux kernel based on Coda (http://coda.cs.cmu.edu/)
• http://dav.sourceforge.net/
• Cadaver Command Line Client
• http://www.webdav.org/cadaver/
WebDAV Clients
• Mac OS X
• Apple’s OS X has an integrated WebDAV client.
• Prior to 10.4, it did not support HTTPS.
• Win32 WebFolders
• Windows 98, 2000, and XP have an integrated WebDAV client known as “WebFolders”
• Not as integrated as Apple’s implementation.
• WebDrive Commercial Windows Client
• http://www.southrivertech.com/
DeltaV Extensions
• Despite the “V” in WebDAV, there is no versioning model included in the WebDAV RFC.
• Because RFC 2518 left out versioning concepts, another capable group was left with the responsibility of writing RFC 3253, which adds versioning to WebDAV.
• WebDAV/DeltaV clients and servers are often called just “DeltaV” clients and servers, since DeltaV implies the existence of basic WebDAV.
DeltaV
• The coolest feature of the DeltaV extensions is Autoversioning.
• Allows basic WebDAV clients that are not aware of versioning to create new versions by simply doing a PUT operation.
• The server will translate that to the series of operations that will generate a new version of the existing file.
• In the event of a needed file restore, a system administrator could simply pull an old version.
LDAP
• What is LDAP?
• Lightweight Directory Access Protocol
• Designed at the University of Michigan to adapt a complex enterprise directory system (called X.500) to the modern internet.
• De facto standard for user information storage, searching, and authentication.
• Many implementations of LDAP Servers
• Tremendous client support
LDAP Servers
• OpenLDAP - http://www.openldap.org/
• Open Source LDAP Server
• Novell eDirectory
• Red Hat Directory Server (Formerly Netscape Directory Server)
• Microsoft Active Directory
• Supports the LDAP interface, but has some quirks
• Apache DS - Pure Java LDAP Server
• http://directory.apache.org/subprojects/apacheds/
LDAP Clients
• Nearly all e-mail clients support LDAP database searches
• Apache Authentication Modules
• Apache 2.0: mod_auth_ldap
• http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html
• Apache 2.1: mod_authnz_ldap
• http://httpd.apache.org/docs-2.1/mod/mod_authnz_ldap.html
Subversion
• http://subversion.tigris.org/
• Subversion is a version control system with a WebDAV/DeltaV server implementation for Apache
• mod_dav_svn Apache Module
• Subversion was designed to be a replacement for CVS in the version control realm
• Provides many added benefits because of its WebDAV/DeltaV capabilities
DeltaV in Subversion
• Currently, not all features of DeltaV are implemented in Subversion, but most of the core ones are.
• RFC 3253 is still relatively new, and Subversion developers intend to improve support in future releases.
• But, what about Autoversioning?!?!?
Autoversioning
• Does autoversioning really work in Subversion?
• Well, sort of.
• At this time, Subversion still lacks support for the WebDAV LOCK and UNLOCK methods, so editing a file in place is not supported.
• Can still copy the file to local filesystem, edit it, and copy it back.
• Come on, is this really the best we can do?
mod_dav_lock
• Apache 2.1 (still in beta) has introduced a new mod_dav_lock module.
• http://httpd.apache.org/docs-2.1/mod/mod_dav_lock.html
• Provides a generic locking API which can be used by any backend provider of mod_dav (mod_dav_svn in our case)
• Uses a file based lock database to provide the locking mechanism that would otherwise be missing from Subversion’s DeltaV support.
• Creates the “illusion” that the lock was accepted.
Why These?
• This exact configuration was implemented for a client in late 2004.
• Why WebDAV?
• Needed to support multiple platforms.
• Needed to be able to securely access data.
• Why LDAP?
• Client also wanted to consolidate user accounts between a dozen servers, miscellaneous web applications (including Bugzilla), etc.
• The document repository needed the same accounts.
• Why Subversion?
• Subversion was already being used as the version control system for source code.
Configuration & Demo
• OpenLDAP
• http://www.openldap.org/
• phpLDAPadmin
• http://phpldapadmin.sourceforge.net/
• Apache HTTP Server 2.1 (Beta)
• http://httpd.apache.org/
• Subversion 1.2 (RC)
• http://subversion.tigris.org/
OpenLDAP
• Included with any modern Linux distribution
• RHEL v.4 comes with OpenLDAP 2.2
• Edit /etc/openldap/slapd.conf
• Define suffix, rootdn, and rootpw
• suffix "dc=contegix,dc=com"
• rootdn "cn=Manager,dc=contegix,dc=com"
• rootpw {SSHA}................................
• Encrypted rootpw value can be generated using slappasswd
OpenLDAP
• Start the OpenLDAP server
• Do a simple test using:
• ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
• If this works, we are ready to begin populating the LDAP database.
• Option 1: Use .ldif files and ldapadd commands
• Option 2: Use a LDAP client utility
• phpLDAPadmin
phpLDAPadmin
• Install to a location where it is accessible from a webserver.
• Edit the config.php file
• Define the values for host, base, and auth_type
• $servers[$i]['host'] = 'localhost';
• $servers[$i]['base'] = 'dc=contegix,dc=com';
• $servers[$i]['auth_type'] = 'session';
• An auth_type of session will prompt for a login upon accessing the application.
Setup LDAP Objects Using phpLDAPadmin
• Create the organization with dcObject and organization objectClass
• o = Contegix LLC
• Manager organizationalRole
• cn=Manager,dc=contegix,dc=com
• People organizationalUnit
• ou=people
• Users, users, users
• Use simpleSecurityObject for our example
Apache HTTP 2.1
• As Apache 2.1 is still beta, it is most likely not included with any Linux distribution.
• Download and build the latest source tarball.
• Important configure options
• --prefix=/opt/httpd/httpd-2.1.x
• --with-ldap
• --enable-mods-shared=all
• --enable-dav-lock
• --enable-ldap
• --enable-authnz-ldap
Apache HTTP 2.1
• Edit httpd.conf
• Specify User and Group
• User webdav
• Group webdav
• Ensure that ldap_module is loaded before authnz_ldap_module in the LoadModule directives (this ordering is not in the default configuration file)
Subversion 1.2
• While a relatively recent version of Subversion ships with most Linux distributions, we will need to build against the Apache we just built.
• Download and build the latest source tarball.
• Important configure options
• --prefix=/opt/subversion/subversion-1.2.x
• --with-ssl
• --with-zlib
• --with-apr=/opt/httpd/.../apr-1-config
• --with-apr-util=/opt/httpd/.../apu-1-config
• --with-apxs=/opt/httpd/.../apxs
Creating the Repository
• Set up the repository and locks directories.
• mkdir /opt/subversion/repos
• mkdir /opt/subversion/locks
• Create the repository with proper permissions.
• svnadmin create /opt/subversion/repos/webdav
• chown -R webdav:webdav /opt/subversion/repos/webdav
Putting It All Together
• Apache Configuration

    <Location />
        DAV svn
        SVNPath /opt/subversion/repos/webdav
        SVNAutoversioning on
        DavGenericLockDB /opt/subversion/locks/davlock
        AuthBasicProvider ldap
        AuthLDAPUrl ldap://localhost:389/ou=People,dc=contegix,dc=com
        AuthzLDAPAuthoritative off
        AuthType basic
        AuthName "Contegix WebDAV"
        Require valid-user
    </Location>
• Startup Apache
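As an added example (not from the presentation), the following Python reads a <Location> block like the one above and flags the two transport gaps the "Other Concerns" slide acknowledges: Basic auth without SSLRequireSSL, so the LDAP password crosses the wire base64-encoded on every request, and an ldap:// AuthLDAPUrl without TLS, so the same password travels in the clear from httpd to slapd. It also notes Require valid-user, since the talk itself suggests restricting the share to a group. The hardened configuration embedded beside the demo one is a constructed sample that assumes mod_ssl is loaded with SSLEngine on for the virtual host, that slapd listens on 636 with TLS, and that a group cn=webdav,ou=Groups exists in the directory; the TLS/STARTTLS/SSL mode keyword recognised on AuthLDAPUrl is the one accepted by the 2.2-era mod_authnz_ldap.

```python
"""Audit an Apache <Location> block for the transport gaps the talk names.

Added example, not part of the original presentation. Checks AuthType,
AuthLDAPUrl, SSLRequireSSL and Require. Both configs are constructed
samples: the first is the demo block from the slide, the second a hardened
variant (assumes mod_ssl with SSLEngine on, slapd on 636 with TLS, and a
cn=webdav,ou=Groups group).
"""
import re
from typing import Dict, List

DEMO_CONFIG = """\
<Location />
    DAV svn
    SVNPath /opt/subversion/repos/webdav
    SVNAutoversioning on
    DavGenericLockDB /opt/subversion/locks/davlock
    AuthBasicProvider ldap
    AuthLDAPUrl ldap://localhost:389/ou=People,dc=contegix,dc=com
    AuthzLDAPAuthoritative off
    AuthType basic
    AuthName "Contegix WebDAV"
    Require valid-user
</Location>
"""

HARDENED_CONFIG = """\
<Location />
    DAV svn
    SVNPath /opt/subversion/repos/webdav
    SVNAutoversioning on
    DavGenericLockDB /opt/subversion/locks/davlock
    SSLRequireSSL
    AuthBasicProvider ldap
    AuthLDAPUrl ldaps://localhost:636/ou=People,dc=contegix,dc=com
    AuthzLDAPAuthoritative off
    AuthType basic
    AuthName "Contegix WebDAV"
    Require ldap-group cn=webdav,ou=Groups,dc=contegix,dc=com
</Location>
"""


def parse_location(config: str) -> Dict[str, List[str]]:
    """Collect the directives inside the first <Location ...> block.

    Directive names are lower-cased (Apache matches them case-insensitively);
    each maps to the list of argument strings seen for it.
    """
    m = re.search(r"<Location[^>]*>(.*?)</Location>", config, re.S | re.I)
    if not m:
        raise ValueError("no <Location> block found")
    directives: Dict[str, List[str]] = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip())
    return directives


def audit_location(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    d = parse_location(config)
    findings: List[str] = []
    # Basic auth only base64-encodes the password; without SSLRequireSSL the
    # block is reachable over plain HTTP and the credential is readable.
    if any(a.lower() == "basic" for a in d.get("authtype", [])) and "sslrequiressl" not in d:
        findings.append("AuthType basic without SSLRequireSSL: credentials cross the wire in the clear")
    # httpd binds to slapd with the user's password; ldap:// is unencrypted
    # unless a TLS/STARTTLS/SSL mode keyword follows the URL.
    for args in d.get("authldapurl", []):
        parts = args.split()
        url = parts[0]
        mode = parts[1].upper() if len(parts) > 1 else "NONE"
        if url.lower().startswith("ldap://") and mode not in ("TLS", "STARTTLS", "SSL"):
            findings.append(f"AuthLDAPUrl {url}: plaintext LDAP bind; use ldaps:// or a TLS mode")
    # valid-user admits every directory account; the talk suggests a group.
    if any(a.lower() == "valid-user" for a in d.get("require", [])):
        findings.append("Require valid-user: any LDAP account can reach the share; consider Require ldap-group")
    return findings


if __name__ == "__main__":
    for name, cfg in (("demo", DEMO_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_location(cfg) or ["no findings"])
```

Run stand-alone it reports three findings for the demo block and none for the hardened one; the auditor only reads the <Location> block, so the SSLEngine and certificate directives that SSLRequireSSL depends on still have to be present in the enclosing virtual host.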
Other Concerns
• SSL
• For the sake of simplicity of our demonstration, we did not enable HTTPS for the Apache WebDAV server, or TLS for the OpenLDAP server.
• Client compatibility
• At this time, WebDAV support is still rather inconsistent.
• Different clients have varying levels of support, and various quirks that should be considered at this time.
Other Concerns
• Limiting Access by Groups
• Can also configure Apache to require that users be members of a given group in order to access the WebDAV share
• Controlled access by Directory
• Subversion’s mod_dav_svn can be configured to restrict read and/or read/write access by directory within the WebDAV share.
• Unfortunately, this feature does not currently support LDAP groups.
Future
• Directory-level permissioning.
• Subversion developers intend to add support for having groups defined by external authentication mechanisms.
• DeltaV locking support built into Subversion
• Better compatibility between various DeltaV clients.
• Currently a true DeltaV client may or may not interoperate well with a mod_dav_svn server.
Q & A