DevHeads.net

some questions on configuring SSL and LDAP

Would someone be willing to nitpick this configuration?

The goal is setting up a self-signed certificate and enabling SSL and LDAP authentication for a subversion repository.
This configuration is located in subversion.conf
The version of Apache httpd in this subversion product is: 2.2.25

This configuration is working, but I was hoping someone might spot something I've missed or perhaps suggest some best practices?

# VirtualHost is set to: 8443 for SSL
<VirtualHost *:8443>
KeepAlive On

# This directive toggles the usage of the SSL/TLS Protocol Engine. This should be used inside a <VirtualHost> section to enable SSL/TLS for that virtual host.
SSLEngine On
SSLCertificateFile "C:\Program Files (x86)\Subversion\Apache2\ssl\apache.crt"
SSLCertificateKeyFile "C:\Program Files (x86)\Subversion\Apache2\ssl\apache.key"

# The <Location> directive limits the scope of the enclosed directives by URL, in this case the URL of /svn
<Location /svn>

DAV svn
SVNParentPath "C:\repositories"

# Let the users browse the parent path /svn
SVNListParentPath on

# SVNParentPath and authz fix http://subversion.tigris.org/issues/show_bug.cgi?id=2753
RedirectMatch ^(/svn)$ $1/

# Authentication: LDAP
Order deny,allow
Deny from All
AuthName "my auth name"
AuthType Basic
AuthBasicProvider ldap

# AuthzLDAPAuthoritative must be explicitly set because the default setting is "on" and authentication attempts for valid-user will fail otherwise.
AuthzLDAPAuthoritative off

# Note: We are only looking for users that belong to a certain OU of yadda1
AuthLDAPURL "ldap://servername.domain:389/OU=yadda1,OU=yadda,DC=domain,DC=organization,DC=gov?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=AD Query Account,OU=Service Accounts,OU=dept,DC=domain,DC=organization,DC=gov"
AuthLDAPBindPassword bind_password

# If AuthzLDAPAuthoritative was set to 'on', then you can list required users in the following directive
#Require user "me" "someotheruser"

# Grants access to any user that has successfully authenticated during the search/bind phase
Require valid-user

# Allows the request if any requirement is met (authentication OR access), can use 'all' to force both requirements
Satisfy any

# Authorization: Path-based access control; authenticated users can access paths for read/write specified in this file.
AuthzSVNAccessFile "C:\svn_passwd\svn-auth.authz"

SVNAutoversioning on
</Location>

# Enable Subversion logging
CustomLog logs/subversion.log combined

</VirtualHost>

Leo
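
An added example, not part of the original post: a small Python check over the posted directives that flags a plain `ldap://` AuthLDAPURL with no TLS mode, a bind password stored in the config file, and SSL enabled without explicit SSLProtocol/SSLCipherSuite lines. The function names and finding codes are made up for this example, and the sample is a constructed excerpt of the configuration above.

```python
import re

# Constructed sample: the directives from the post that the checks look at.
SAMPLE = r'''
<VirtualHost *:8443>
SSLEngine On
<Location /svn>
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://servername.domain:389/OU=yadda1,OU=yadda,DC=domain,DC=organization,DC=gov?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindPassword bind_password
Require valid-user
</Location>
</VirtualHost>
'''

def directives(conf):
    """Yield (lowercased name, argument string) per directive; skip comments, blanks, <Section> tags."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, args = line.partition(" ")
        yield name.lower(), args.strip()

def audit(conf):
    """Return a sorted list of finding codes (hypothetical names) for the config text."""
    seen = {}
    for name, args in directives(conf):
        seen.setdefault(name, []).append(args)
    findings = set()
    for url in seen.get("authldapurl", []):
        # mod_authnz_ldap syntax: AuthLDAPURL url [NONE|SSL|TLS|STARTTLS]
        m = re.match(r'"?(ldaps?)://[^"\s]*"?\s*(\S*)', url, re.I)
        scheme, mode = (m.group(1).lower(), m.group(2).upper()) if m else ("", "")
        if scheme == "ldap" and mode not in ("SSL", "TLS", "STARTTLS"):
            findings.add("LDAP_CLEARTEXT")  # bind and user passwords cross the network unencrypted
    if "authldapbindpassword" in seen:
        findings.add("BIND_PASSWORD_IN_FILE")  # read access to the conf file must be restricted
    if any(a.lower() == "on" for a in seen.get("sslengine", [])):
        for d in ("sslprotocol", "sslciphersuite"):
            if d not in seen:
                findings.add("NO_" + d.upper())  # the build's default protocols/ciphers apply
    return sorted(findings)

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```
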