I was recently setting up a development environment with the intent of using Bugzilla and Subversion (via WebDAV).
I needed to create/maintain user accounts for these systems, which was easy enough in Bugzilla, since it has a user maintenance front end. Subversion uses Apache's authentication mechanism, which meant running "htpasswd" to create each user along with their password.
But I had some issues with this configuration:
- Ideally, I didn't want users to have to remember two passwords for Bugzilla and Subversion. But the problem is that users maintain their own password in Bugzilla via the web interface. Once they change it, Bugzilla and Subversion passwords are out of sync.
- If a user wanted to change their Subversion password they would have to tell it to me so I could change it via htpasswd. For liability reasons, I don't want to know the user's password. I want them to be able to change it on their own, but I also don't want to give them access to the htpasswd file.
A quick and easy solution was to configure Apache to use the Bugzilla user table (stored in MySQL) to authenticate users. This can be done using the Apache module "mod_auth_mysql".
Bugzilla stores user data in a table called "profiles". The user id is stored in a column called "login_name", and the password is stored in a column called "cryptpassword". The password is hashed using Perl's "crypt" function (which appears to create a UNIX hashed password). We don't need to worry about the hashing though; mod_auth_mysql will handle that for us.
The "profiles" table also has a column called "disabledtext". If this field is not empty, then the user has been disabled (so we probably don't want to allow them access to Subversion).
The first thing I had to do was get "mod_auth_mysql". I'm running Fedora Core 4, so I used "yum" to install the package:
> yum install mod_auth_mysql
This automatically created an "auth_mysql.conf" file for me in the /etc/httpd/conf.d/ directory. All this file does is load the module with the line:
LoadModule mysql_auth_module modules/mod_auth_mysql.so
Next, I had to reconfigure my Subversion entry in the httpd.conf file.
In my httpd.conf file I have an entry that looks like this:
#Subversion
<Location "/repos">
DAV svn
SVNParentPath /path/to/repo
AuthzSVNAccessFile /path/to/accessfile
AuthName "SVN Auth"
AuthType Basic
AuthMySQLUser bz_mysql_user
AuthMySQLPassword bz_mysql_password
AuthMySQLDB bugs
AuthMySQLUserTable profiles
AuthMySQLNameField login_name
AuthMySQLPasswordField cryptpassword
AuthMySQLUserCondition "disabledtext = ''"
require valid-user
</Location>
You would have to specify your own values for "bz_mysql_user" and "bz_mysql_password" based on the values you used when you configured Bugzilla.
And that's it. When your user tries to access the Subversion repository, they will be prompted for their Bugzilla user id (which is their email address, I don't like that so much) and password.
Warning: If you don't have a Subversion "Access File" in place, then all your Bugzilla users will have write access to the repository. You probably don't want that. I have an access file that denies access to all but a configured list of users (actually 2 lists: a read list and a read/write list). After I create a user in Bugzilla, I still have one extra step of adding that user's ID to the access file, assuming I want them to have access to Subversion.
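An access file of the kind described in the warning above, with a read list, a read/write list and everyone else denied. This is an added example, not the author's own file; the addresses, the repository name "project1" and the "/private" path are constructed placeholders.

```ini
# Constructed sample for AuthzSVNAccessFile. User names are Bugzilla
# login_name values, which are email addresses.

[groups]
readers = alice@example.com, bob@example.com
writers = carol@example.com

# Root of every repository under SVNParentPath: deny everyone first,
# then grant access only to the two lists.
[/]
* =
@readers = r
@writers = rw

# With SVNParentPath, a section can name one repository as repository:path.
# Here the read list is shut out of one directory; the read/write list
# keeps the rw access it inherits from the root rule.
[project1:/private]
@readers =
```

A Bugzilla account that appears in neither group can still authenticate, but gets no access to any path. The file has to be readable by the Apache process.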
Comments
I just spent hours trying to figure out why I couldn't get the integration working and I hope this will help someone. For the AuthzSVNAccessFile, make sure it is readable by your Apache process. I had copied one from another repository on the same server but the permissions got changed to root:root, 640. Apache couldn't read the file so it returned 403 FORBIDDEN errors when I tried to access the SVN repository through https.
I used this tip with Drupal CMS using the user and users_roles table like this link:
http://drupal.org/node/222201
But I had some problems installing auth_mysql in apache 2.2 and Debian 8.04; however I solved it by compiling the source code!!
After following all the above steps, if you are not able to access the repos as/repos/
http://
i.e. the authentication box appears and you are not able to log in,
the following may be possible errors:
a) MySQL running on a different port; then define
AuthMySQLPort
b) mysql.sock located at a different place:
verify the location of mysql.sock and define
AuthMySQLSocket
c) If MySQL is running on a different machine, then define
AuthMySQLHost
Has anyone gotten this to work with a Windows OS?
I have Bugzilla on a different server so I modified my httpd.conf to:
DAV svn
SSLRequireSSL
SVNPath "[repository location]"
AuthName "Bugzilla"
AuthType Basic
AuthMySQLEnable On
AuthMySQLHost [mysql server IP]
AuthMySQLUser [account with granted privs.]
AuthMySQLPassword [pw]
AuthMySQLDB [database]
AuthMySQLUserTable profiles
AuthMySQLNameField login_name
AuthMySQLPasswordField cryptpassword
AuthMySQLUserCondition "disabledtext = ''"
require valid-user
AuthzSVNAccessFile [access file]
I get the authentication screen, but unfortunately, it cannot authenticate the user against the database. Also, when this location is added, none of my other web locations will work either. Any thoughts?
When using Apache 2.2, you might be faced with an internal server error when a user tries to authenticate using a MySQL database. You will find errors like the following in your apache error log:
[Wed Aug 15 17:22:44 2007] [error] Internal error: pcfg_openfile() called with NULL filename
[Wed Aug 15 17:22:44 2007] [error] [client 10.87.2.131] (9)Bad file descriptor: Could not open password file: (null)
It took me almost three hours to find the solution, so hopefully someone else may benefit from this. The solution is to add the following line to the Subversion <Location> section in your conf file:
AuthBasicAuthoritative Off
Did you manage to limit SVN access to Bugzilla users which only belong to a particular group (eg. "editbugs")?
Christopher-
Thanks for documenting this. Your post and follow up comments were invaluable in configuring my Bugzilla and Subversion installations. I've now got them up and running on RedHat ES 4.
Thanks,
Joshua Smith
I'd really like to get this working on my system. Unfortunately, I'm using Windows XP, so I'm not able to follow along 100% with what you've done. However, I finally found a win32 binary of the *.so file you mentioned that doesn't make my Apache install take a dump. When I go to the subdirectory I've set up (http://localhost/svn) I do get a popup requesting my password, but when I give it the right stuff, I get a 500 error. Must I use the SVN Access File? Or is something else the matter? Maybe I still don't have a good copy of the mod_auth_mysql.so file? I'm running Apache 2.0.59 and am using a version of mod_auth_mysql.so that was bundled with an older (Apache 2.0.55) version of XAMPP.
No, you shouldn't be required to use an SVN Access File.
Since my post, I had an OS upgrade (from Fedora Core 4 to 5) which gave me newer versions of Apache and mod_auth_mysql. Since my post, I had to add the following line to my configuration to get mod_auth_mysql to work:
AuthMySQLEnable on
Without this, it would just keep asking you for your User Name and Password, without ever letting you in.
But you're getting a 500 (Internal Server) error. Your Apache log file should have some information about what the actual problem is.
To troubleshoot, I'd try to figure out whether the problem is mod_auth_mysql or the Subversion modules (mod_authz_svn and mod_dav_svn).
Try configuring your SVN repository to use htpasswd files for authentication and see if you can access your repositories. If you can, then we know the SVN modules work.
Then configure mod_auth_mysql to protect a regular directory with some html files, and see if you can access them. If you can, then we know mod_auth_mysql works.
You can try playing around with other mod_auth_mysql configuration parameters. You can find them all in the documentation:
http://modauthmysql.sourceforge.net/CONFIGURE
Please send me which version of mod_auth_mysql you have used. Please send me the link also.
I am able to authenticate through plain passwords and not through encryption form.
I'm currently using mod_auth_mysql v.3.0.0
I'm using Fedora (Core 5), and I got my version of mod_auth_mysql by using the "yum" tool as I mentioned in my post.
Did you try specifying the "crypt" algorithm in the configuration via the "AuthMySQLPwEncryption" parameter? (I didn't have to, but I guess it doesn't hurt to try)
You can see all the other available algorithms (plus all the other available configuration options) for mod_auth_mysql at:
http://modauthmysql.sourceforge.net/CONFIGURE
Thanks for your little tutorial. I spent some time to work through a similar setup with XOOPS as I wanted to manage users through the XOOPS CMS. Unfortunately I did not have the same success. I am glad to see someone else successfully work the same idea.