building a versioning document repository

8/7/2019 Building a Versioning Document Repository

http://slidepdf.com/reader/full/building-a-versioning-document-repository 1/32

Building a VersioningDocument RepositoryUsing Apache HTTP Server, OpenLDAP, and Subversion

By: Craig A. McElroy



Who Am I?

• Co-founder of Metissian & Contegix

• Contegix is a colocation and managed hostingcompany specializing in Linux and Mac OS X

located in downtown St. Louis, MO.

• Maintainer of Subversion OS X Packages at http://www.metissian.com

• Early adopter of the Subversion version control

system

• Been using it since pre 1.0 release for sourcecontrol, document versioning, etc.



Document Repository

• A document repository is any central storage locationfor documents.

•Various storage and access mechanisms

• NFS

• Samba

• Simple Web Application

• WebDAV



WebDAV

• What is WebDAV?

• Briefly: WebDAV stands for “Web-basedDistributed Authoring and Versioning”

• Set of extensions to the HTTP protocol whichallow remote collaborative authoring of webresources.

• Defined in RFC 2518

• Visit http://www.webdav.org/ for more information.



WebDAV Servers

• Apache HTTP Server

• mod_dav - Base WebDAV support module whichrequires another module to define the storage

implementation.

• mod_dav_fs - WebDAV module provided by Apachewhich uses underlying filesystem for storage.

• Other mod_dav implementations exist (as we’ll see

in a bit)



WebDAV Servers

• Jakarta Slide

• http://jakarta.apache.org/slide/index.html

•Zope

• http://www.zope.org/

• .Mac

• Apple’s .Mac service is WebDAV based.

• A number of other Open Source and Commercialservers.



WebDAV Clients

• Nautilus 2

• Official file manager/browser for GNOME.

•http://www.gnome.org/projects/nautilus

• Linux davfs2

• A filesystem module for the Linux kernel based onCoda (http://coda.cs.cmu.edu/)

• http://dav.sourceforge.net/• Cadaver Command Line Client

• http://www.webdav.org/cadaver/



WebDAV Clients

• Mac OS X

• Apple’s OS X has an integrated WebDAV client.

•Prior to 10.4 did not support https.

• Win32 WebFolders

• Windows 98, 2000, and XP have an integratedWebDAV client known as “WebFolders”

• Not as integrated as Apple’s implementation.• WebDrive Commercial Windows Client

• http://www.southrivertech.com/



DeltaV Extensions

• Despite the “V” in WebDAV, there is no versioningmodel included in the WebDAV RFC.

•Because RFC 2518 left out versioning concepts,

another capable group was left with the responsibilityof writing RFC 3253, which adds versioning toWebDAV.

• WebDAV/DeltaV clients and servers are often called

just “DeltaV” clients and servers, since DeltaV impliesthe existence of basic WebDAV.



DeltaV

• The coolest feature of the DeltaV extensions isAutoversioning.

•Allows basic WebDAV clients that are not aware of

versioning to create new versions by simply doing aPUT operation.

• The server will translate that to the series of operations that will generate a new version of the

existing file.• In the event of a needed file restore, a system

administrator could simply pull an old version.



LDAP

• What is LDAP?

• Lightweight Directory Access Protocol

•Designed at the University of Michigan to adapt acomplex enterprise directory system (called X.500)to the modern internet.

• De-facto standard for user information storage,searching, and authentication.

• Many implementations of LDAP Servers

• Tremendous client support



LDAP Servers

• OpenLDAP - http://www.openldap.org/

• Open Source LDAP Server

•Novell eDirectory

• Red Hat Directory Server (Formerly NetscapeDirectory Server)

• Microsoft Active Directory

• Supports the LDAP interface, but has some quirks• Apache DS - Pure Java LDAP Server

• http://directory.apache.org/subprojects/apacheds/



LDAP Clients

• Nearly all E-Mail clients support LDAP Databasesearches

•Apache Authentication Modules

• Apache 2.0: mod_auth_ldap

• http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html

• Apache 2.1: mod_authnz_ldap

• http://httpd.apache.org/docs-2.1/mod/mod_authnz_ldap.html



Subversion

• http://subversion.tigris.org/

• Subversion is a version control system with aWebDAV/DeltaV server implementation for Apache

• mod_dav_svn Apache Module

• Subversion was designed to be a replacement for CVSin the version control realm

•Provides many added benefits because of it’sWebDAV/DeltaV capabilities



DeltaV in Subversion

• Currently, not all features of DeltaV are implementedin Subversion, but most of the core ones are.

•RFC 3253 is still relatively new, and Subversion

developers intend to improve support in futurereleases.

• But, what about Autoversioning?!?!?



Autoversioning

• Does autoversioning really work in Subversion?

• Well, sort of.

•At this time, Subversion still lacks support for theWebDAV LOCK and UNLOCK methods, so editinga file in place is not supported.

• Can still copy the file to local filesystem, edit it, andcopy it back.

• Come on? Is this really the best we can do?



mod_dav_lock

• Apache 2.1 (still in beta) has introduced a newmod_dav_lock module.

