Only working for ParentPath?

[hieroglyph]

Hello,

I have several repository groups on my (windows 2k3) server, each
served using a separate <Location> directive (all using SVNParentPath
to different "roots") and using "svnindex.xsl" from TortoiseSVN.

To try ReposStyle, I unpacked to my doc root as required, then changed
the SVNIndexXSLT for one <Location> (and I did restart apache too).
When I navigate to the root (parent path), I get ReposStyle but as
soon as I click into any of the repositories I revert to the tortoise
svnindex display...

Can anyone help me understand why this is happening & fix it?

~ many thanks ~ hieroglyph

[David Gee]

Could you post your apache config to assist with debugging please?

--
You received this message because you are subscribed to the Google Groups "ReposStyle" group.
To post to this group, send email to repos...@googlegroups.com.
To unsubscribe from this group, send email to reposstyle+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/reposstyle?hl=en.

[hieroglyph]

Hello David,

> > On Thu, Mar 4, 2010 at 8:52 AM, hieroglyph
> > <py.hie...@googlemail.com> wrote:
> >
> > Hello,
> >
> > I have several repository groups on my (windows 2k3) server, each
> > served using a separate <Location> directive (all using SVNParentPath
> > to different "roots") and using "svnindex.xsl" from TortoiseSVN.
> >
> > To try ReposStyle, I unpacked to my doc root as required, then changed
> > the SVNIndexXSLT for one <Location> (and I did restart apache too).
> > When I navigate to the root (parent path), I get ReposStyle but as
> > soon as I click into any of the repositories I revert to the tortoise
> > svnindex display...
> >
> > Can anyone help me understand why this is happening & fix it?
> >
> > ~ many thanks ~ hieroglyph
>

> On Behalf Of David Gee

>
> Could you post your apache config to assist with debugging please?
>

Yes, sorry. I do not have access again until Monday but it is approx 4 lots
of:

<Location /svn/dept1>
DAV svn
SVNListParentPath on
SVNParentPath d:\svn\dept1
SVNIndexXSLT "/repos-web/view/repos.xsl"
AuthzSVNAccessFile <svnaccessfile>
Require valid-user
</Location>

...pretty much standard config with a different value for dept1 each time.
The whole are in an https:// virtual host and the parent is set to map all
http: requests to https. I don't think there is anything special which is
why I did not think to post it before. What else can I tell you that might
help?

And it does work, but only for the parent path...

I think there must be some caching issues on the network as I tried earlier
today by specifying reposstyle for all four parentpaths and moving the
tortoise xsl out of the apache-accessible doc tree (as specified by
documentroot), then restarting apache (on the server) and my client browser
(on my desktop). And I still get reposstyle for the parentpath and then the
tortoise version "below" that. Weird.

I'll check Monday if the setup is different from the above.

Many thanks,

~ hieroglyph

[David Gee]

Hmm. Well my setup is almost the same as yours (Apache 2.2 on Win 2k3) only without the https. I do have a couple of caching-related headers set (see my config, below). I dont have SVNListParentPath enabled, but that shouldn't make any difference. I also have the SVN and DAV options specified just once at the top-level <Location> and then just use the sub <Location> entries to control who gets access to each repository, but again, that shouldn't make any difference. What version of Subversion and Apache are you running?

 <Location /repos>

    DAV svn

    SVNParentPath "C:/Subversion/repos"

    SVNPathAuthz off

    AuthType Basic

    AuthBasicProvider ldap

    AuthLDAPBindDN <user>

    AuthLDAPBindPassword <password>

    AuthLDAPURL ldap://<ldapurl>?sAMAccountName?sub?(objectClass=*)

    AuthzLDAPAuthoritative off

    AuthName "Subversion Server"

    AuthLDAPGroupAttributeIsDN on

    

    Header set Cache-Control no-cache

    Header merge Cache-Control no-store

  </Location>

  

  <Location /repos/repo1>

    SVNIndexXSLT "/repos-web/view/repos.xsl"

    <Limit OPTIONS PROPFIND GET REPORT>

      Require ldap-group abc

    </Limit>

    <LimitExcept OPTIONS PROPFIND GET REPORT>

      Require ldap-group def

    </LimitExcept>

  </Location>

Many thanks,

~ hieroglyph

[hieroglyph]

Hi David,

thanks for your help so far (see in-line)...

