I have the SVN server running under Apache over HTTPS.
Here's my server-side config, "/etc/httpd/conf.d/subversion.conf":
<Location />
SSLRequireSSL
SSLCACertificatePath /etc/pki/CA
SSLCACertificateFile /etc/pki/CA/cacert.pem
SSLVerifyClient optional
SSLUserName SSL_CLIENT_S_DN_CN
SetOutputFilter DEFLATE
Satisfy Any
AuthBasicProvider file ldap
AuthzLDAPAuthoritative off
AuthType Basic
AuthName "SVN users enter password"
AuthLDAPURL ldap://ldap.example.com:389/ou=employees,ou=people,o=example.com
AuthGroupFile /var/www/auth/group
AuthUserFile /var/www/auth/passwd
Require valid-user
</Location>
This config accepts PKCS12 certificate auth when checking out over HTTPS.
And it accepts LDAP authentication when checking out over HTTP.
My issue now is: how do I make Apache accept LDAP authentication if no client certificate (PKCS12) is provided when checking out over HTTPS?
Instead of configuring SSL certs for Location /, I configured SSL cert auth for the Location /cert subfolder. Location / is configured with LDAP.
My subversion.conf now looks like:
<Location />
AuthBasicProvider file ldap
AuthzLDAPAuthoritative off
AuthType Basic
AuthName "SVN users enter password"
AuthLDAPURL ldap://ldap.example.com:389/ou=employees,ou=people,o=example.com
AuthGroupFile /var/www/auth/group
AuthUserFile /var/www/auth/passwd
Require valid-user
</Location>
<Location /svn>
AuthBasicProvider file ldap
AuthzLDAPAuthoritative off
AuthType Basic
AuthName "SVN users enter password"
AuthLDAPURL ldap://ldap.example.com:389/ou=employees,ou=people,o=example.com
AuthGroupFile /var/www/auth/group
AuthUserFile /var/www/auth/passwd
Require valid-user
</Location>
<Location /cert>
DAV svn
SVNParentPath /var/www/html/svn/repos
AuthzSVNAccessfile /var/www/html/svn/authz
SSLRequireSSL
SSLCACertificatePath /etc/httpd/conf/keys/
SSLCACertificateFile /etc/httpd/conf/keys/stacked-pem.cer
SSLVerifyClient optional_no_ca
SSLUserName SSL_CLIENT_S_DN_CN
SetOutputFilter DEFLATE
Satisfy Any
</Location>
Now the failover to LDAP is happening :)
The key is Satisfy Any.
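
Added example, not part of the original post: a small Python check for the two directive combinations in the configs above that the mod_ssl documentation singles out. With SSLVerifyClient optional_no_ca the presented certificate need not verify against any CA, so a username taken from it via SSLUserName is not authenticated; and under Satisfy Any a denial from SSLRequireSSL can be overridden unless SSLOptions +StrictRequire is set. The function names and finding labels are hypothetical, and each Location block is checked on its own.

```python
import re

# Constructed sample: the /cert block from the post above, reduced to the
# directives the checks look at.
SAMPLE = """\
<Location /cert>
SSLRequireSSL
SSLVerifyClient optional_no_ca
SSLUserName SSL_CLIENT_S_DN_CN
Satisfy Any
</Location>
"""

def parse_locations(text):
    """Return {path: {directive_lowercase: [argument strings]}} per <Location>."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(.+?)>$", line, re.I)
        if m:
            current = blocks.setdefault(m.group(1).strip('"'), {})
        elif re.match(r"</Location>", line, re.I):
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            args = parts[1] if len(parts) > 1 else ""
            current.setdefault(parts[0].lower(), []).append(args)
    return blocks

def audit(text):
    """Return sorted (path, finding) tuples. Settings merged in from other
    Location blocks are not modelled (assumption of this example)."""
    findings = []
    for path, d in parse_locations(text).items():
        verify = [a.lower() for a in d.get("sslverifyclient", [])]
        # Username derived from a certificate that was never chain-verified.
        if "optional_no_ca" in verify and "sslusername" in d:
            findings.append((path, "unverified-cert-username"))
        satisfy_any = any(a.lower() == "any" for a in d.get("satisfy", []))
        strict = any("+strictrequire" in a.lower() for a in d.get("ssloptions", []))
        # Satisfy Any lets passing auth override the SSLRequireSSL denial.
        if "sslrequiressl" in d and satisfy_any and not strict:
            findings.append((path, "sslrequiressl-overridable"))
    return sorted(findings)

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(path, finding)
```

The second finding matches the behaviour reported for the first config in the post, where LDAP authentication was accepted over plain HTTP despite SSLRequireSSL.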