I have an Ubuntu server 11.04 on EC2 (I'm mentioning this, as it appears things have changed in this version from previous Ubuntu releases as regards LDAP configuration).

I want to configure it as a subversion server with trac, for private repositories (i.e. a user must have a username:password and privileges to view or commit to svn, and to view or make changes in trac).

Since I wanted to make sure it is secure, I first chose the svn+ssh option, meaning I have to create a Linux user for each person that needs access to svn. But I couldn't find a way to use the same users for trac - meaning I will have to manually create a user in trac for each user I create on the Linux machine, and this could lead to different passwords between svn and trac - in short: a mess.

So I decided to go and implement an openldap server, which will give the option to use ldap users for other features in the future.

The only guide I found which worked in configuring the openldap part, was this one ("The Guide").

However, when I got to the kerberos part - I got some questions I didn't know how to answer, and then I got errors, so no kerberos.

Some notes:

  • The server will eventually be something like svn.myserver.com. However, there's no dns record for it yet.

  • Taking the previous note in consideration, I used the svn.myserver.com name when configuring openldap as said in the guide above (I did not do the first two parts of the guide, so I had to run the sudo dpkg-reconfigure slapd command to reconfigure, and used dc=svn,dc=myserver,dc=com everywhere instead of dc=danbishop,dc=org or svn.myserver.com instead of danbishop.org).

  • In the kerberos part of the guide, when running the sudo apt-get install krb5-kdc krb5-admin-server command, I was asked the following:

    • The realm - I wrote SVN.MYSERVER.COM
    • Something about servers - I wrote localhost
    • Something about administrator server - I wrote localhost

    When the questions were over, and it continued to configure kerberos, there were some "File or directory not found" errors, and an "an error has occurred, see log" kind of message. However, I did not find any log file.

There might be a better way to do it, and there might be another solution to get what I want (unified user management for both svn, trac and such other future apps), but since the svn and bug tracking features are supposed to survive a long time, and not pose any difficulties, it is important for me to choose the right solution, and configure it the right way (There is more than one right way, I'm sure, but I don't want to choose a lousy way).

I would really appreciate help with this, as I've been messing around with this for a few days now, feeling like I'm wasting time.

  • So do you have some Kerberos and LDAP configs, without sensitive data of course, that you could show us? Again, as someone said, DNS is important, but also we need to know how your config looks to spot issues, yeah? – songei2f May 04 '11 at 12:06

2 Answers


One hint for Kerberos: You have to get your DNS right before you configure Kerberos or you can run into all sorts of trouble. So, create the relevant DNS entries first and don't continue before this is done.

That said, I don't really think that Kerberos is necessary in your case. It's still a notoriously complicated thing to get working right and I don't think the result will be worth the trouble. Primarily, it's useful for providing a single-sign-on solution, so if you get it right, you log into your (system) user account and 'magically' all kerberized services will work without a login.

So, if you configure your system to authenticate against LDAP via PAM and do the same for Trac, you should be fine.

  • Thanks. I saw that there's a way to use trac with PAM, but I didn't see (at first glance) a way to use subversion with it. Is it possible? Plus, do you know of a guide on how to configure ldap with pam? – Doron May 03 '11 at 16:14
  • I haven't done it with Ubuntu recently, but if I remember correctly, PAM should be configured automatically to use LDAP after you install the relevant packages (`sudo apt-get install libnss-ldapd libpam-ldapd`). Just follow Part 3 and 6 of the tutorial you listed and skip Part 4 and 5. When this is done, SSH is automatically working with LDAP as well, so SVN/SSH auth should also work. – Sven May 03 '11 at 19:21
  • For Trac, I would prefer to try the LDAP plugin described at http://trac-hacks.org/wiki/LdapPlugin before I configure Apache to authenticate against PAM, but if you search for Apache and PAM, you will likely find a lot of guides on how to set it up if the plugin doesn't work as expected. – Sven May 03 '11 at 19:22
  • @Doron This is Fedora specific, but [this](http://directory.fedoraproject.org/wiki/Howto:PAM#PAM_Configuration_for_LDAP_Client_Systems) should give you an idea of what you need to do with PAM to get LDAP functional. – songei2f May 04 '11 at 12:08
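
A pre-flight check for the DNS hint in the answer above, as an added example that is not part of the original answer or of any tool it mentions: it tests the forward and reverse lookups that MIT Kerberos uses by default to canonicalise host names. The function name `check_kdc_dns`, the fake resolvers and the sample zone (documentation-range addresses) are constructed for illustration.

```python
import ipaddress
import socket

def check_kdc_dns(fqdn, forward=None, reverse=None):
    """Return a list of DNS problems for a host that will run or use Kerberos."""
    # Default resolvers use the system resolver; tests can inject fakes.
    forward = forward or (lambda n: sorted({ai[4][0] for ai in socket.getaddrinfo(n, None)}))
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    name = fqdn.rstrip(".").lower()
    problems = []
    if "." not in name:
        problems.append(f"{fqdn}: not a fully qualified name")
    try:
        addrs = forward(fqdn)
    except OSError as exc:  # gaierror/herror are OSError subclasses
        return problems + [f"{fqdn}: no forward record ({exc})"]
    for addr in addrs:
        if ipaddress.ip_address(addr).is_loopback:
            problems.append(f"{fqdn} -> {addr}: loopback address, other hosts cannot reach it")
            continue
        try:
            ptr = reverse(addr).rstrip(".").lower()
        except OSError as exc:
            problems.append(f"{addr}: no reverse (PTR) record ({exc})")
            continue
        if ptr != name:
            problems.append(f"{addr}: PTR is {ptr}, expected {name}")
    return problems

# Constructed sample zone (documentation addresses) so the check runs offline.
FWD = {"svn.myserver.com": ["203.0.113.10"], "kdc.myserver.com": ["203.0.113.11"],
       "localhost": ["127.0.0.1"]}
PTR = {"203.0.113.10": "svn.myserver.com", "203.0.113.11": "host-11.provider.example"}

def fake_forward(name):
    if name not in FWD:
        raise socket.gaierror("Name or service not known")
    return FWD[name]

def fake_reverse(addr):
    if addr not in PTR:
        raise socket.herror("Unknown host")
    return PTR[addr]

if __name__ == "__main__":
    for host in ("svn.myserver.com", "kdc.myserver.com", "localhost", "trac.myserver.com"):
        print(host, check_kdc_dns(host, fake_forward, fake_reverse) or "OK")
```

Calling `check_kdc_dns("svn.myserver.com")` without the fake resolvers runs the same checks against the system resolver.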

I would use likewise-open to join the domain and configure Kerberos, and add this in dav_svn.conf:

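  <Location /svn>
    DAV svn
    SVNParentPath /srv/svn
    AuthzSVNAccessFile /etc/subversion/svn.conf
    SVNPathAuthz off
    Require valid-user
    AuthName "Domain Login"
    AuthType Kerberos
    # Negotiate (SPNEGO) is off, so clients are prompted for a username and password
    KrbMethodNegotiate off
    KrbSaveCredentials off
    # Off skips verifying the KDC's ticket against the local keytab
    KrbVerifyKDC off
  </Location>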

In svn.conf, add the users you want to have rights on the repos. Be aware: put the domain name in uppercase, as in user1@DOMAIN.LOCAL; Kerberos wants it like that.
