Thursday, December 27, 2007

The following is a step by step installation of Subversion over Apache and SSL, authenticating through an Active Directory server or local server accounts. BTW, I'm by no means an Apache guru, so please leave a comment if I'm missing anything. And thanks to a bunch of people, whom I can't remember, who posted info on the web that helped in compiling these steps! :)

  1. Install the latest CollabNet Win32 distribution found here.
    1. Make sure that only the Apache (MOD_DAV_SVN) component is checked.
    2. Set the Apache configuration. You can set an arbitrary http port for now; it will change when SSL is setup.  Also remember to check the “Install Apache … as a Windows Service” checkbox. The other two options should be set accordingly.
  2. Create a test repository
    1. Open a command prompt and run the following command from the CollabNet installation folder (C:\Program Files\CollabNet Subversion Server\) to create a test repository:
      svnadmin create d:\temp\Repos\mysweetapp
  3. Test Connectivity
    1. Start the Apache service; it should be called Apache2.
    2. Browse to the test repository at http://localhost:1984/mysweetapp with a Subversion client and create a folder to verify that everything is set up correctly. At this point there is no authentication at all, so anyone who can reach port 1984 can commit; run this test on a machine that is not exposed and move on to step 4 promptly.
  4. Install and Configure the SSPI module
    1. Download the SSPI module from here. You will want to match the major and minor Apache build with the version number trailing the SSPI module version number. For example mod_auth_sspi-1.0.4-2.0.58.zip would be for Apache 2.0.x and mod_auth_sspi-1.0.4-2.2.2.zip would be for Apache 2.2.x (Thanks to Dan Switzer for pointing this out, I totally missed that!). After unzipping the contents of the zip, copy mod_auth_sspi.so (in the bin folder) into the Apache modules folder (C:\Program Files\CollabNet Subversion Server\httpd\modules).
    2. Open the httpd.conf file in the Apache configuration folder (C:\Program Files\CollabNet Subversion Server\httpd\conf)
    3. Add the following line to (Or uncomment it in) the Apache configuration file (httpd.conf) in the LoadModule section:
      LoadModule sspi_auth_module modules/mod_auth_sspi.so
    4. Add the following settings, under “# Active Directory Auth”, to the location section. Be sure to specify the SSPIDomain, which can be an AD domain or the local server name; if it is the local server name, the local user accounts are used to authenticate, which is the option to use when there is no AD server. One caveat: SSPIOfferBasic on lets clients that cannot do NTLM/Negotiate fall back to HTTP Basic, which sends the Windows username and password base64-encoded, not encrypted. Until SSL is in place (step 5) that means domain credentials can cross the network in the clear, so either run the test in step 6 on a trusted network or leave SSPIOfferBasic off until step 5 is done.
           <Location />
                DAV svn
                SVNParentPath D:/Temp/Repos
       
                # Active Directory Auth
                AuthName "SVN Server"
                AuthType SSPI
                SSPIAuth On
                SSPIAuthoritative On
                SSPIDomain localhost
                SSPIOfferBasic on
                Require valid-user
           </Location>
    5. Restart the Apache2 service after the httpd.conf file has been saved.
    6. Perform the test noted in step #3 to test connectivity, this time logging in with a user from the domain specified above.
    7. Note that in TortoiseSVN you can check the “Save Authentication” checkbox to avoid having to repeatedly enter your credentials. The saved credentials are stored in the user's profile, so only do this on a machine where that profile is not shared.
  5. Configure SSL
    1. Create the Certificate
      1. Create an OpenSSL configuration file under the Apache bin folder (C:\Program Files\CollabNet Subversion Server\httpd\bin) called openssl.conf and set its contents as follows. The default_bits value of 1024 matches what was common in 2007; for a new deployment set it to 2048, since 1024-bit RSA keys are no longer considered adequate:
             [ v3_ca ]
             subjectKeyIdentifier = hash
             authorityKeyIdentifier = keyid:always,issuer:always
             basicConstraints = CA:true
             [ req ]
             default_bits  = 1024
             default_keyfile  = svnserver.key
             distinguished_name = req_distinguished_name
             attributes  = req_attributes
             x509_extensions = v3_ca 
             string_mask  = nombstr
             [ req_distinguished_name ] 
             commonName  = Common Name
             commonName_default = My Server Name
             [ req_attributes ]
      2. Open up a command prompt in the Apache bin folder (C:\Program Files\CollabNet Subversion Server\httpd\bin).
      3. Run the following command to generate the private key and certificate request files. Be sure to enter the DNS name (or IP address) of the server when prompted for the common name; it has to match exactly what users will type in the https:// URL, or every client will warn about a name mismatch. Also remember the pass phrase you entered, as it will be required for the following step. This will create a svnserver.csr and a svnserver.key file in the Apache bin folder.
              openssl req -config openssl.conf -new -out svnserver.csr
      4. Remove the passphrase from the private key with the following command, entering the passphrase you specified in the last step. This is what lets Apache start as a service without a prompt, but it also means anyone who can read svnserver.key can impersonate the server, so restrict the file's NTFS permissions to the account the Apache service runs under.
             openssl rsa -in svnserver.key -out svnserver.key
      5. Create the self signed certificate with the following command. The following command sets the certificate expiration to 20 years.
             openssl x509 -in svnserver.csr -out svnserver.cert -req -signkey svnserver.key -days 7300
      6. Delete the svnserver.csr in the Apache bin folder.
      7. Copy the svnserver.key and svnserver.cert from the Apache bin folder to the Apache conf folder.
    2. Open the httpd.conf file in the Apache configuration folder (C:\Program Files\CollabNet Subversion Server\httpd\conf).
    3. Change the listen port to 443. Replace the existing Listen line rather than adding a second one, so that the plain HTTP port from step 1 is closed and Basic credentials can no longer be sent unencrypted:
           Listen 443
    4. Change the server name to include the SSL port, 443:
           ServerName localhost:443
    5. Uncomment or add the load module directive for mod_ssl:
           LoadModule ssl_module modules/mod_ssl.so
    6. Create or overwrite the following IfModule section so that it appears as follows. Three notes: SSLMutex is an Apache 2.2 directive (Apache 2.4 replaced it with Mutex); forward slashes are the safer form for paths in httpd.conf on Windows; and with no SSLProtocol or SSLCipherSuite directive mod_ssl falls back to its build defaults, which on a 2007-era build still accept SSLv2, so restrict the protocol versions with an explicit SSLProtocol directive if your clients allow it.
           <IfModule mod_ssl.c>
                  SSLEngine on
       
                  SSLRandomSeed startup   builtin
                  SSLRandomSeed connect   builtin
                  SSLPassPhraseDialog     builtin
                  SSLSessionCache         dbm:logs/ssl_scache
                  SSLSessionCacheTimeout  300
                  SSLMutex                default
                  SSLCertificateFile      conf/svnserver.cert
                  SSLCertificateKeyFile   conf/svnserver.key
            </IfModule>
    7. Restart the Apache2 service.
    8. Browse to https://localhost/mysweetapp and create a folder to test the configuration.
    9. Note that in TortoiseSVN you can permanently accept the certificate when the warning dialog appears. It is warning you that the issuer is not a trusted root authority, which is expected for a self-signed certificate. Before accepting it permanently, compare the fingerprint shown in the dialog with the one openssl x509 -noout -fingerprint prints for svnserver.cert on the server; accepting an unverified certificate for good is exactly what a man-in-the-middle would want you to do.
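An added example, not from the post or from Apache: a small Python checker for the two cleartext-credential pitfalls in the procedure above, namely the Basic fallback being offered before mod_ssl is on (the state after step 4) and mod_ssl running with no explicit protocol restriction (the state after step 5). The configurations are constructed from the post's steps; the SSLProtocol line in the hardened variant is an addition the post does not contain, and the directive parser is deliberately flat (it ignores section nesting), which is enough for these checks but is not a general httpd.conf parser.

```python
"""Flag cleartext-credential pitfalls in an httpd.conf for mod_auth_sspi + mod_ssl."""
import re

# Constructed from the post's steps: the server after step 4 (SSPI with the
# Basic fallback on, still plain HTTP on port 1984).
AFTER_STEP_4 = """
Listen 1984
ServerName localhost:1984
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
<Location />
    DAV svn
    SVNParentPath D:/Temp/Repos
    AuthName "SVN Server"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain localhost
    SSPIOfferBasic on
    Require valid-user
</Location>
"""

# Constructed: the same server after step 5 (port 443, mod_ssl loaded).
AFTER_STEP_5 = (AFTER_STEP_4
                .replace("Listen 1984", "Listen 443")
                .replace("ServerName localhost:1984", "ServerName localhost:443")
                + """
LoadModule ssl_module modules/mod_ssl.so
<IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateFile conf/svnserver.cert
    SSLCertificateKeyFile conf/svnserver.key
</IfModule>
""")

# Hypothetical hardening the post does not include: an explicit protocol floor.
HARDENED = AFTER_STEP_5.replace(
    "SSLEngine on", "SSLEngine on\n    SSLProtocol all -SSLv2 -SSLv3")


def parse_directives(text):
    """Return [(lowercased name, [args])] for every directive, skipping
    comments and <Section> tags; nesting does not matter for these checks."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        tokens = re.findall(r'"[^"]*"|\S+', line)   # keep quoted args whole
        directives.append((tokens[0].lower(), [t.strip('"') for t in tokens[1:]]))
    return directives


def check(text):
    """Return a list of findings; an empty list means no check fired."""
    directives = parse_directives(text)

    def has(name, *leading_args):
        want = [a.lower() for a in leading_args]
        return any(n == name and [a.lower() for a in args[:len(want)]] == want
                   for n, args in directives)

    findings = []
    tls = has("loadmodule", "ssl_module") and has("sslengine", "on")
    basic = has("sspiofferbasic", "on") or has("authtype", "basic")
    ports = [args[0].rsplit(":", 1)[-1] for n, args in directives if n == "listen"]

    if basic and not tls:
        findings.append("Basic auth is offered without mod_ssl: Windows passwords "
                        "cross the network base64-encoded, not encrypted")
    if basic and tls and any(p != "443" for p in ports):
        findings.append("a non-443 listener is still open with Basic auth offered: "
                        "ports " + ", ".join(ports))
    if tls:
        proto = next((args for n, args in directives if n == "sslprotocol"), None)
        if proto is None:
            findings.append("no SSLProtocol directive: mod_ssl's build defaults "
                            "decide whether SSLv2/SSLv3 are accepted")
        elif not {"-sslv2", "-sslv3"} <= {a.lower() for a in proto}:
            findings.append("SSLProtocol does not exclude SSLv2 and SSLv3")
    return findings


if __name__ == "__main__":
    for label, cfg in (("after step 4", AFTER_STEP_4),
                       ("after step 5", AFTER_STEP_5),
                       ("hardened", HARDENED)):
        print(f"{label}: {check(cfg) or ['ok']}")
```

Run it against your own httpd.conf by passing the file's contents to check(); the after-step-4 configuration yields one finding (Basic fallback without mod_ssl), the after-step-5 configuration yields one finding (no SSLProtocol directive), and the hardened variant yields none.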
Thursday, December 27, 2007 2:27:11 AM (GMT Standard Time, UTC+00:00)
Tuesday, February 06, 2007

Zipped source files are getting really lame! I found a hosted Subversion solution (wush.net) for about 7 bucks a month and am hosting all the source code for the Labs there. The setup was very simple and I was up and running in about 15 minutes. The starter package gives you 1 repository and 100mb of space, plenty for personal use. You can browse the repository here with a web browser, but the best way to access it is using a Subversion client such as TortoiseSVN.

Tuesday, February 06, 2007 5:58:42 AM (GMT Standard Time, UTC+00:00)
Monday, December 04, 2006

The following steps outline how to install and configure Subversion v1.4.

1. Download the latest subversion package from here (Described as "Windows installer with the basic win32 binaries").

2. Using svnadmin (In the Subversion bin folder) create a new repository: svnadmin create drive:\my\repository\path

3. Setup the Subversion server as a windows service as specified here. If you want to store repositories on drives other than the drive the subversion service is running on or you would like access to be restricted to a certain path you will need to specify a repository root. This can be specified in the service setup.

4. Configure security as specified here.

5. Install a Subversion client such as TortoiseSVN and test access to the repository: svn://MyServer/MyRepo. Note that the svn:// protocol authenticates users but does not encrypt the session, so everything except the password itself travels in the clear; use svn+ssh:// or the httpd/SSL setup if the repository is reachable from an untrusted network.

Monday, December 04, 2006 10:51:42 PM (GMT Standard Time, UTC+00:00)

I want to start off by saying that I am running svnserve v1.4 as a Windows service. From what I have read, configuration may be somewhat different when using httpd, SSH or another OS. So the following may or may not fully apply to other access methods, versions or OSs.

svnserve.conf

The first repository security configuration file you will encounter is the svnserve.conf file. It appears that Subversion looks for this file specifically under the “conf” folder within the repository tree. I don’t believe there is a way to configure this path or the filename it looks for. This file has only one section called “general”. It contains 5 basic security settings. The settings are as follows:

anon-access: Valid values for this setting are read, write or none. This value specifies repository wide access for anonymous users. If there is a conflict with this setting and with folder permissions specified in the authz file, the most restrictive permission is applied.

auth-access: Valid values for this setting are read, write or none. This value specifies repository wide access for authenticated users. If there is a conflict with this setting and with folder permissions specified in the authz file, the most restrictive permission is applied.

password-db: This specifies a path to a user database. This can be an absolute path (“C:\config\passwd”) or a relative path (“..\..\config\passwd”), which is resolved relative to the folder containing svnserve.conf. If no path is specified only anonymous access will be supported, and only the anon-access permission will be in force.

authz-db: This specifies a path to a folder permissions database. This can be an absolute path (“C:\config\authz”) or a relative path (“..\..\config\authz”). If no path is specified then path based permissions are not applied. Only the anon-access and auth-access permissions will be in force.

realm: This is a string that serves as a unique identifier which identifies a realm or security domain the repository is associated with. A realm is basically the user base contained in the user database (passwd file). Each repository that shares a single user database should have the same realm specified. So for example if you had a user database at “C:\config\passwd” which was used by three repositories, all three repositories should have the same realm specified.

passwd

The second file you will encounter is the user database. The name of this file is passwd by default but can be anything. If user authentication is desired the path to this file must be set in the password-db setting in the svnserve.conf file. If no path is set for this setting, no user authentication will take place. The user database can be shared by multiple repositories. Each repository that shares a single user database should have the same realm specified. The user database contains only one section called “users”. The settings in this group are username/password pairs. Note that the passwords are stored in cleartext (svnserve needs them that way for its challenge-response authentication), so restrict the file's permissions to the account svnserve runs as. For example:

[users]
bsimpson = R@dio@ctiveM@n
lsimpson = Bl33dingGumsMurphy
mburns = Smith3rs
djquimby = V0t3Quimby

authz

The third file you will encounter is the path based permissions database. The name of this file is authz by default but can be anything. If path based permissions are desired the path to this file must be set in the authz-db setting in the svnserve.conf file. This file defines user groups and path permissions. The first section in this file is called “groups”. Here you can specify groups and their membership. Each setting is a group name and a comma separated user list. It does not appear that white space in this list causes any problems. Unfortunately as of  Subversion 1.4 you cannot specify user groups in the user database (passwd), only in this file. Here is an example of the “groups” section:

[groups]
admin = mburns, djquimby
users =  bsimpson, lsimpson

The sections that follow are path specific permissions. The section name is the path. The path begins with a forward slash but must not end with one (the repository root itself is written as just [/]). Evidently (as of Subversion 1.4) the “repository” prefix for repository specific permissions (IE: [repository:/yada/yada]) is ignored when using svnserve to access repositories; it appears to be recognized only when using the httpd access method, so separate files would have to be maintained to provide repository specific folder permissions. Otherwise, if identical paths existed in two or more repositories, the permissions for those paths would be identical and there would be no way to differentiate them. Each path permission section contains members, which can be a group name prefixed with an at sign (@), a wildcard (*) denoting all users (including anonymous), or simply a username. The permissions are ‘r’ for read only, ‘rw’ for read/write or ‘’ (blank) for no access (including anonymous users). Permissions are inherited from the parent folder if no rule in a section applies to the user. Where a user matches more than one rule in the same section (by name and through a group, say), do not count on the less restrictive rule winning; check the combination on your server version, and prefer to give each principal one unambiguous rule per path. Here is an example of path permissions:

[/common]
* = rw

[/config/admin]
@admin=rw
lsimpson=r

[/docs]
@users=rw
@admin=rw

[/secure]
@admin=r
@users=

Monday, December 04, 2006 10:08:48 PM (GMT Standard Time, UTC+00:00)

I am running svnserve as a Windows service on our build server. I thought it was pretty cool that you could point repositories to central security configuration files. This is really nice if you have multiple repositories, only two files to maintain for each realm. Problem is though that when you set a repository specific folder permission ([repository:/yada]) in the authz file it is totally ignored. For example:

[repository:/reporoot/repo1]
@group1=rw

[repository:/reporoot/repo2]
@group2=rw

This does nothing! I did a little searching on "the google" and evidently the repository specific prefix only works with httpd access. For svnserve access you have to specify an authz file for each repository to specify repository specific permissions. Posts here and here discuss this issue.
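As an added example (not part of either post, and not Subversion's own code), here is a small evaluator that applies the rules described in the earlier svnserve.conf/authz post and in this one to the sample files: nearest-matching-section inheritance, @group and * rules, a blank value as denial, the anon-access/auth-access ceiling with the most restrictive setting winning, and the [repository:/path] prefix, which is consulted only when honor_repo_prefix is set (the httpd behaviour) and ignored otherwise (the svnserve 1.4 behaviour this post describes). The sample files are constructed from the posts' examples, with a [repo2:/docs] section added to exercise the prefix; the anon-access = read value and the Springfield realm are assumptions. Where a user matches several rules in one section the evaluator lets an explicit denial of a permission win, which is this evaluator's own choice rather than something the posts confirm.

```python
"""Evaluate effective svnserve access for a user from svnserve.conf and authz."""
import configparser

# Constructed sample svnserve.conf (anon-access and realm are assumptions).
SVNSERVE_CONF = """
[general]
anon-access = read
auth-access = write
password-db = passwd
authz-db = authz
realm = Springfield
"""

# Constructed authz, the posts' example plus a repository-prefixed section.
AUTHZ = """
[groups]
admin = mburns, djquimby
users = bsimpson, lsimpson

[/common]
* = rw

[/config/admin]
@admin = rw
lsimpson = r

[/docs]
@users = rw
@admin = rw

[/secure]
@admin = r
@users =

[repo2:/docs]
@admin = r
"""

LEVELS = {"none": set(), "read": {"r"}, "write": {"r", "w"}}


def _parse(text):
    cp = configparser.RawConfigParser(allow_no_value=True, delimiters=("=",))
    cp.optionxform = str          # keep user and group names case-sensitive
    cp.read_string(text)
    return cp


def _groups(authz):
    if not authz.has_section("groups"):
        return {}
    return {g: {u.strip() for u in members.split(",") if u.strip()}
            for g, members in authz.items("groups")}


def _rule_matches(name, user, groups):
    if name == "*":
        return True                         # everyone, anonymous included
    if user is None:
        return False                        # anonymous matches only '*'
    if name.startswith("@"):
        return user in groups.get(name[1:], set())
    return name == user


def _section_access(authz, section, user, groups):
    """Return (allow, deny) permission sets from the rules matching user."""
    allow, deny = set(), set()
    for name, value in authz.items(section):
        if not _rule_matches(name, user, groups):
            continue
        granted = set((value or "").strip())
        allow |= granted
        deny |= {"r", "w"} - granted        # blank value denies both
    return allow, deny


def effective_access(svnserve_text, authz_text, user, path, repo=None,
                     honor_repo_prefix=False):
    """Permissions ('r', 'w') user has on path; empty set means no access."""
    conf = _parse(svnserve_text)
    authz = _parse(authz_text)
    groups = _groups(authz)

    # svnserve.conf is a repository-wide ceiling; the most restrictive wins.
    key = "anon-access" if user is None else "auth-access"
    ceiling = LEVELS[conf.get("general", key, fallback="none")]

    # Walk from the path up to '/' and stop at the nearest section holding a
    # rule that matches this user; sections with no matching rule are skipped,
    # so access is inherited from the parent.
    p = path.rstrip("/") or "/"
    while True:
        names = [p]
        if honor_repo_prefix and repo:
            names.insert(0, f"{repo}:{p}")  # only the httpd path honours this
        for section in names:
            if not authz.has_section(section):
                continue
            allow, deny = _section_access(authz, section, user, groups)
            if allow or deny:
                return (allow - deny) & ceiling   # explicit denial wins (assumption)
        if p == "/":
            return set()                    # nothing matched anywhere: no access
        p = p.rsplit("/", 1)[0] or "/"
```

With the sample files, anonymous gets only read on /common because anon-access = read caps the rw rule, bsimpson inherits rw on /docs/sub/readme.txt from [/docs], and mburns keeps rw on /docs of repo2 unless honor_repo_prefix is set, which is the point of this post: under svnserve 1.4 the [repo2:/docs] section changes nothing.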

Monday, December 04, 2006 7:51:12 PM (GMT Standard Time, UTC+00:00)
Wednesday, November 08, 2006

Previously (prior to v1.4) the Subversion server (svnserve.exe) couldn’t be natively run as a Windows service. You had to use a wrapper such as srvany.exe from the Windows Resource Kit to host it. Well, now as of v1.4 it will run as a service, but you have to manually install it. Doing this is pretty simple; just use the sc utility to add it at the command line as follows. The first svnserve switch (--service) notifies it that it should communicate with the SCM. The second (-r), which is optional, allows you to specify the root repository path; without it any repository path on the machine can be named in a URL, so set it. Note also that sc create registers the service to run as LocalSystem unless you name an account with obj= (and password=); a dedicated low-privilege account that has access only to the repository root is the safer choice.

C:\>sc create SubversionServer binpath= "\"C:\Program Files\Subversion\bin\svnserve.exe\" --service -r  e:\Subversion\RootRepo" displayname= "Subversion Server" depend= Tcpip start= auto

C:\>sc start SubversionServer

You can find the release notes about this new feature here.

Wednesday, November 08, 2006 12:01:14 AM (GMT Standard Time, UTC+00:00)