LDAPS Integrated SVN with Ubuntu 10.04 LTS
And now for something completely different!
I'm a firm believer in the right tool for the job, and when I was recently placed in charge of a couple of development efforts I wanted to make sure the right tools were in place to do my job effectively. The first tool that I needed was a revision control system so that we could keep track of changes. It used to be that CVS was the common choice, but from my quick and dirty research it looked like SVN had taken the top spot (later, as it turns out, there are some pretty heated debates about this... some people will tell you git or mercurial).
Since SVN was going to be the system of choice, I decided to put it together on a Linux based virtual machine - mainly because I'm a Windows systems administrator by trade and I like to keep all of my skills sharpened. Some may say it is foolish - especially with such an important system - to run it on a platform that is unfamiliar. The beauty of subversion is that it runs on more than one platform (Windows, even) and you can migrate easily if needed.
The biggest requirement I had was integrating SVN with LDAP(S). I wanted to be able to control access, but through Active Directory and not through some sort of file on my SVN server. As it turns out, it wasn't too difficult to do, once I figured out how. Here are the commands in a nutshell (all of these commands are to be run as root; sudo or just being logged in as root doesn't matter):
Install subversion and apache2 with the SVN module:
apt-get install subversion
apt-get install apache2 libapache2-svn
Enable the Apache LDAP authentication module (the dav_svn module itself is enabled when the libapache2-svn package is installed):
a2enmod authnz_ldap
Since I use self-signed certs and I'm too lazy to install my SSL chain, I have to turn off Apache's certificate check (you may not want to do this). Add to the end of /etc/apache2/apache2.conf:
LDAPVerifyServerCert Off
After some troubleshooting, I found that you also need to set this in your /etc/ldap/ldap.conf file to avoid errors similar to "[warn] [client x.x.x.x] [636] auth_ldap authenticate: user foo authentication failed; URI /secret [ldap_search_ext_s() for user failed][Operations error]":
REFERRALS off
Now you need to add it to your apache2 configuration so that you can access it via http. You will need to edit this to suit your own needs; I hope it's relatively self-explanatory, and I've added comments (lines starting with #) where something needs changing. The block is wrapped in a Location matching the URL you will use (/svn here). Add this after your last </Directory> statement:
<Location /svn>
  DAV svn
  # Your SVN repository data
  SVNParentPath /data/svn
  SVNListParentPath on
  SVNAutoversioning On
  AuthType Basic
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthName "svn"
  AuthUserFile /dev/null
  # You want this pointed at your base DN. Also, some (even most) of you may not be
  # running LDAPS (SSL LDAP); you may need to change this to ldap://.
  AuthLDAPURL "ldaps://DOMAINCONTROLLER/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
  # Any user will do, since by default Windows allows any user to query Active Directory
  # for auth. I suggest making a separate user for just this.
  AuthLDAPBindDN "DOMAIN\User"
  AuthLDAPBindPassword Password
  AuthLDAPGroupAttributeIsDN on
  AuthLDAPGroupAttribute member
  # This is optional, but allows you to limit SVN access to a specific group.
  Require ldap-group cn=svn,ou=securitygroups,ou=IT,dc=domain,dc=com
</Location>
Once you're done, it's time to create the parent directory and your first repository:
mkdir -p /data/svn
svnadmin create /data/svn/firstrepository
Now you need to change the owner to www-data so apache2 can read and write it:
chown -R www-data /data/svn
chgrp -R www-data /data/svn
chmod -R g+rws /data/svn
And voila! You should be able to go to http://yourIPorHostname/svn and view your first repository!
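The two settings in the configuration above that deserve a second look before this goes into production are LDAPVerifyServerCert Off and the choice between ldap:// and ldaps://. As an added example (not part of the original post), here is a small Python checker that reads an Apache LDAP-auth block and flags the weak settings: certificate verification disabled, a plain ldap:// URL without an SSL/TLS mode argument, and a Require that admits any valid AD account instead of a group. The sample configurations are constructed for the example; DOMAINCONTROLLER, domain.com, the svcsvn bind account and the Password value are placeholders.

```python
"""Flag weak settings in an Apache mod_authnz_ldap <Location> block.

Added example; the two configurations below are constructed samples, not
a real server's config. Directive names are matched case-insensitively,
as Apache does.
"""

# Constructed sample: the shape of the post's block with the checks relaxed.
WEAK_CONFIG = """\
LDAPVerifyServerCert Off
<Location /svn>
  DAV svn
  SVNParentPath /data/svn
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "svn"
  AuthLDAPURL "ldap://DOMAINCONTROLLER/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN "svcsvn@domain.com"
  AuthLDAPBindPassword Password
  Require valid-user
</Location>
"""

# Constructed sample: same block with verification on, LDAPS, and a group restriction.
HARDENED_CONFIG = """\
LDAPVerifyServerCert On
<Location /svn>
  DAV svn
  SVNParentPath /data/svn
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "svn"
  AuthLDAPURL "ldaps://DOMAINCONTROLLER/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN "svcsvn@domain.com"
  AuthLDAPBindPassword Password
  AuthLDAPGroupAttributeIsDN on
  AuthLDAPGroupAttribute member
  Require ldap-group cn=svn,ou=securitygroups,ou=IT,dc=domain,dc=com
</Location>
"""

# AuthLDAPURL accepts an optional trailing mode: NONE, SSL, TLS or STARTTLS.
SECURE_URL_MODES = ("SSL", "TLS", "STARTTLS")


def check_ldap_auth(config_text):
    """Return a sorted list of finding codes for the given config text."""
    findings = []
    require_seen = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name, _, rest = line.partition(" ")
        name = name.lower()
        args = rest.strip().split()
        if name == "ldapverifyservercert" and args and args[0].lower() == "off":
            # Server cert is not checked: a forged LDAPS endpoint could capture
            # the bind password and every user's credentials.
            findings.append("cert-verify-off")
        elif name == "authldapurl" and args:
            url = args[0].strip('"')
            mode = args[1].upper() if len(args) > 1 else "NONE"
            if url.lower().startswith("ldap://") and mode not in SECURE_URL_MODES:
                # Simple binds over plain ldap:// send passwords in the clear.
                findings.append("ldap-plaintext")
        elif name == "require" and args:
            require_seen = True
            if args[0].lower() == "valid-user":
                # Every account in the directory can reach the repository.
                findings.append("require-valid-user")
    if not require_seen:
        findings.append("require-missing")
    return sorted(findings)


if __name__ == "__main__":
    print("weak:    ", check_ldap_auth(WEAK_CONFIG))
    print("hardened:", check_ldap_auth(HARDENED_CONFIG))
```

Rather than keeping LDAPVerifyServerCert Off, the cleaner fix for a self-signed or internal CA is to load that CA into Apache with LDAPTrustedGlobalCert (for example LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/your-ca.pem) and leave verification on.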
Sync Active Directory with Postini
About a year ago I had the opportunity to set up Postini for my organization as a part of my Exchange 2007 setup/migration.
I selected Postini as our anti-spam service, mainly because our users were already used to the interface. One of the biggest challenges during planning was how to keep Postini current with my organization's mailboxes. I could let Postini create an account when an email is received, but that sounded like a really bad idea. Thankfully, in my research I found out about an application that will sync AD to Postini: Google Apps Directory Sync for Email Security.
The tool isn't overly difficult to set up, but it does have a few quirks that I feel I should share - especially since Postini's paid support is awful. We paid $750 for support and when I needed help getting it working I was informed that they didn't support syncing and referred me to knowledge base articles. I managed to figure it out on my own (on time!) and I've had it working perfectly ever since. Below you can find some set up information that may help you. Please keep in mind that this setup works in my environment and may not work in yours.
Once you download the application (Google Apps Directory Sync for Email Security), you will need to create a "profile" that you will use to run the syncing application.
The first screen you will see is Authentication. This is where you input your administrator login for your Postini organization.
The second screen you will see is Orgs - you can select a specific organization to sync to (for instance, if you had multiple domains). I have it set to "All users in all orgs under your account," and it works perfectly with a 3 org nested setup like mine.
Exclusion filters: I don't use these, but they allow you to exempt accounts from being synchronized.
LDAP settings: This is where you input your Active Directory information. You can use either LDAP or LDAPS (SSL LDAP). If you opt to use LDAPS, don't forget to change the port to 636. Input a domain controller IP under Host Name, add in your base domain - for example: DC=subdomain,DC=domain,DC=com. Authentication is an account with read access to your AD - use the DOMAIN\user format.
For LDAP User Attributes, select MS Active Directory. The email address attribute is "mail." Alias Address Attributes are "proxyAddresses."
For user sync, and this is an important part: if you don't add a search string for users, it will also pull computer accounts. It won't add them, but it will put errors in your log report. I added my Org Name, SUBTREE, and the filter (sAMAccountType=805306368); this filters out everything but user accounts. You could add any kind of LDAP filter you wanted here.
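To see what that filter does, here is an added example (not part of the original post, and not the sync tool's own code) that evaluates simple RFC 4515-style LDAP filters, including &, | and !, against a constructed in-memory directory. The entries, account names and mail addresses are made up; the sAMAccountType values are the standard ones (805306368 normal user, 805306369 machine account, 805306370 trust account), which is why (sAMAccountType=805306368) leaves only real users.

```python
"""Evaluate simple LDAP search filters against in-memory entries.

Added example with a constructed sample directory. Supports equality,
presence (attr=*), and the &, | and ! operators; attribute names and
values are compared case-insensitively, as Active Directory does for
these attributes.
"""

# Constructed sample directory: two users, one workstation, one trust account.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "sAMAccountType": "805306368", "mail": "alice@domain.com"},
    {"sAMAccountName": "bob", "sAMAccountType": "805306368", "mail": "bob@domain.com"},
    {"sAMAccountName": "WORKSTATION01$", "sAMAccountType": "805306369"},
    {"sAMAccountName": "SUBDOMAIN$", "sAMAccountType": "805306370"},
]


def parse_filter(text):
    """Parse a filter string into a nested tuple tree."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    """Parse one parenthesised component starting at s[i]; return (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if s[i] in "&|":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! filter")
        return ("!", child), i + 1
    end = s.index(")", i)
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("unsupported filter item: %s" % s[i:end])
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """True if entry (dict with lower-cased attribute names) satisfies node."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        actual = entry.get(attr)
        if actual is None:
            return False  # attribute absent: presence and equality both fail
        return value == "*" or actual.lower() == value.lower()
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1], entry)
    raise ValueError("unknown operator %r" % op)


def search(entries, filter_text):
    """Return the sAMAccountName of every entry matching filter_text."""
    node = parse_filter(filter_text)
    results = []
    for entry in entries:
        lowered = {k.lower(): v for k, v in entry.items()}
        if matches(node, lowered):
            results.append(entry["sAMAccountName"])
    return results


if __name__ == "__main__":
    print("no filter:   ", search(SAMPLE_ENTRIES, "(sAMAccountName=*)"))
    print("users only:  ", search(SAMPLE_ENTRIES, "(sAMAccountType=805306368)"))
    print("users w/mail:", search(SAMPLE_ENTRIES, "(&(sAMAccountType=805306368)(mail=*))"))
```

The same generalization applies to the Apache AuthLDAPURL filter in the SVN post above: (objectClass=*) matches every object, so narrowing it (or restricting with Require ldap-group) is what keeps computer and service accounts out.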
Mailing Lists - I don't sync them. They are almost all internal only. Since you have to also make a change in Exchange 2007 to allow for non-authenticated users, I make exceptions for dist lists through the web interface for public facing mailing lists. This is up to you.
Notification - This will email you a report every time it runs that tells you if there were any errors, how many users were added/removed, etc. I recommend this.
Delete limit - I have left this at the default 5%; I can see the wisdom in this setting.
Log files - lets you set the file path/limit on the synchronization log. I left as is.
Now you should be done. Go ahead and run the sync simulation. At the bottom of the log in the Sync Log tab, you should see: Simulation completed successfully - good job! Go ahead and save the profile by going to the file menu to a location you will remember easily.
The sync tool will not run automatically on its own, so I set up a scheduled task that runs every day at midnight and calls a cmd script that contains the following:
sync-cmd -a -c emailsync.xml
WAIT
sync-cmd is located in your Postini sync tool location - most likely C:\Program Files\Google Apps Directory Sync for Email Security. The -a option commits the changes and the -c option specifies the configuration file you created above. Voila! Every midnight you should get an email letting you know what has changed.
Hope that helps!