Posted to users@subversion.apache.org by Christopher Mason <Ma...@mayo.edu> on 2006/02/15 21:50:19 UTC

svn/spnego

--On Wednesday, February 15, 2006 1:03 PM -0800 Emily Stumpf 
<em...@ucdavis.edu> wrote:

> Did you ever post details on [authenticating subversion with spnego
> on windows]? :)

Emily-

No, but now that subversion 1.3 is out this should be a bunch easier. 
Before you had to build a version of subversion that used neon 0.25, 
but subversion 1.3 uses this by default.  I just downloaded and tried 
it and it seems to work.

You'll need:

apache (I have version 2.0.53)
mod_auth_kerb (I have 5.0rc6)
subversion >=1.3  (must be compiled against neon >= 0.25, but the 
win32 builds on subversion.tigris.org are)

I use the following in my httpd.conf:

<Location /testsrc>
   DAV svn
   SVNPath /var/testsrc
   AuthType Kerberos
   KrbAuthRealms MFAD.MFROOT.ORG
   Krb5Keytab /etc/httpd/conf/httpd.keytab
   KrbMethodNegotiate On
   KrbMethodK5Passwd on
   KrbSaveCredentials On
   AuthName "Authorization Realm"
   Require valid-user
</Location>

You'll need to create a keytab file with a service principal for HTTP 
(not http).  If you can get, e.g., firefox[1] to access a URL 
configured like /testsrc above, then you should be set.  Google for 
mod_auth_kerb and this should get you started.

One caveat: you must use the fully qualified domain name for this to 
work.  The reasons for this are arcane (SPN canonicalization) and not 
worth explaining.

Hope this helps,

-c


[1] Make sure you enable spnego in firefox.


-- 
[ Christopher Mason  MPRC Bioinformatics  http://proteomics ]

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
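
A check for the two caveats in the message above (service principal named HTTP rather than http, and the fully qualified host name in the URL), as an added example that is not part of the original post or of mod_auth_kerb. It reads `klist -k` output on stdin; the function names, svn.example.org, build.example.org and EXAMPLE.ORG are constructed for illustration, and it assumes the keytab stores the host part in lower case.

```shell
#!/bin/sh
# Added example: compare a client URL with the principals in a keytab listing.

# url_host URL -> host part of an http(s) URL, lower-cased (port and path dropped)
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|[/:].*$||' | tr 'A-Z' 'a-z'
}

# check_spn URL REALM < klist-output
# Prints one verdict (ok, not-fqdn, wrong-case, missing); returns 0 only for ok.
check_spn() {
    host=$(url_host "$1")
    realm=$2
    # Data rows of `klist -k` are "<kvno> <principal>"; header rows are skipped.
    principals=$(awk '$1 ~ /^[0-9]+$/ { print $2 }')
    case $host in
        *.*) ;;                             # has a domain part
        *) echo "not-fqdn"; return 1 ;;     # short name: the SPN will not match
    esac
    if printf '%s\n' "$principals" | grep -qxF "HTTP/$host@$realm"; then
        echo "ok"; return 0
    fi
    # Same principal but different letter case, e.g. http/ instead of HTTP/
    if printf '%s\n' "$principals" | grep -qixF "HTTP/$host@$realm"; then
        echo "wrong-case"; return 1
    fi
    echo "missing"; return 1
}

# Constructed sample of `klist -k /etc/httpd/conf/httpd.keytab` output.
sample_keytab() {
    cat <<'EOF'
Keytab name: FILE:/etc/httpd/conf/httpd.keytab
KVNO Principal
---- ----------------------------------------------
   3 HTTP/svn.example.org@EXAMPLE.ORG
   3 http/build.example.org@EXAMPLE.ORG
EOF
}

# Demo on the constructed listing; prints "ok".
sample_keytab | check_spn "http://svn.example.org/testsrc" EXAMPLE.ORG
```

On a real server, pipe the output of `klist -k` for the keytab named in Krb5Keytab into check_spn instead of sample_keytab.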

Re: svn/spnego

Posted by Emily Stumpf <em...@ucdavis.edu>.
Hum. Now, I've got it working on linux just fine, and almost on OS X, 
but windows is still not working.  It might be how I'm trying to enable 
SPNEGO in Firefox? 
Per this site:
http://open.itworld.com/5037/book_050425firefoxhacks/page_1.html

.. Down in the middle of Hack #14

By going to about:config I set both of these to my svn server 
("myserver.ucdavis.edu"):

network.negotiate-auth.trusted-uris     /* defaults to empty string */
network.negotiate-auth.delegation-uris  /* defaults to empty string */

Does that sound about right? I would Love to be directed to directions 
for Internet Explorer/Firefox, if this does not sound right.

Thanks for any info!