> > > > I have several repository groups on my (windows 2k3) server, each
> > > > served using a separate <Location> directive (all using SVNParentPath
> > > > to different "roots") and using "svnindex.xsl" from TortoiseSVN.
>
> > > > To try ReposStyle, I unpacked to my doc root as required, then changed
> > > > the SVNIndexXSLT for one <Location> (and I did restart apache too).
> > > > When I navigate to the root (parent path), I get ReposStyle but as
> > > > soon as I click into any of the repositories I revert to the tortoise
> > > > svnindex display...
>

> > > On Behalf Of David Gee
>
> > > Could you post your apache config to assist with debugging please?
>

> > ...pretty much standard config with a different value for dept1 each time.
> > The whole are in an https:// virtual host and the parent is set to map all
> > http: requests to https. I don't think there is anything special which is
> > why I did not think to post it before. What else can I tell you that might
> > help?
>
> > And it does work, but only for the parent path...
>
> > I think there must be some caching issues on the network as I tried earlier
> > today by specifying reposstyle for all four parentpaths and moving the
> > tortoise xsl out of the apache-accessible doc tree (as specified by
> > documentroot), then restarting apache (on the server) and my client browser
> > (on my desktop). And I still get reposstyle for the parentpath and then
> > the tortoise version "below" that. Weird.
>
> > I'll check Monday if the setup is different from the above.
>

I now have access to my config files again and can tell you I have the
following:

1) a top-level location to enforce authentication against active
directory:

<Location />
Order allow,deny
Allow from all
Require valid-user

AuthType SSPI
AuthName "Applications server"
SSPIAuth On
SSPIAuthoritative On
SSPIDomain a_domain
SSPIOmitDomain On
SSPIOfferSSPI Off
SSPIOfferBasic On
SSPIBasicPreferred On
</Location>

2) separate locations for each repository parent directory:

<Location /svn/department_a/>
DAV svn
#SVNIndexXSLT "/subversion/svnindex.xsl"
SVNIndexXSLT "/repos-web/view/repos.xsl"
SVNParentPath D:/svn/department_a/
SVNListParentPath On
AuthzSVNAccessFile path_to_svn-users.txt
</Location>
...repeat for department_b..department_d (currently 4 groups). I did
try to do a LocationMatch but it does not seem allow to re-use the
"department_n" string matches from the match regex into e.g. the
enclosed SVNParentPath directive (then I could condense the 4 sections
into one and auto handle future department additions.

All of the repository-parent directores display the list of projects
OK. Trying to click into a repository usually (but not always) gives
errors, most often (IE8 client):

<!--- start quote
The XML page cannot be displayed
Cannot view XML input using XSL style sheet. Please correct the error
and then click the Refresh button, or try again later.

--------------------------------------------------------------------------------

The stylesheet does not contain a document element. The stylesheet may
be empty, or it may not be a well-formed XML documen...
<!--- end quote

(off-topic but...) I did try to get LDAP working against our AD forest
but fell over when even my local IT folks could not tell me what
arcane cantation represented my own login ID to query the tree... Can
you point me to a good LDAP primer and a way to find out what my own
user ID is in "LDAP"?

Many Thanks

[Staffan]

To troubleshoot caching my advice is to use a tool like curl to check
response headers (run "curl -I [url]"), or LiveHTTPHeaders addon in
Firefox. Then you can see if the headers of /repos-web/view/repos.xsl
are sent as you expect. "Cache-Control no-cache" should be safe but
might cause flickering when browsing since the stylesheet needs to be
refreshed all the time.

Regarding AD integration: in my experience there's always a bit of
trial and error before it works. Search the net for different
solutions and try until it works. This is because AD config differs
between IT departments. Subversion configuration does not affect AD
integration in Apache, so you may also find answers in the Apache
httpd users mailing list.

/Staffan

[David Gee]

Regarding LDAP integration with AD, sure. As far as I can tell, there are two ways to authenticate against AD LDAP: user.name@domain.name.com, or the fully qualified LDAP distinguished name (DN) i.e. CN=Full Name,OU=My Company,DC=domain,DC=name,DC=com), which is a right mouthful. That's the format a "proper" LDAP server would normally expect you to log in with, it seems Microsoft have taken the liberty of allowing user.name@domain.name.com too.

