Posted to users@subversion.apache.org by Nick Thompson <ni...@agere.com> on 2006/02/28 10:12:55 UTC

AuthzSVNAccessFile without AuthUserFile?

Hi,

apache 2.0.55, SVN 1.3.0, mod_auth_kerb-5.0-rc6

I've been trying to get windows authentication going on a Linux 
server, with a little success. I have installed mod-auth-kerb and it 
authenticates nicely using basic authentication, but using a windows 
DC to verify the passwords. However, now I'm trying to control 
access to the repos with an authz file. With true basic 
authentication I have this:

<Location /svn>
    DAV svn
    SVNParentPath /svn
    SVNListParentPath on
    SetOutputFilter DEFLATE
    AuthzSVNAccessFile /etc/svn-authz-file

    AuthType Basic
    AuthName "MTD DSP Software Subversion Repository"
    AuthUserFile /etc/svn-auth-file

    Require valid-user
</Location>

The Authz file then seems to work as expected. For Kerberos I have the 
following:

<Location /svn>
    DAV svn
    SVNParentPath /svn
    SVNListParentPath on
    SetOutputFilter DEFLATE
    AuthzSVNAccessFile /etc/svn-authz-file

    AuthType Kerberos
    AuthName "MTD DSP Software Subversion Repository"
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /opt/httpd/2.0.55/conf/server.keytab
    KrbMethodK5Passwd on
    KrbMethodK4Passwd off
    KrbVerifyKDC off

    Require valid-user
</Location>

Now, the Authz module seems not to know the username. So * wildcards 
for anonymous access are working in the Authz file, but not groups or 
individual users.

The authentication works fine. If I have [/] * = rw, I can read and 
write all the repos correctly. It's only per-path permissions that 
seem to be messed up.

Fallen at the last hurdle :-( Am I on to a loser here?

--------------------------------------------------------
# works with true basic, but not kerberos
[groups]
all = nickthompson

[/]
@all = rw
--------------------------------------------------------

Regards,
-- 
> Nick Thompson

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: AuthzSVNAccessFile without AuthUserFile?

Posted by Nick Thompson <ni...@agere.com>.
D'oh

mod_auth_kerb asks for password for user nickthompson (in my example), 
but authenticates the user nickthompson@EXAMPLE.COM. So this works...

--------------------------------------------------------
# doesn't work with true basic, but does work with kerberos
[groups]
all = nickthompson@EXAMPLE.COM

[/]
@all = rw
--------------------------------------------------------

Well, hey, maybe somebody who wants to also set up windows DC 
authentication will find something useful here :-)

Nick.

On Tuesday 28 February 2006 10:12, Nick Thompson wrote:
> Hi,
>
> apache 2.0.55, SVN 1.3.0, mod_auth_kerb-5.0-rc6
>
> I've been trying to get windows authentication going on a Linux
> server, with a little success. I have installed mod-auth-kerb and
> it authenticates nicely using basic authentication, but using a
> windows DC to verify the passwords. However, now I'm trying to
> control access to the repos with an authz file. With true basic
> authentication I have this:
>
> <Location /svn>
>     DAV svn
>     SVNParentPath /svn
>     SVNListParentPath on
>     SetOutputFilter DEFLATE
>     AuthzSVNAccessFile /etc/svn-authz-file
>
>     AuthType Basic
>     AuthName "MTD DSP Software Subversion Repository"
>     AuthUserFile /etc/svn-auth-file
>
>     Require valid-user
> </Location>
>
> The Authz file then seems to work as expected. For Kerberos I have
> the following:
>
> <Location /svn>
>     DAV svn
>     SVNParentPath /svn
>     SVNListParentPath on
>     SetOutputFilter DEFLATE
>     AuthzSVNAccessFile /etc/svn-authz-file
>
>     AuthType Kerberos
>     AuthName "MTD DSP Software Subversion Repository"
>     KrbAuthRealms EXAMPLE.COM
>     Krb5Keytab /opt/httpd/2.0.55/conf/server.keytab
>     KrbMethodK5Passwd on
>     KrbMethodK4Passwd off
>     KrbVerifyKDC off
>
>     Require valid-user
> </Location>
>
> Now, the Authz module seems not to know the username. So *
> wildcards for anonymous access are working in the Authz file, but
> not groups or individual users.
>
> The authentication works fine. If I have [/] * = rw, I can read and
> write all the repos correctly. It's only per-path permissions that
> seem to be messed up.
>
> Fallen at the last hurdle :-( Am I on to a loser here?
>
> --------------------------------------------------------
> # works with true basic, but not kerberos
> [groups]
> all = nickthompson
>
> [/]
> @all = rw
> --------------------------------------------------------
>
> Regards,

-- 
> Nick Thompson
> Agere Systems Ltd