• http://httpd.apache.org/docs-2.1/mod/mod_dav_lock.html

• Provides a generic locking API which can be used byany backend provider of mod_dav (mod_dav_svn inour case)

• Uses a file based lock database to provide the locking

mechanism that would otherwise be missing fromSubversion’s DeltaV support.

• Creates the “illusion” that the lock was accepted.



Why These?

• This exact configuration was implemented for a client late 2004.

• Why WebDAV?

• Needed to support multiple platforms.

• Needed to be able to securely access data.

• Why LDAP?

• Client also wanted to consolidate user accounts between a

dozen servers, miscellaneous web applications (including

Bugzilla), etc.• The Document repository need the same accounts.

• Why Subversion?

• Subversion was already being used for version control

system for source code.



Configuration & Demo

• OpenLDAP

• http://www.openldap.org/

•phpLDAPadmin

• http://phpldapadmin.sourceforge.net/

• Apache HTTP Server 2.1 (Beta)

• http://httpd.apache.org/

• Subversion 1.2 (RC)• http://subversion.tigris.org/



OpenLDAP

• Included with any modern Linux distribution

• RHEL v.4 comes with OpenLDAP 2.2

•Edit /etc/openldap/slapd.conf

• Define suffix,rootdn, and rootpw

• suffix “dc=contegix,dc=com”

• rootdn “cn=Manager,dc=contegix,dc=com”

• rootpw {SSHA}................................

• Encrypted rootpw value can be generated using

slappasswd



OpenLDAP

• Start OpenLDAP Server

• Do a simple test using:

•ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

• If this works, we are ready to begin populating theLDAP database.

• Option 1: Use .ldif files and ldapadd commands

•Option 2: Use a LDAP client utility

• phpLDAPadmin



phpLDAPadmin

• Install to a location where it is accessible from awebserver.

• Edit the config.php file

• Define the values for host,base, and auth_type

• $servers[$i][‘host’] = ‘localhost’;

• $servers[$i][‘base’] = ‘dc=contegix,dc=com’;

• $servers[$i][‘auth_type’] = ‘session’

• An auth_type of session will prompt for alogin upon accessing the application.



Setup LDAP Objects

Using phpLDAPadmin• Create the Organization with dcObject andorganization objectClass

• o = Contegix LLC

• Manager organizationalRole

• cn=Manager,dc=contegix,dc=com

• People organizationalUnit

• ou=people• Users, users, users

• Use simpleSecurityObject for our example



Apache HTTP 2.1

• As Apache 2.1 is still Beta, it is most likely not includedwith any Linux distribution.

• Download and build the latest source tarball.

• Important configure options

• --prefix=/opt/httpd/httpd-2.1.x

• --with-ldap

• --enable-mods-shared=all

• --enable-dav-lock

• --enable-ldap

• --enable-authnz-ldap



Apache HTTP 2.1

• Edit httpd.conf

• Specify User and Group

• User webdav• Group webdav

• Ensure that the ldap_module is loaded before

authnz_ldap_module in the LoadModule

directives (is not in the default configuration file)



Subversion 1.2

• While a relatively recent version of Subversion ships withmost Linux distributions, we will need to build against theApache just built.

• Download and build the latest source tarball.• Important configure options

• --prefix=/opt/subversion/subversion-1.2.x

• --with-ssl

•--with-zlib

• --with-apr=/opt/httpd/.../apr-1-config

• --with-apr-util=/opt/httpd/.../apu-1-config

• --with-apxs=/opt/httpd/.../apxs



Creating the

Repository• Setup repository and locks directories.

• mkdir /opt/subversion/repos• mkdir /opt/subversion/locks

• Create the repository with proper permissions.• svnadmin create /opt/subversion/repos/webdav

• chown -R webdav:webdav /opt/subversion/repos/

webdav



Putting It All Together

• Apache Configuration<Location />

DAV svn

SVNPath /opt/subversion/repos/webdav

SVNAutoversioning on

DavGenericLockDB /opt/subversion/locks/davlock

AuthBasicProvider ldap

AuthLDAPUrl ldap://localhost:389/ou=People,dc=contegix,dc=com

AuthzLDAPAuthoritative off

AuthType basic

AuthName "Contegix WebDAV"Require valid-user

</Location>

• Startup Apache



Other Concerns

• SSL

• For the sake of simplicity of our demonstration, wedid not enable HTTPS for the Apache WebDAV

server, or TLS for the OpenLDAP server.

• Client compatibility

• At this time, WebDAV support is still ratherinconsistent.

• Different clients have varying levels of support, andvarious quirks that should be considered that thistime.



Other Concerns

• Limiting Access by Groups

• Can also configure Apache to require that users bemembers of a given group in order to access

WebDAV share

• Controlled access by Directory

• Subversion’s mod_dav_svn can be configured torestrict read and/or read/write access by directory

within the WebDAV share.

• Unfortunately, this feature does not currentlysupport LDAP groups.



Future

• Directory level permissioning.

• Subversion developers intend to add support forhaving groups defined by external authentication

mechanisms.

• DeltaV locking support built into Subversion

• Better compatibility between various DeltaV clients.

•Currently a true DeltaV client may or may not

interoperate well with a mod_dav_svn server.



Q & A

building a versioning document repository

Documents