To simplify things for users, I use a service account I created in AD with AuthLDAPBindDN (e.g. subvers...@domain.name.com) and AUthLDAPBindPassword. When a user authenticates, it connects using this username and password to search for the user and retrieve the user's DN - that way the user can just authenticate with their base username (user.name) without having to bother with the @domain.name.com (and there's no way you'd get users to authenticate with a DN!).

Then once it has the DN, it does a second bind to LDAP using the user's DN and password to (a) authenticate the user, and (b) check any other stuff you have specified, like Require ldap-group. Unfortunately for that, there's no getting round using the DN, so you have to go look it up using an LDAP browsing tool.

If you only have one domain in your AD forest, you're fine doing a regular LDAP bind (against port 389). If you have more than one domain in your forest, you will need to bind against the AD global catalog instead, which is basically a distributed database of everything in the forest, with only certain attributes recorded. There's more on GCs here: http://technet.microsoft.com/en-us/library/cc728188(WS.10).aspx. The global catalog listens to LDAP on port 3268, that's what I use and it's been working fine.

Hope that helps. Let me know if you have any more questions and I'll do my best to answer them.

Regards,

David

--

[David Gee]

I think I might have just spotted your other problem too. It looks like you are using SVNParentPath to point to a specific repository (please correct me if I'm wrong, that's just what it looks like from the path names you've given below). Assuming that D:\svn\department_a is a single repository, you actually want to use SVNPath.

On Mon, Mar 8, 2010 at 3:34 AM, hieroglyph <py.hie...@googlemail.com> wrote:

--

[hieroglyph]

Hi David /Staffan

> I think I might have just spotted your other problem too. It
> looks like you are using SVNParentPath to point to a specific
> repository (please correct me if I'm wrong, that's just what
> it looks like from the path names you've given below).
> Assuming that D:\svn\department_a is a single repository, you
> actually want to use SVNPath.
>

Each department has a collection of repositories and as virtually no-
one works outside their department's projects we decided to avoid
clutter and not show unrelated projects. So those are parent paths.

The config works OK with the (much simpler) TortoiseSVN svnindex xsl/
css sheets so I do not understand what's going on.

> To troubleshoot caching my advice is to use a tool like curl
> to check response headers (run "curl -I [url]"), or
> LiveHTTPHeaders addon in Firefox. Then you can see if the
> headers of /repos-web/view/repos.xsl are sent as you expect.
> "Cache-Control no-cache" should be safe but might cause
> flickering when browsing since the stylesheet needs to be
> refreshed all the time.

Unfortunately I am required to run IE6 (actually a pre-release of IE8
but don't tell anyone) so FireFox is not possible. I will check out
curl but that looks suspiciously *nix and I'm not allowed to install
cygwin either *sigh*.

I just tested by creating a new <Location> and copying a few smaller
repos in there and specifying ReposStyle and it is working fine. I
think it must be a cacheing issue, I might just swap over and wait to
see if it sorts itself out (thankfully only a few users so far!)

I appreciate your comments on AD too, many thanks. We are part of a
multi-domain forest so the global catalog info is useful, thanks, and
the username stuff too. At the moment SSPI is working for the windoze
server but is limited and crrently without any ongoing development/
support (I cannot even find a good resource for the various options

Apologies if this all turns out to be network cacheing...

~ hieroglyph

[Staffan]

On Tue, Mar 9, 2010 at 9:30 AM, hieroglyph <py.hie...@googlemail.com> wrote:
...

>
>> To troubleshoot caching my advice is to use a tool like curl
>> to check response headers (run "curl -I [url]"), or
>> LiveHTTPHeaders addon in Firefox. Then you can see if the
>> headers of /repos-web/view/repos.xsl are sent as you expect.
>> "Cache-Control no-cache" should be safe but might cause
>> flickering when browsing since the stylesheet needs to be
>> refreshed all the time.
>
> Unfortunately I am required to run IE6 (actually a pre-release of IE8
> but don't tell anyone) so FireFox is not possible.  I will check out
> curl but that looks suspiciously *nix and I'm not allowed to install
> cygwin either *sigh*.
>

Just download the win32 binaries
(http://curl.haxx.se/download/curl-7.19.5-win32-ssl.zip), extract
curl.exe to a folder and run command line from there.

/Staffan