NDPFSubVersion

From PDP/Grid Wiki

Browsing

To browse the repository using the web, go to

https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/ 

and similar URLs for each public repository. The NDPF system configuration repository is not browsable.

NDPF Subversion Repository

The NDPF Subversion WebDAV and svn+ssh service is hosted on ndpfsvn.nikhef.nl:

https://ndpfsvn.nikhef.nl/repos/repository-name
svn+ssh://svn@ndpfsvn.nikhef.nl/repos/repository-name

where repository-name should be replaced with the real name, e.g. ndpf:

https://ndpfsvn.nikhef.nl/repos/ndpf

is a real and working repository (although with a rather strict access list). The user name for svn+ssh access is always (yes, always!) svn!

ndpfsvn.nikhef.nl is currently an alias for sikkel.nikhef.nl: the system runs an Apache SVN WebDAV instance hosted on a CentOS 5.1 x86_64 box.

IMPORTANT: you must set the following in your ~/.subversion/config file before using the SVN service:

[auth]
store-auth-creds = no

as otherwise your farm username/password will be stored in plain text on the file system!

User authentication and authorization

The user login is the same as the one used for unix login on the NDPF systems (i.e. it uses the very same LDAP directory for authentication). It's that easy.

In order to be successfully authorized to access the repository at all, the DN of this user must be listed in the LDAP group

cn=nDPFSubVersionUsers,ou=DirectoryGroups,dc=farmnet,dc=nikhef,dc=nl

If you are not there, you cannot get in, regardless of your login-capability on bosui &c.

Of course, the Apache "/repos/" location also uses compulsory SSL basic authentication, again using the username/password combination from the NDPF LDAP directory on hooimijt.

To use the svn+ssh service, you must register your ssh rsa/dsa key with the svn ssh service. The username will always be "svn", but your true identity will be determined based on the ssh key you use.

Creating a new repository

All repositories are located under

/project/srv/svn/repos/

and this is also the location that the <Location /repos/repo-name> entries in the web server configuration point to. Once you have added a new repository using

cd /project/srv/svn/repos/
svnadmin create repo-name
chown -R apache:apache repo-name

you must also update the web configuration in

/etc/httpd/conf.d/subversion.conf

to replicate the stanza for the repository Location directive, and point the authZ file to the proper one within the repository (repo-name/conf/authz), and then give more than zero people read/write access to the (root of the) new repository. The usernames are derived automatically from the uid attribute of the LDAP directory on hooimijt.

System login and adding users

The host itself is a standard grid service box, meaning you need to log in as yourself using ssh key authentication and forwarding (only davidg or ronalds can do that at the moment), and then use a further ssh root@localhost. For the console login password, see the usual safebox for the sealed envelope.

Note that you need the system root login in order to create new repositories, or to edit the access.conf file, or add new users to the svn+ssh service.

To add a new svn+ssh user to the system, get the ssh public key and add a line to the file /project/srv/svn/home/.ssh/authorized_keys like this:

command="svnserve -t -r /project/srv/svn --tunnel-user=davidg",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa XXXXXX comment

where the most important thing to get right is the tunnel-user name. This must match the uid in the LDAP directory for that user, or there will be a mismatch between WebDAV and svn+ssh.
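
The following audit of that authorized_keys layout is an added example, not part of the original wiki page or of the NDPF tooling. It flags entries without the forced svnserve command, entries missing any of the four restriction options, and tunnel-user names that are not in a supplied list of known LDAP uids. The uid list argument, the sample entries and the uid "someone" are constructed for illustration, and the check assumes command="..." comes first on the line, as in the entry shown above.

```shell
# Audit an svn+ssh authorized_keys file in the layout shown on this page.
# Usage: audit_svn_keys FILE "uid1 uid2 ..."   (second argument: known LDAP uids)
PREFIX='svnserve -t -r /project/srv/svn --tunnel-user='
audit_svn_keys() {
    file=$1 uids=$2 n=0 rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        # Every key must be pinned to a forced command, or it gives a shell.
        case $line in
            'command="'*) ;;
            *) echo "line $n: no forced command"; rc=1; continue ;;
        esac
        cmd=${line#command=\"}; cmd=${cmd%%\"*}       # text inside the quotes
        rest=${line#command=\"*\"}; opts=${rest%% *}  # options after the command
        user=${cmd#"$PREFIX"}
        if [ "$user" = "$cmd" ]; then
            echo "line $n: forced command is not the expected svnserve call"; rc=1
        else
            case $user in
                ''|*[!A-Za-z0-9._-]*) echo "line $n: malformed tunnel-user"; rc=1 ;;
                *) case " $uids " in
                       *" $user "*) ;;
                       *) echo "line $n: tunnel-user '$user' is not a known uid"; rc=1 ;;
                   esac ;;
            esac
        fi
        for o in no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
            case ",$opts," in
                *",$o,"*) ;;
                *) echo "line $n: missing option $o"; rc=1 ;;
            esac
        done
    done < "$file"
    return $rc
}
# Constructed sample entries: keys are placeholders, "someone" is a made-up uid.
sample_keys() {
    cat <<'EOF'
command="svnserve -t -r /project/srv/svn --tunnel-user=davidg",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa XXXXXX davidg
command="svnserve -t -r /project/srv/svn --tunnel-user=someone",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa XXXXXX uid-mismatch
command="svnserve -t -r /project/srv/svn --tunnel-user=ronalds",no-port-forwarding,no-pty ssh-rsa XXXXXX weak-options
ssh-rsa XXXXXX unrestricted
EOF
}
demo=$(mktemp) && sample_keys > "$demo"
audit_svn_keys "$demo" "davidg ronalds" || true; rm -f "$demo"
```

On a real host the uid list would come from the LDAP directory; the function returns non-zero when it reports any finding, so it can gate a change to the file.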

CVS access

Note that there is still CVS access available as well on :ssh:username@ndpfcvs.nikhef.nl:/cvs/reponame. Authentication is with ssh only, and you must set

CVS_RSH=ssh
export CVS_RSH

before you'll be able to use it. Web browsing is available for a few repositories via:

https://beerput.nikhef.nl/cgi-bin/cvsweb.cgi

where you can authenticate with your grid certificate. Were you to use https://ndpfcvs.nikhef.nl/cgi-bin/cvsweb.cgi, it would complain about a certificate mismatch, as the certificate used to protect the site pre-dates the introduction of the generic name.