This isn't terrible earth shaking but since I had to futz with this a little, I thought I would write it down.
Goal: We moved to a new subversion server, and while we were at it, wanted to stop using joke passwords in a file called passwd, start using our windows credentials, and also install trac, on a windows 2003 x64 server.
Ingredients:
First, we installed subversion and restored a backup of our repository...and waited...and waited.
The next day, we installed apache. We set apache to run on port 8080 and verified that it worked (http://localhost:8080) We then copied mod_authz_svn.so, mod_dav_svn.so, libdb44.dll, and mod_auth_sspi.so to the apache modules folder. We enabled these things:
LoadModule asis_module modules/mod_asis.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule auth_basic_module modules/mod_auth_basic.so
and at the end of the LoadModules section:
#LoadModule ssl_module dav_module modules/mod_ssldav.so
LoadModule status_module dav_svn_module modules/mod_statusdav_svn.so
#LoadModule substitute_module authz_svn_module modules/mod_substitutemod_authz_svn.so
finally, at the bottom of the file, we added
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
<Location /svn>
DAV svn
SVNPath E:\svn
</Location>
We verified that this worked then added the authorization bits to <Location /svn>:
AuthName "svn"
AuthzSVNAccessFile E:\svn\conf\authz
AuthType SSPI
SSPIAuth On
SSPIAuthoritative Off
SSPIDomain our.domain.name.com
SSPIOfferBasic On
SSPIOmitDomain On
SSPIUsernameCase lower
AuthType Basic
AuthUserFile E:\svn\conf\http-passwd
AuthBasicAuthoritative Off
Require valid-user
We needed both sspi authentication (for normal people) and basic (for our build user, a service running on another machine as local system. Side Note: I thought I'd be able to grant DOMAIN\MachineName$ read access and use mod_sspi to authenticate them, but couldn't get this to work - apparently the subversion client needs someone to actually type in the password of the account you are authenticating.)
Note that to use both forms of authentication, they have to be *Authoritative Off. The subversionary document I link to below has the setting name for AuthBasicAuthoritative as AuthAuthoritative. When in doubt, you can look up the correct settings at apache.org.
Note that mod_sspi has some nice options - SSPIOmitDomain and SSPIUsernameCase - to help keep us from running into problems when users type in different case versions of their logins or domains. Using these values, they just always use their lowercase user name.
Subversion will still use %REPOSITORYROOT%/conf/authz for determining what resources different users are allowed access to and the level of access. We defined some groups for our different scrum teams (using their lower case logins), then mapped those to different parts of the repository.
We verified this works, then got our builds working again off this new repository. Pretty uneventful. Mental Note: Remember to copy over old builds and ccserver state files when switching to new working copy on the build server, so you don't start over on version 1.0.0.0 with no history.
Next, it was time to install Trac. I didn't set up Python on the subversion server myself - Jeff Olson did, but I think it was pretty uneventful. Python 2.5. mod_python. There is some subversion stuff, which I think you need to install separately, but I think the trac documentation describes how to do this.
I had to grab the latest trac from their subversion repository. There is a utility (easy_install) to do this, but I saw svn co and I was there. Ran through the normal trac install steps. Didn't realize at first that trac wanted the path to the _physical_svn_ repository files. Eventually figured this out...but I didn't want one big trac site for the whole repository. No problem: you can append the path inside the repo. So, given svn repo physically at E:\svn, and I want trac to be looking at /trunk/MyProject, I just specify E:\svn\trunk\MyProject.
I tested my trac project with the stand-alone tracd. Worked.
Next I wanted it running under mod_python, to hopefully improve performance, and also using mod_sspi, to keep me out of the business of maintaing more passwd files. I added:
LoadModule unique_id_module python_module modules/mod_unique_idmod_python.so
To the modules section, then:
<Location /MyProjectName>
SetHandler mod_python
PythonDebug on
PythonInterpreter main_interpreter
PythonHandler trac.web.modpython_frontend
PythonOption TracEnv E:\trac\MyProjectName
PythonOption TracUriRoot /MyProjectName
AuthName "My Trac Project"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain our.domain.name.com
SSPIOfferBasic On
SSPIOmitDomain On
SSPIUsernameCase lower
Require valid-user
</Location>
To the bottom of the file, copying my mod_sspi settings from subversion above. I tested this out, and ran into a version conflict between the APR (apache runtime) libraries used by python's libsvn and the APR apache was using. I futzed around for a while trying to get this to work and just ended up installing the 2.2 APR -> Subversion 1.4.6 python bindings again and it worked. I guess I had installed APR 2.0 at some point and just forgotten.
Now all I have to do is decide whose and admin and setup other projects.
References: