Posted to users@subversion.apache.org by Craig McQueen <mc...@edsrd1.yzk.co.jp> on 2008/12/05 01:55:42 UTC
Multiple authentication sources
Hello all,
The following doc says that a Windows Apache server can be set up to
authenticate against both Windows SSPI and a password file:
http://tortoisesvn.net/docs/nightly/TortoiseSVN_en/help-onepage.html#tsvn-serversetup-apache-6
I'm trying to get this working on a Windows Apache 2.2 server, but
without success. SSPI works on its own, and the password file works on
its own. But if I try to use both together, as described, then
authenticating against the SSPI works but authenticating against the
password file fails.
I'm wondering: does this solution simply not work on Apache 2.2.x due to
changes to the authentication/authorization setup in Apache 2.2.x?
I'm interested to know if anyone else has tried this on Apache 2.2.x,
and if you ended in success or failure.
Regards,
Craig McQueen
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=979914
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: Multiple authentication sources
Posted by Frank Gruman <fg...@verizon.net>.
On Wed, 2008-12-10 at 14:09 +0900, Craig McQueen wrote:
> Frank Gruman wrote:
>
> > On Mon, 2008-12-08 at 11:24 +0900, Craig McQueen wrote:
> >
> >
> > > Frank Gruman wrote:
> > >
> > >
> > > > On Fri, 2008-12-05 at 13:29 -0600, Alec Kloss wrote:
> > > >
> > > >
> > > >
> > > > > On 2008-12-05 10:55, Craig McQueen wrote
> > > >
> > > > I've successfully implemented multiple authentication sources, but I
> > > > believe the current limitation (until Apache 2.3/2.4 is released) is
> > > > that they must all be of the same type (AuthType Basic or AuthType
> > > > SSPI). In my case, I was able to do basic authentication with a file
> > > > and LDAP.
> > > >
> > > > But I thought it would still be possible. I found a sample config here
> > > > -
> > > > http://osdir.com/ml/version-control.subversion.ankhsvn.general/2006-04/msg00037.html
> > > >
> > > >
> > > > <Location /svn/>
> > > > DAV svn
> > > > SVNParentPath "/srv/svn/my_projects"
> > > >
> > > > AuthName "Subversion Repositories"
> > > > Require valid-user #this is all authenticated users on
> > > > domain
> > > > AuthAuthoritative Off #enables multiple authorities
> > > >
> > > > AuthType SSPI
> > > > SSPIAuth On
> > > > SSPIAuthoritative Off
> > > > #SSPIAuthoritative On - Forces only SSPI auth, skips passwd
> > > > file
> > > > SSPIOmitDomain On
> > > > SSPIDomain MY_AD_DOMAIN
> > > > SSPIOfferBasic On
> > > >
> > > > AuthType Basic
> > > > AuthUserFile "/srv/svn/auth/basic_users"
> > > >
> > > > AuthzSVNAccessFile "/srv/svn/auth/svn_users"
> > > >
> > > > </Location>
> > > >
> > > > Regards,
> > > > Frank
> > > >
> > > >
> > >
> > > That configuration looks like it's good for Apache 2.0, but not 2.2.
> > > The "AuthAuthoritative" directive is no longer used in 2.2. My
> > > configuration looks very similar to that, except that instead of
> > > AuthAuthoritative, I have AuthBasicAuthoritative. But it doesn't work,
> > > as I previously described. Does anyone have a configuration that works
> > > specifically on Apache 2.2?
> > >
> > > Regards,
> > > Craig McQueen
> > >
> > >
> > >
> > >
> >
> > Ahh - so right you are on the version - sorry for wasting your cycles...
> >
> > Could you post the relevant portion of your config file for us to look
> > at? The only thing that I can really see that mattered in the notes on
> > the link you provided in your original post is to make sure to specify
> > that neither authentication mechanism is to be authoritative. Had I not
> > read the instructions twice (or thrice) I would have missed that in my
> > own configuration.
> >
> > At the very least, if you can't see the issue perhaps another on the
> > list will see the nefarious command keeping you from your goals.
> >
> > Regards,
> > Frank
> >
> >
>
> Here it is:
>
> <Location /svn/>
> Options Indexes FollowSymLinks
>
> DAV svn
> SVNListParentPath on
> SVNParentPath C:/SVN/Repositories
> #SVNIndexXSLT "/svnindex.xsl"
> SSLRequireSSL
>
> # Keep these in sync with location /websvn below
> AuthName "Subversion repositories"
>
> AuthType Basic
> AuthBasicAuthoritative Off
> AuthUserFile c:/SVN/conf/htpasswd
>
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative Off
> SSPIDomain OURDOMAIN
> #SSPIOmitDomain on
> #SSPIUsernameCase lower
> #SSPIPerRequestAuth on
> SSPIOfferBasic On
>
> Require valid-user
> #SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
>
> SVNPathAuthz Off
> #AuthzSVNAccessFile c:\SVN\conf\svnaccessfile
> </Location>
>
>
Excellent! Thanks for posting back and letting us all know what worked!
Regards,
Frank
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=982054
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=982465
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
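A lint check for the two <Location> blocks quoted in the message above, as an added example that is not part of the original thread or any project's code: it flags the Apache 2.0-only AuthAuthoritative directive, providers not explicitly set non-authoritative, and Basic credentials accepted without SSLRequireSSL. The function names directives and lint are hypothetical, the sample blocks are constructed (abridged from the quoted configs), and the rules target Apache 2.2 as discussed in the thread; the check reads config text only and does not show that a given setup authenticates.

```python
# Constructed samples: the two <Location> blocks quoted in the thread, abridged.
SAMPLE_20 = """
<Location /svn/>
Require valid-user
AuthAuthoritative Off
AuthType SSPI
SSPIAuth On
SSPIAuthoritative Off
SSPIOfferBasic On
AuthType Basic
AuthUserFile "/srv/svn/auth/basic_users"
</Location>
"""
SAMPLE_22 = """
<Location /svn/>
SSLRequireSSL
AuthType Basic
AuthBasicAuthoritative Off
AuthUserFile c:/SVN/conf/htpasswd
AuthType SSPI
SSPIAuth On
SSPIAuthoritative Off
SSPIOfferBasic On
Require valid-user
</Location>
"""

def directives(block):
    """Return (name, args) pairs; skip blanks, comments and <section> tags."""
    pairs = []
    for line in block.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            args = parts[1].strip().lower() if len(parts) > 1 else ""
            pairs.append((parts[0].lower(), args))
    return pairs

def lint(block):
    """Check a block against the thread's Apache 2.2 advice; return findings."""
    d = directives(block)
    names = {n for n, _ in d}
    last = dict(d)  # later duplicates overwrite earlier ones
    findings = []
    if "authauthoritative" in names:
        findings.append("AuthAuthoritative is 2.0-only; 2.2 uses AuthBasicAuthoritative")
    if "authuserfile" in names and last.get("authbasicauthoritative") != "off":
        findings.append("AuthUserFile without AuthBasicAuthoritative Off")
    if last.get("sspiauth") == "on" and last.get("sspiauthoritative") != "off":
        findings.append("SSPIAuth On without SSPIAuthoritative Off")
    # Basic sends the password base64-encoded, so it needs TLS on this path.
    basic = last.get("sspiofferbasic") == "on" or ("authtype", "basic") in d
    if basic and "sslrequiressl" not in names:
        findings.append("Basic credentials accepted without SSLRequireSSL")
    return findings
```

Calling lint(SAMPLE_20) returns three findings and lint(SAMPLE_22) returns an empty list; directives with a trailing comment on the same line need the comment moved to its own line first.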
Re: Multiple authentication sources
Posted by Frank Gruman <fg...@verizon.net>.
On Mon, 2008-12-08 at 11:24 +0900, Craig McQueen wrote:
>
>
> Frank Gruman wrote:
> > On Fri, 2008-12-05 at 13:29 -0600, Alec Kloss wrote:
> >
> > > On 2008-12-05 10:55, Craig McQueen wrote:
> > >
> > I've successfully implemented multiple authentication sources, but I
> > believe the current limitation (until Apache 2.3/2.4 is released) is
> > that they must all be of the same type (AuthType Basic or AuthType
> > SSPI). In my case, I was able to do basic authentication with a file
> > and LDAP.
> >
> > But I thought it would still be possible. I found a sample config here
> > -
> > http://osdir.com/ml/version-control.subversion.ankhsvn.general/2006-04/msg00037.html
> >
> >
> > <Location /svn/>
> > DAV svn
> > SVNParentPath "/srv/svn/my_projects"
> >
> > AuthName "Subversion Repositories"
> > Require valid-user #this is all authenticated users on
> > domain
> > AuthAuthoritative Off #enables multiple authorities
> >
> > AuthType SSPI
> > SSPIAuth On
> > SSPIAuthoritative Off
> > #SSPIAuthoritative On - Forces only SSPI auth, skips passwd
> > file
> > SSPIOmitDomain On
> > SSPIDomain MY_AD_DOMAIN
> > SSPIOfferBasic On
> >
> > AuthType Basic
> > AuthUserFile "/srv/svn/auth/basic_users"
> >
> > AuthzSVNAccessFile "/srv/svn/auth/svn_users"
> >
> > </Location>
> >
> > Regards,
> > Frank
> >
> That configuration looks like it's good for Apache 2.0, but not 2.2.
> The "AuthAuthoritative" directive is no longer used in 2.2. My
> configuration looks very similar to that, except that instead of
> AuthAuthoritative, I have AuthBasicAuthoritative. But it doesn't work,
> as I previously described. Does anyone have a configuration that works
> specifically on Apache 2.2?
>
> Regards,
> Craig McQueen
>
>
>
Ahh - so right you are on the version - sorry for wasting your cycles...
Could you post the relevant portion of your config file for us to look
at? The only thing that I can really see that mattered in the notes on
the link you provided in your original post is to make sure to specify
that neither authentication mechanism is to be authoritative. Had I not
read the instructions twice (or thrice) I would have missed that in my
own configuration.
At the very least, if you can't see the issue perhaps another on the
list will see the nefarious command keeping you from your goals.
Regards,
Frank
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=981020
Re: Multiple authentication sources
Posted by Craig McQueen <mc...@edsrd1.yzk.co.jp>.
Frank Gruman wrote:
> On Fri, 2008-12-05 at 13:29 -0600, Alec Kloss wrote:
>
>> On 2008-12-05 10:55, Craig McQueen wrote:
>>
> I've successfully implemented multiple authentication sources, but I
> believe the current limitation (until Apache 2.3/2.4 is released) is
> that they must all be of the same type (AuthType Basic or AuthType
> SSPI). In my case, I was able to do basic authentication with a file
> and LDAP.
>
> But I thought it would still be possible. I found a sample config here
> -
> http://osdir.com/ml/version-control.subversion.ankhsvn.general/2006-04/msg00037.html
>
>
> <Location /svn/>
> DAV svn
> SVNParentPath "/srv/svn/my_projects"
>
> AuthName "Subversion Repositories"
> Require valid-user #this is all authenticated users on
> domain
> AuthAuthoritative Off #enables multiple authorities
>
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative Off
> #SSPIAuthoritative On - Forces only SSPI auth, skips passwd
> file
> SSPIOmitDomain On
> SSPIDomain MY_AD_DOMAIN
> SSPIOfferBasic On
>
> AuthType Basic
> AuthUserFile "/srv/svn/auth/basic_users"
>
> AuthzSVNAccessFile "/srv/svn/auth/svn_users"
>
> </Location>
>
> Regards,
> Frank
>
That configuration looks like it's good for Apache 2.0, but not 2.2. The
"AuthAuthoritative" directive is no longer used in 2.2. My configuration
looks very similar to that, except that instead of AuthAuthoritative, I
have AuthBasicAuthoritative. But it doesn't work, as I previously
described. Does anyone have a configuration that works specifically on
Apache 2.2?
Regards,
Craig McQueen
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=981001
Re: Multiple authentication sources
Posted by Frank Gruman <fg...@verizon.net>.
On Fri, 2008-12-05 at 13:29 -0600, Alec Kloss wrote:
> On 2008-12-05 10:55, Craig McQueen wrote:
> > Hello all,
> >
> > The following doc says that a Windows Apache server can be set up to
> > authenticate against both Windows SSPI and a password file:
> > http://tortoisesvn.net/docs/nightly/TortoiseSVN_en/help-onepage.html#tsvn-serversetup-apache-6
> >
> > I'm trying to get this working on a Windows Apache 2.2 server, but
> > without success. SSPI works on its own, and the password file works on
> > its own. But if I try to use both together, as described, then
> > authenticating against the SSPI works but authenticating against the
> > password file fails.
> >
> > I'm wondering: does this solution simply not work on Apache 2.2.x due to
> > changes to the authentication/authorization setup in Apache 2.2.x?
> >
> > I'm interested to know if anyone else has tried this on Apache 2.2.x,
> > and if you ended in success or failure.
>
> I've never been able to make Apache 2.2 authenticate against multiple
> auth modules at the same time without patching mod_auth_basic and
> usually the other authentication module as well.
>
> I'd be very curious to know how people get this to work without patching
> apache.
>
> --
> Alec.Kloss@oracle.com Oracle Middleware
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956
>
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=980286
>
> To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
I've successfully implemented multiple authentication sources, but I
believe the current limitation (until Apache 2.3/2.4 is released) is
that they must all be of the same type (AuthType Basic or AuthType
SSPI). In my case, I was able to do basic authentication with a file
and LDAP.
But I thought it would still be possible. I found a sample config here -
http://osdir.com/ml/version-control.subversion.ankhsvn.general/2006-04/msg00037.html
<Location /svn/>
  DAV svn
  SVNParentPath "/srv/svn/my_projects"
  AuthName "Subversion Repositories"
  # this is all authenticated users on domain
  Require valid-user
  # enables multiple authorities
  AuthAuthoritative Off
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative Off
  #SSPIAuthoritative On - Forces only SSPI auth, skips passwd file
  SSPIOmitDomain On
  SSPIDomain MY_AD_DOMAIN
  SSPIOfferBasic On
  AuthType Basic
  AuthUserFile "/srv/svn/auth/basic_users"
  AuthzSVNAccessFile "/srv/svn/auth/svn_users"
</Location>
Regards,
Frank
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=980424
Re: Multiple authentication sources
Posted by Alec Kloss <al...@oracle.com>.
On 2008-12-05 10:55, Craig McQueen wrote:
> Hello all,
>
> The following doc says that a Windows Apache server can be set up to
> authenticate against both Windows SSPI and a password file:
> http://tortoisesvn.net/docs/nightly/TortoiseSVN_en/help-onepage.html#tsvn-serversetup-apache-6
>
> I'm trying to get this working on a Windows Apache 2.2 server, but
> without success. SSPI works on its own, and the password file works on
> its own. But if I try to use both together, as described, then
> authenticating against the SSPI works but authenticating against the
> password file fails.
>
> I'm wondering: does this solution simply not work on Apache 2.2.x due to
> changes to the authentication/authorization setup in Apache 2.2.x?
>
> I'm interested to know if anyone else has tried this on Apache 2.2.x,
> and if you ended in success or failure.
I've never been able to make Apache 2.2 authenticate against multiple
auth modules at the same time without patching mod_auth_basic and
usually the other authentication module as well.
I'd be very curious to know how people get this to work without patching
apache.
--
Alec.Kloss@oracle.com Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=980286