Difference between revisions of "NDPFSubVersion"
Line 42: | Line 42: | ||
/project/srv/svn/repos/ | /project/srv/svn/repos/ | ||
− | and this is also the | + | and this is also the locations where the '''<Location /repos/repo-name>''' for the web server configuration are pointing to. Once you have added a new repository, you ''must'' update the web configuration as well in |
− | / | + | /etc/httpd/conf.d/subversion.conf |
− | and give more than zero people read/write access to the (root of the) new repository. The usernames are derived automatically from the uid attribute of the LDAP directory on hooimijt. | + | replicate the stanza for the repository Location directive, and point the authZ file to the |
+ | proper one within the repository (''repo-name/conf/authz-db''), | ||
+ | and then give more than zero people read/write access to the (root of the) new repository. The usernames are derived automatically from the uid attribute of the LDAP directory on hooimijt. | ||
== System login and adding users == | == System login and adding users == |
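Review bot: the steps added on the + side (update /etc/httpd/conf.d/subversion.conf, replicate the Location stanza, point the authZ file at repo-name/conf/authz-db) do not say how the edited configuration takes effect; add a sentence stating whether the web server has to be reloaded afterwards. In the same added text, "the locations where the <Location /repos/repo-name> ... are pointing to" mixes singular and plural and would read better as "the location that the <Location /repos/repo-name> directives ... point to".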
Revision as of 22:30, 26 March 2008
NDPF Subversion Repository
The NDPF subversion WebDAV and ssh+svn service is hosted on ndpfsvn.nikhef.nl:
https://ndpfsvn.nikhef.nl/repos/repository-name
svn+ssh://svn@ndpfsvn.nikhef.nl/repos/repository-name
where repository-name should be replaced with the real name, e.g. ndpf:
https://ndpfsvn.nikhef.nl/repos/ndpf
is a real and working repository (although with a rather strict access list). The user name for svn+ssh access is always (yes, always!) svn!
ndpfsvn.nikhef.nl is currently an alias for sikkel.nikhef.nl: the system runs an Apache SVN WebDAV instance hosted on a CentOS 5.1 x86_64 box.
IMPORTANT: you must set the following in your ~/.subversion/config file before using the SVN service:
[auth]
store-auth-creds = no
as otherwise your farm username/password will be stored in plain text on the file system!
User authentication and authorization
The user login is the same as the one used for unix login on the NDPF systems (i.e. it uses the very same LDAP directory for authentication). It's that easy.
In order to be successfully authorized to access the repository at all, the DN of this user must be listed in the LDAP group
cn=nDPFSubVersionUsers,ou=DirectoryGroups,dc=farmnet,dc=nikhef,dc=nl
If you are not there, you cannot get in, regardless of your login-capability on bosui &c.
Of course, the Apache "/repos/" location also uses compulsory SSL basic authentication, again using the username/password combination from the NDPF LDAP directory on hooimijt.
To use the svn+ssh service, you must register your ssh rsa/dsa key with the svn ssh service. The username will always be "svn", but your true identity will be determined based on the ssh key you use.
Creating a new repository
All repositories are located under
/project/srv/svn/repos/
and this is also the location that the <Location /repos/repo-name> directives in the web server configuration point to. Once you have added a new repository, you must also update the web configuration in
/etc/httpd/conf.d/subversion.conf
replicate the stanza for the repository Location directive, and point the authZ file to the proper one within the repository (repo-name/conf/authz-db), and then give more than zero people read/write access to the (root of the) new repository. The usernames are derived automatically from the uid attribute of the LDAP directory on hooimijt.
System login and adding users
The host itself is a standard grid service box, meaning you need to log in using ssh key authentication and forwarding as yourself (only davidg or ronalds can do that at the moment), and then use a further ssh root@localhost. For the console login password, see the usual safebox for the sealed envelope.
Note that you need the system root login in order to create new repositories, or to edit the access.conf file, or add new users to the svn+ssh service.
To add a new svn+ssh user to the system, get the ssh public key and add a line to the file /project/srv/svn/home/.ssh/authorized_keys like this:
command="svnserve -t -r /project/srv/svn --tunnel-user=davidg",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa XXXXXX comment
where the most important thing to get right is the tunnel-user name. This must match the uid in the LDAP directory for that user, or there will be a mismatch between WebDAV and svn+ssh.
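A check for the authorized_keys entries described above, as an added example that is not part of the original page: it verifies that every key is pinned to the svnserve forced command with all four restrictions and that --tunnel-user names a known uid. The function names and the ldap_uids set (supplied by the caller) are assumptions, and the sample lines are constructed.

```python
import re
import shlex

SVN_ROOT = "/project/srv/svn"  # the -r argument shown on this page
REQUIRED = {"no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding", "no-pty"}
# Assumptions: only the rsa/dsa key types the page names, no escaped quotes in options.
ENTRY = re.compile(r'^((?:"[^"]*"|[^\s"])+)\s+ssh-(?:rsa|dss)\s+\S+')
OPTION = re.compile(r'(?:"[^"]*"|[^,"])+')  # comma-separated, commas in quotes kept

# Constructed sample; XXXXXX stands in for key material, as on the page.
_CMD = 'command="svnserve -t -r /project/srv/svn --tunnel-user=%s"'
SAMPLE = "\n".join([
    _CMD % "davidg" + ",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa XXXXXX davidg",
    _CMD % "ronalds" + ",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa XXXXXX ronalds",
    "ssh-rsa XXXXXX someone",
])

def audit_entry(line, ldap_uids):
    """Return the list of problems found in one authorized_keys line."""
    if line.split()[0] in ("ssh-rsa", "ssh-dss"):
        return ["no options: key is not tied to svnserve or to a tunnel-user"]
    m = ENTRY.match(line)
    if not m:
        return ["unparseable entry"]
    opts = OPTION.findall(m.group(1))
    problems = ["missing option " + o for o in sorted(REQUIRED - set(opts))]
    cmds = [o[len("command="):].strip('"') for o in opts if o.startswith("command=")]
    if len(cmds) != 1:
        return problems + ["expected exactly one command= option"]
    argv = shlex.split(cmds[0])
    if argv[:2] != ["svnserve", "-t"]:
        problems.append("forced command is not 'svnserve -t'")
    if "-r" not in argv or argv[argv.index("-r") + 1:][:1] != [SVN_ROOT]:
        problems.append("svnserve is not rooted at " + SVN_ROOT)
    users = [a.split("=", 1)[1] for a in argv if a.startswith("--tunnel-user=")]
    if len(users) != 1:
        problems.append("expected exactly one --tunnel-user")
    elif users[0] not in ldap_uids:
        problems.append("tunnel-user %r is not an LDAP uid" % users[0])
    return problems

def audit_file(text, ldap_uids):
    """Map line number -> problems for each non-blank, non-comment line."""
    lines = [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1)]
    report = {n: audit_entry(l, ldap_uids) for n, l in lines if l and not l.startswith("#")}
    return {n: p for n, p in report.items() if p}
```

Calling audit_file on the contents of /project/srv/svn/home/.ssh/authorized_keys with the set of LDAP uids returns an empty dict when every entry is well formed.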
CVS access
Note that there is still CVS access available as well on :ssh:username@ndpfcvs.nikhef.nl:/cvs/reponame. Authentication is with ssh only, and you must set
CVS_RSH=ssh
export CVS_RSH
before you'll be able to use it. Web browsing is available for a few repositories via:
https://beerput.nikhef.nl/cgi-bin/cvsweb.cgi
where you can authenticate with your grid certificate. Were you to use https://ndpfcvs.nikhef.nl/cgi-bin/cvsweb.cgi, it would complain about a certificate mismatch, as the certificate used to protect the site pre-dates the introduction of the generic name.