Posted to users@subversion.apache.org by Scott Palmer <Sc...@digital-rapids.com> on 2008/05/01 18:20:38 UTC

svnserve authenticating against Windows domain credentials

I've been swearing for the last few hours at the horrendous
documentation for SASL and how to use it with svnserve.

Please somebody put me out of my misery.

I want our users to provide their windows domain login credentials to
access subversion via svn://

So far I know to put this:

[sasl]
use-sasl = true

in my svnserve.conf file.

Then it seems I need a subversion.conf file somewhere.. I think on a
standard windows install of the subversion server components this is
supposed to go beside the SASL DLLs  e.g. beside libsasl.dll,
svnserve.exe, etc.

But I haven't the foggiest idea what should go in the SASL config file
(subversion.conf).  The SASL documentation is useless.  Lots of charts
about what can go on the left side of the =, but basically zero
information about what you might want to put on the right side of the
"=".

Am I out to lunch thinking that this would be the most sought after
method for using svn:// in a Windows environment?

I don't want to use Apache since I'm not interested in bloating my
source control system with a web server and dealing with the
configuration of it as well.

 


Re: svnserve authenticating against Windows domain credentials

Posted by km...@rockwellcollins.com.
"Mark Phippard" <ma...@gmail.com> wrote on 05/02/2008 08:42:16 AM:
> On Fri, May 2, 2008 at 9:39 AM,  <km...@rockwellcollins.com> wrote:
> >
> > "Scott Palmer" <Sc...@digital-rapids.com> wrote on 05/02/2008 08:05:31 AM:
> >
> >  > It seems so obvious that it really should be a simple selection in the
> >  > Windows installer for the subversion 1.5 server.
> >  >
> >  > "Use domain authentication" - Check!
> >
> > The VisualSVN server install for windows does just this!
> 
> I was under the impression it was only done for Apache servers?  You
> are saying it also does it for svnserve using SASL?  I did not see
> anything in the SASL documentation that implies there is a supported
> plugin for Windows authentication.

Yeah, I missed the svnserve part since we don't use it.  I believe
it is apache only at this point.

Kevin R.

Re: svnserve authenticating against Windows domain credentials

Posted by km...@rockwellcollins.com.
"Mark Phippard" <ma...@gmail.com> wrote on 05/02/2008 10:03:53 AM:
> On Fri, May 2, 2008 at 10:37 AM,  <km...@rockwellcollins.com> wrote:
> >
> > "Mark Phippard" <ma...@gmail.com> wrote on 05/02/2008 09:09:41 AM:
> >  > On Fri, May 2, 2008 at 10:04 AM, Scott Palmer <Sc...@digital-rapids.com>
> >  > wrote:
> >  > > Where do the docs state that LDAP and Kerberos aren't supported on
> >  > >  Windows?
> >  >
> >  > http://www.sendmail.org/~ca/email/cyrus2/windows.html
> >
> > Ok, I've already made one bad assumption/misread in this thread, so why
> > stop there...
> >
> > How about this:  http://wiki.mozilla.org/LDAP_C_SDK_SASL_Windows
> 
> Unfortunately that is an LDAP client that has instructions for
> building in SASL so that you can use it to authenticate with the
> server.  In other words, it is just something using SASL, it is not
> implementing an LDAP authorization provider.

Ah, that is the part I was missing.  I was thinking svnserve only
needed to be a client...

I'll go back to my blissful state of ignorance now... :)

Kevin R.

Re: svnserve authenticating against Windows domain credentials

Posted by Mark Phippard <ma...@gmail.com>.
On Fri, May 2, 2008 at 10:37 AM,  <km...@rockwellcollins.com> wrote:
>
> "Mark Phippard" <ma...@gmail.com> wrote on 05/02/2008 09:09:41 AM:
>  > On Fri, May 2, 2008 at 10:04 AM, Scott Palmer <Sc...@digital-rapids.com>
> wrote:
>  > > Where do the docs state that LDAP and Kerberos aren't supported on
>  > >  Windows?
>  >
>  > http://www.sendmail.org/~ca/email/cyrus2/windows.html
>
> Ok, I've already made one bad assumption/misread in this thread, so why
> stop there...
>
> How about this:  http://wiki.mozilla.org/LDAP_C_SDK_SASL_Windows

Unfortunately that is an LDAP client that has instructions for
building in SASL so that you can use it to authenticate with the
server.  In other words, it is just something using SASL, it is not
implementing an LDAP authorization provider.


> Can GNU SASL be used instead? : http://www.gnu.org/software/gsasl/
> Win32 pre-built:
> http://sourceforge.net/project/showfiles.php?group_id=145682&package_id=211655

It cannot be used as-is.  Subversion would have to be configured to
use the function names and header files that it provides.  SASL is a
protocol specification, not a library specification.  So Subversion is
written against a specific SASL implementation -- Cyrus SASL.

RE: svnserve authenticating against Windows domain credentials

Posted by Scott Palmer <Sc...@digital-rapids.com>.
> -----Original Message-----
> From: Mark Phippard
> Sent: May 2, 2008 11:24 AM
> To: Scott Palmer
> Subject: Re: svnserve authenticating against Windows domain credentials
> 
> On Fri, May 2, 2008 at 11:22 AM, Scott Palmer <Scott@digital-rapids.com> wrote:
> > I can't change the access protocol without breaking the existing
> >  svn:externals.  It's that simple.  That's the main reason that relative
> >  URLs in Subversion 1.5 is such an important feature... but sadly we
> >  can't rewrite the revisions that are already in the repo. to use
> >  relative URLs
> 
> You can still run a read-only svnserve server so that the externals
> can be retrieved.  You could also make a branch from the old revision
> and then update the externals in HEAD.

I guess we could do that for build purposes.  But can we do that to get
a working copy checked out to make the branch you speak of?  It seems to
lead to a chicken & egg scenario.

It would also be a lot of work to track down where all the svn:externals
are used... I guess some fancy coding could automate the process
though...

Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org


Re: svnserve authenticating against Windows domain credentials

Posted by Mark Phippard <ma...@gmail.com>.
On Fri, May 2, 2008 at 11:22 AM, Scott Palmer <Sc...@digital-rapids.com> wrote:
> I can't change the access protocol without breaking the existing
>  svn:externals.  It's that simple.  That's the main reason that relative
>  URLs in Subversion 1.5 is such an important feature... but sadly we
>  can't rewrite the revisions that are already in the repo. to use
>  relative URLs

You can still run a read-only svnserve server so that the externals
can be retrieved.  You could also make a branch from the old revision
and then update the externals in HEAD.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/


RE: svnserve authenticating against Windows domain credentials

Posted by Scott Palmer <Sc...@digital-rapids.com>.
> -----Original Message-----
> From: John Peacock [mailto:john.peacock@havurah-software.org]
> Sent: May 2, 2008 2:20 PM
> To: Scott Palmer
> Subject: Re: svnserve authenticating against Windows domain credentials
>
...

> I think you may have some misconceptions
> about Apache with regards to Subversion.  There is no reason to consider
> Subversion over Apache as anything other than a different way to access
> the repo (i.e. it isn't a full featured web server, but merely a service
> that happens to use http as the transport method)...

So I gave it a try.  I installed Apache as a service using the supplied
installer for 1.5RC4.  I left everything at defaults except I changed
the drive letter for the repo from C: to D: because I had already
created a repository there for testing svnserve.  I started the
services. I am not encouraged by the results.

C:\>svn ls http://localhost/
svn: Server sent unexpected return value (405 Method Not Allowed) in response to PROPFIND request for '/'

C:\>svn ls http://localhost/svn
svn: Server sent unexpected return value (403 Forbidden) in response to OPTIONS request for 'http://localhost/svn'

The log files indicate:

[Fri May 02 15:26:56 2008] [notice] Apache/2.2.8 (Win32) DAV/2 SVN/1.5.0-rc4 configured -- resuming normal operations
[Fri May 02 15:26:56 2008] [notice] Server built: Apr 24 2008 15:36:04
[Fri May 02 15:26:56 2008] [notice] Parent: Created child process 6036
[Fri May 02 15:26:56 2008] [notice] Child 6036: Child process is running
[Fri May 02 15:26:56 2008] [notice] Child 6036: Acquired the start mutex.
[Fri May 02 15:26:56 2008] [notice] Child 6036: Starting 250 worker threads.
[Fri May 02 15:26:56 2008] [notice] Child 6036: Starting thread to listen on port 80.
[Fri May 02 15:27:31 2008] [error] [client 127.0.0.1] Could not fetch resource information.  [403, #0]
[Fri May 02 15:27:31 2008] [error] [client 127.0.0.1] The URI does not contain the name of a repository.  [403, #190001]
[Fri May 02 15:27:39 2008] [error] [client 127.0.0.1] Could not fetch resource information.  [403, #0]
[Fri May 02 15:27:39 2008] [error] [client 127.0.0.1] The URI does not contain the name of a repository.  [403, #190001]


Sigh... this is why pulling in Apache is more trouble than it's worth...

The svnserve version is accessing the repo without a problem.

C:\>svn ls svn://localhost/
trunk/

Scott



RE: svnserve authenticating against Windows domain credentials

Posted by Scott Palmer <Sc...@digital-rapids.com>.
> -----Original Message-----
> From: John Peacock [mailto:john.peacock@havurah-software.org]
> Sent: May 2, 2008 2:20 PM
> To: Scott Palmer
> Cc: users@subversion.tigris.org
> Subject: Re: svnserve authenticating against Windows domain credentials
> 
> Scott Palmer wrote:
> > I don't want webdav.  I don't need it and have no use for it.
> 
> I meant the Apache server.
> 
> > Of course I also don't understand how step 2 requires it.  I don't have
> > to do a recursive checkout to change the properties on a folder.
> 
> You don't need it to perform step 2, but you would need it if you went
> this route.
> 
> > "Can't" was maybe too strong a word.  It's just not all that simple.
> 
> It's also much easier than you probably realize.  You don't need to
> create tags, etc, you only need to change the URL from svn:// to http://
> (assuming the rest of the URL is the same).  It would be not all that
> difficult to write something to walk the repository and update the
> svn:externals properties, pegged revisions and all.


There is more to change than the url protocol.

Consider that if I leave the pinned revision in place, the url,
regardless of the protocol used in the HEAD revision, is referring to
a place in the repository from a point in time BEFORE I changed the
protocol of the URLs.  Any pinned branch that has svn:external
references within it will be broken.

 
> > I don't know how strongly I have to say it... I DON'T WANT A WEB SERVER,
> > Seriously.
> > A full-featured web server is simply superfluous.
> 
> Except for the part where it works with Windows *now*, without any
> difficulty.

See above for an example of the difficulty involved in switching access
methods.
If it was a simple change I would consider the extra burden of dealing
with Apache in addition to subversion.

> I think you may have some misconceptions
> about Apache with regards to Subversion.  There is no reason to consider
> Subversion over Apache as anything other than a different way to access
> the repo (i.e. it isn't a full featured web server, but merely a service
> that happens to use http as the transport method)...

Re: svnserve authenticating against Windows domain credentials

Posted by John Peacock <jo...@havurah-software.org>.
Scott Palmer wrote:
> I don't want webdav.  I don't need it and have no use for it.

I meant the Apache server.

> Of course I also don't understand how step 2 requires it.  I don't have
> to do a recursive checkout to change the properties on a folder.

You don't need it to perform step 2, but you would need it if you went 
this route.

> "Can't" was maybe too strong a word.  It's just not all that simple.

It's also much easier than you probably realize.  You don't need to 
create tags, etc, you only need to change the URL from svn:// to http://
(assuming the rest of the URL is the same).  It would be not all that 
difficult to write something to walk the repository and update the 
svn:externals properties, pegged revisions and all.

> I don't know how strongly I have to say it... I DON'T WANT A WEB SERVER,
> Seriously.
> A full-featured web server is simply superfluous.

Except for the part where it works with Windows *now*, without any 
difficulty.  Suit yourself; I think you may have some misconceptions 
about Apache with regards to Subversion.  There is no reason to consider 
Subversion over Apache as anything other than a different way to access 
the repo (i.e. it isn't a full featured web server, but merely a service 
that happens to use http as the transport method)...

John
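
The scripted svn:externals rewrite described above, as an added example (not code from the thread or from Subversion): it swaps the repository root in a property value, leaves -r and @peg pins intact, and lists the pinned definitions, since those still point at historical trees whose own externals carry the old URL. Host names, paths and the function name are constructed for illustration; the function only transforms property text and does not touch a repository.

```python
import re

# Constructed svn:externals value mixing the pre-1.5 layout (dir [-r REV] URL)
# and the 1.5 layout ([-r REV] URL[@PEG] dir).
SAMPLE = """\
# constructed svn:externals value
libs/codec -r 1432 svn://svn.example.test/codec/trunk
libs/ui            svn://svn.example.test/ui/trunk
-r88 svn://svn.example.test/tools/trunk tools
svn://svn.example.test/docs@120 docs
vendor/zlib        svn://other.example.test/zlib"""


def rewrite_externals(prop_value, old_root, new_root):
    """Return (new_property_value, pinned_definitions).

    Only URLs under old_root are changed. Whitespace, local directories,
    -r REV operative revisions and @PEG peg revisions are preserved.
    """
    old_root = old_root.rstrip("/")
    new_root = new_root.rstrip("/")
    out_lines, pinned = [], []

    for line in prop_value.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out_lines.append(line)          # keep blanks and comments as-is
            continue

        changed = False

        def swap(match):
            nonlocal changed
            token = match.group(0)
            rest = token[len(old_root):]
            # Match on a path boundary so svn://host does not hit svn://host2.
            if token.startswith(old_root) and (rest == "" or rest[0] in "/@"):
                changed = True
                return new_root + rest
            return token

        new_line = re.sub(r"\S+", swap, line)
        out_lines.append(new_line)

        is_pinned = (re.search(r"(^|\s)-r\s*\d+", line)
                     or re.search(r"@\d+(\s|$)", line))
        if changed and is_pinned:
            # The pinned tree keeps whatever externals it had at that
            # revision, so these need a manual look after the rewrite.
            pinned.append(new_line.strip())

    return "\n".join(out_lines), pinned


if __name__ == "__main__":
    value, needs_review = rewrite_externals(
        SAMPLE, "svn://svn.example.test", "http://svn.example.test/svn")
    print(value)
    print("pinned definitions to review:")
    for definition in needs_review:
        print("  " + definition)
```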


RE: svnserve authenticating against Windows domain credentials

Posted by Scott Palmer <Sc...@digital-rapids.com>.
> -----Original Message-----
> From: John Peacock [mailto:john.peacock@havurah-software.org]
> Sent: May 2, 2008 11:54 AM
> To: Scott Palmer
> Cc: Greg Thomas; users@subversion.tigris.org
> Subject: Re: svnserve authenticating against Windows domain credentials
> 
> Scott Palmer wrote:
> > I can't change the access protocol without breaking the existing
> > svn:externals.  It's that simple.
> 
> Why?  svn:externals is merely a property that can be edited at any time
> to change what path it points at.  The sequence would be:
> 
> 1) set up webdav server and confirm that it is working;

I don't want webdav.  I don't need it and have no use for it. (With the
obvious exception of following these instructions.)
Of course I also don't understand how step 2 requires it.  I don't have
to do a recursive checkout to change the properties on a folder.
 
> 2) change the svn:externals to point to the new server and update a
> working copy and make sure that works (the main WC files will still be
> accessed via svn://);

This is non-trivial.  There are several places where svn:externals are
"pinned" to a particular revision for example.  If there are additional
svn:externals under that branch of the source tree then the pinned
revision has to be moved to a tag, etc.
"Can't" was maybe too strong a word.  It's just not all that simple.

> Seriously, if you are doing anything with Windows authentication, the
> Apache support is much more mature (and works today without waiting for
> 1.5.0)...

I don't know how strongly I have to say it... I DON'T WANT A WEB SERVER,
Seriously.
A full-featured web server is simply superfluous.


I did think of something.. but I don't know if it is reasonable.  Is it
possible to tweak the URLs in the svn:externals properties as part of a
dump/restore?

Scott



Re: svnserve authenticating against Windows domain credentials

Posted by John Peacock <jo...@havurah-software.org>.
Scott Palmer wrote:
> I can't change the access protocol without breaking the existing
> svn:externals.  It's that simple.  

Why?  svn:externals is merely a property that can be edited at any time 
to change what path it points at.  The sequence would be:

1) set up webdav server and confirm that it is working;

2) change the svn:externals to point to the new server and update a 
working copy and make sure that works (the main WC files will still be 
accessed via svn://);

3) use 'svn switch --relocate' to rewrite the working copies to point to 
the http:// instance

Seriously, if you are doing anything with Windows authentication, the 
Apache support is much more mature (and works today without waiting for 
1.5.0)...

John


RE: svnserve authenticating against Windows domain credentials

Posted by Scott Palmer <Sc...@digital-rapids.com>.
I can't change the access protocol without breaking the existing
svn:externals.  It's that simple.  That's the main reason that relative
URLs in Subversion 1.5 is such an important feature... but sadly we
can't rewrite the revisions that are already in the repo. to use
relative URLs

I also don't want to bother with a full-blown web server for my source
control system.  I'm not trying to be YASF (Yet Another Source Forge)...
Running a web server opens a can of worms I would rather not deal with.
If it was a solution I might consider it, but it can't solve the problem
in a suitable way.

Scott

-----Original Message-----
From: Greg Thomas
Sent: May 2, 2008 11:17 AM
To: Scott Palmer
Subject: Re: svnserve authenticating against Windows domain credentials

On Fri, 2 May 2008 10:45:42 -0400, "Scott Palmer"
<Sc...@digital-rapids.com> wrote:

>Unless another option is found for svnserve we simply have to live with
>no reasonable form of authentication on Windows.

I'm assuming http(s) is not possible, as
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html works well
for me against Active Directory.

Greg



Re: svnserve authenticating against Windows domain credentials

Posted by Greg Thomas <th...@omc.bt.co.uk>.
On Fri, 2 May 2008 10:45:42 -0400, "Scott Palmer"
<Sc...@digital-rapids.com> wrote:

>Unless another option is found for svnserve we simply have to live with
>no reasonable form of authentication on Windows.

I'm assuming http(s) is not possible, as
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html works well
for me against Active Directory.

Greg
-- 
This post represents the views of the author and does
not necessarily accurately represent the views of BT.


RE: svnserve authenticating against Windows domain credentials

Posted by Scott Palmer <Sc...@digital-rapids.com>.
Based on the dates found in the SASL source code (which is sadly where
the documentation is buried for Subversion "users"), the project has
been dead for years.
This simply isn't going to happen.

I've been told "it isn't worth it" when suggesting a Linux server.. it
would complicate our backup process among other headaches.

Moving to Apache will break our projects because we use svn:externals to
pull together product workspaces from the various semi-independent
projects in the repository.  Even though 1.5 allows us to use the
repo-relative URLs in svn:externals.. it means we wouldn't be able to
checkout any old versions of our software.

Unless another option is found for svnserve we simply have to live with
no reasonable form of authentication on Windows.

Regards,

Scott

-----Original Message-----
From: Mark Phippard
Sent: May 2, 2008 10:35 AM
To: Scott Palmer
Subject: Re: svnserve authenticating against Windows domain credentials

...

I'd suspect the LDAP back-end could be made to work with Windows, but
as you say the docs suck so it will take someone that wants to spend
the time to understand the code and port it all to build and work on
Windows.
...



Re: svnserve authenticating against Windows domain credentials

Posted by Mark Phippard <ma...@gmail.com>.
On Fri, May 2, 2008 at 10:22 AM, Scott Palmer <Sc...@digital-rapids.com> wrote:
> Like I said, the docs suck.  I can't make heads or tails of
>  windows.html.  To me it looks like at least GSSAPI is supported and I
>  thought that was the key to working with LDAP/Kerberos.

It says GSSAPI has been tested using CyberSafe, which is a commercial
product.  So no one is going to be able to create and distribute
binaries that use it.

>  NTLM I thought was the same stuff that was used to authenticate with
>  Windows domains for file sharing on Mac/Linux boxes via Samba.
>  Apparently there is more to it.

NTLM, Kerberos, CRAM-MD5, DIGEST-MD5 are all ways for clients and
server to negotiate authentication credentials with each other.  They
do not directly speak to what that back end "store" is which the
server is using to validate the credentials.

Windows clients used to only support NTLM as the way they
authenticated with file shares, which is why things like Samba needed
to support it.

I'd suspect the LDAP back-end could be made to work with Windows, but
as you say the docs suck so it will take someone that wants to spend
the time to understand the code and port it all to build and work on
Windows.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/
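
The distinction drawn above between a SASL mechanism and the credential store behind it, as an added example that is not part of the original post and is not Subversion or Cyrus SASL code: a CRAM-MD5 exchange (RFC 2195) needs the server to hold the shared secret, so it cannot be checked against a store that only answers "is this password correct?", while PLAIN (RFC 4616) can. The account, host name and the BindOnlyDirectory class are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed account data; stands in for a password-file style store
# that hands the server the shared secret itself.
SECRET_STORE = {"scott": "constructed-passw0rd"}


def make_challenge(hostname="svn.example.test"):
    """Server: fresh, unpredictable challenge in RFC 2195 msg-id form."""
    nonce = base64.b16encode(os.urandom(8)).decode().lower()
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def client_response(username, password, challenge):
    """Client: prove knowledge of the password without sending it."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def verify_cram_md5(response, challenge, lookup_secret):
    """Server: recompute the HMAC, which requires the secret itself."""
    text = response.decode("utf-8", errors="replace")
    username, _, digest = text.rpartition(" ")
    secret = lookup_secret(username)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    ok = hmac.compare_digest(expected.encode(), digest.encode())
    return username if ok else None


class BindOnlyDirectory:
    """Hypothetical stand-in for a directory service: it answers
    'is this password correct?' and never gives the secret back."""

    def __init__(self, accounts):
        self._records = {}
        for user, password in accounts.items():
            salt = os.urandom(16)
            self._records[user] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def bind(self, username, password):
        record = self._records.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))

    def lookup_secret(self, username):
        # Nothing to return: only a salted one-way hash is kept.
        return None


def verify_plain(message, directory):
    """Server side of SASL PLAIN: authzid NUL authcid NUL passwd.
    The password arrives in the clear, so the transport must be encrypted."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        return None
    authcid, password = parts[1].decode(), parts[2].decode()
    return authcid if directory.bind(authcid, password) else None


if __name__ == "__main__":
    challenge = make_challenge()
    response = client_response("scott", "constructed-passw0rd", challenge)
    directory = BindOnlyDirectory(SECRET_STORE)
    print("CRAM-MD5 + secret store :",
          verify_cram_md5(response, challenge, SECRET_STORE.get))
    print("CRAM-MD5 + bind-only dir:",
          verify_cram_md5(response, challenge, directory.lookup_secret))
    print("PLAIN    + bind-only dir:",
          verify_plain(b"\0scott\0constructed-passw0rd", directory))
```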


RE: svnserve authenticating against Windows domain credentials

Posted by Scott Palmer <Sc...@digital-rapids.com>.
Like I said, the docs suck.  I can't make heads or tails of
windows.html.  To me it looks like at least GSSAPI is supported and I
thought that was the key to working with LDAP/Kerberos.

NTLM I thought was the same stuff that was used to authenticate with
Windows domains for file sharing on Mac/Linux boxes via Samba.
Apparently there is more to it.

The only thing I'm learning here is that this has been made deliberately
obtuse by people that want job security :-)  

It's amazing that I can use (nearly) any browser on any platform to
securely access my bank records, but if I want to authenticate against a
domain login on Windows.. suddenly that's hard. :-)

I guess it's time to give up, or perhaps install a Linux server for our
source control.  (You say it's relatively easy...  but I still bet I
have to pull out a text editor and twiddle configuration files - the
unix community doesn't understand the concept of user-friendly software)

Thanks for your help.

Scott

-----Original Message-----
From: Mark Phippard [mailto:markphip@gmail.com] 
Sent: May 2, 2008 10:10 AM
To: Scott Palmer
Cc: users@subversion.tigris.org
Subject: Re: svnserve authenticating against Windows domain credentials

On Fri, May 2, 2008 at 10:04 AM, Scott Palmer <Sc...@digital-rapids.com>
wrote:
> Where do the docs state that LDAP and Kerberos aren't supported on
>  Windows?

http://www.sendmail.org/~ca/email/cyrus2/windows.html

>  The docs for SASL are such a complete mess that I admit I
>  could hardly follow anything in them.
>  Regardless.. if I have to resort to NTLM it should do the trick..
>  otherwise why include it at all?

NTLM is not what you think it is.  It has nothing to do with
authenticating against your Windows usernames.  NTLM is an
authentication mechanism, like CRAM-MD5.  In other words, it is a
specific way of doing a challenge/response.

http://en.wikipedia.org/wiki/NTLM

NTLM support in SASL is also not recommended (because DIGEST-MD5 is
better).  Anyway, the point is that NTLM does not address the need to
authenticate using your Windows usernames.

The ironic thing here, is that a Linux server can be relatively easily
configured to use LDAP against your Active Directory.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/



Re: svnserve authenticating against Windows domain credentials

Posted by km...@rockwellcollins.com.
"Mark Phippard" <ma...@gmail.com> wrote on 05/02/2008 09:09:41 AM:
> On Fri, May 2, 2008 at 10:04 AM, Scott Palmer <Sc...@digital-rapids.com> wrote:
> > Where do the docs state that LDAP and Kerberos aren't supported on
> >  Windows?
> 
> http://www.sendmail.org/~ca/email/cyrus2/windows.html

Ok, I've already made one bad assumption/misread in this thread, so why
stop there...

How about this:  http://wiki.mozilla.org/LDAP_C_SDK_SASL_Windows

Can GNU SASL be used instead? : http://www.gnu.org/software/gsasl/
Win32 pre-built:
http://sourceforge.net/project/showfiles.php?group_id=145682&package_id=211655

I'm fairly ignorant on SASL, but it does seem quite ironic that
it is harder to authenticate against windows on windows than it is
to authenticate against windows on unix...

Kevin R.

> >  The docs for SASL are such a complete mess that I admit I
> >  could hardly follow anything in them.
> >  Regardless.. if I have to resort to NTLM it should do the trick..
> >  otherwise why include it at all?
> 
> NTLM is not what you think it is.  It has nothing to do with
> authenticating against your Windows usernames.  NTLM is an
> authentication mechanism, like CRAM-MD5.  In other words, it is a
> specific way of doing a challenge/response.
> 
> http://en.wikipedia.org/wiki/NTLM
> 
> NTLM support in SASL is also not recommended (because DIGEST-MD5 is
> better).  Anyway, the point is that NTLM does not address the need to
> authenticate using your Windows usernames.
> 
> The ironic thing here, is that a Linux server can be relatively easily
> configured to use LDAP against your Active Directory.
> 
> -- 
> Thanks
> 
> Mark Phippard
> http://markphip.blogspot.com/
> 
> 

Re: svnserve authenticating against Windows domain credentials

Posted by Mark Phippard <ma...@gmail.com>.
On Fri, May 2, 2008 at 10:04 AM, Scott Palmer <Sc...@digital-rapids.com> wrote:
> Where do the docs state that LDAP and Kerberos aren't supported on
>  Windows?

http://www.sendmail.org/~ca/email/cyrus2/windows.html

>  The docs for SASL are such a complete mess that I admit I
>  could hardly follow anything in them.
>  Regardless.. if I have to resort to NTLM it should do the trick..
>  otherwise why include it at all?

NTLM is not what you think it is.  It has nothing to do with
authenticating against your Windows usernames.  NTLM is an
authentication mechanism, like CRAM-MD5.  In other words, it is a
specific way of doing a challenge/response.

http://en.wikipedia.org/wiki/NTLM

NTLM support in SASL is also not recommended (because DIGEST-MD5 is
better).  Anyway, the point is that NTLM does not address the need to
authenticate using your Windows usernames.

The ironic thing here, is that a Linux server can be relatively easily
configured to use LDAP against your Active Directory.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/


RE: svnserve authenticating against Windows domain credentials

Posted by Scott Palmer <Sc...@digital-rapids.com>.
Where do the docs state that LDAP and Kerberos aren't supported on
Windows?  The docs for SASL are such a complete mess that I admit I
could hardly follow anything in them.
Regardless.. if I have to resort to NTLM it should do the trick..
otherwise why include it at all?

Scott

-----Original Message-----
From: Mark Phippard
Sent: May 2, 2008 10:01 AM
Subject: Re: svnserve authenticating against Windows domain credentials

On Fri, May 2, 2008 at 9:56 AM, Scott Palmer <Sc...@digital-rapids.com> wrote:
> SASL claims LDAP and Kerberos support.. that should be enough.  Though
>  the SASL project clearly doesn't care much about the Windows platform.
>  It would be strange for SASL (or svnserver for that matter) on windows
>  to not support the primary means of authenticating users on Windows -
>  what would be the point?

But the SASL docs specifically state these are not supported on
Windows.  If you can get them working let me know.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/



Re: svnserve authenticating against Windows domain credentials

Posted by Mark Phippard <ma...@gmail.com>.
On Fri, May 2, 2008 at 9:56 AM, Scott Palmer <Sc...@digital-rapids.com> wrote:
> SASL claims LDAP and Kerberos support.. that should be enough.  Though
>  the SASL project clearly doesn't care much about the Windows platform.
>  It would be strange for SASL (or svnserver for that matter) on windows
>  to not support the primary means of authenticating users on Windows -
>  what would be the point?

But the SASL docs specifically state these are not supported on
Windows.  If you can get them working let me know.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/


RE: svnserve authenticating against Windows domain credentials

Posted by Scott Palmer <Sc...@digital-rapids.com>.
SASL claims LDAP and Kerberos support.. that should be enough.  Though
the SASL project clearly doesn't care much about the Windows platform.
It would be strange for SASL (or svnserver for that matter) on windows
to not support the primary means of authenticating users on Windows -
what would be the point?

I currently have every one of the developers use the same password..
since it can't be tied to their domain login anyway, and it makes no
sense to put their "real" password in a plain text file, and there is no
way for them to change their own password. Yet STILL they always have to
ask me what it is!

Scott

-----Original Message-----
From: Mark Phippard [mailto:markphip@gmail.com] 
Sent: May 2, 2008 9:42 AM
To: kmradke@rockwellcollins.com
Cc: Scott Palmer; si; users@subversion.tigris.org
Subject: Re: svnserve authenticating against Windows domain credentials

On Fri, May 2, 2008 at 9:39 AM,  <km...@rockwellcollins.com> wrote:
>
> "Scott Palmer" <Sc...@digital-rapids.com> wrote on 05/02/2008 08:05:31 AM:
>
>  > It seems so obvious that it really should be a simple selection in the
>  > Windows installer for the subversion 1.5 server.
>  >
>  > "Use domain authentication" - Check!
>
> The VisualSVN server install for windows does just this!

I was under the impression it was only done for Apache servers?  You
are saying it also does it for svnserve using SASL?  I did not see
anything in the SASL documentation that implies there is a supported
plugin for Windows authentication.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org


Re: svnserve authenticating against Windows domain credentials

Posted by Mark Phippard <ma...@gmail.com>.
On Fri, May 2, 2008 at 9:39 AM,  <km...@rockwellcollins.com> wrote:
>
> "Scott Palmer" <Sc...@digital-rapids.com> wrote on 05/02/2008 08:05:31 AM:
>
>  > It seems so obvious that it really should be a simple selection in the
>  > Windows installer for the subversion 1.5 server.
>  >
>  > "Use domain authentication" - Check!
>
> The VisualSVN server install for windows does just this!

I was under the impression it was only done for Apache servers?  You
are saying it also does it for svnserve using SASL?  I did not see
anything in the SASL documentation that implies there is a supported
plugin for Windows authentication.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/


RE: svnserve authenticating against Windows domain credentials

Posted by km...@rockwellcollins.com.
kmradke@rockwellcollins.com wrote on 05/02/2008 08:39:05 AM:
> "Scott Palmer" <Sc...@digital-rapids.com> wrote on 05/02/2008 08:05:31 AM:
> > It seems so obvious that it really should be a simple selection in the
> > Windows installer for the subversion 1.5 server.
> > 
> > "Use domain authentication" - Check!
> 
> The VisualSVN server install for windows does just this!  You can 
> even set per directory permissions using Windows groups using 
> a GUI management console.  (This is in the beta, but I'm sure 
> will be officially released when 1.5 is released.) 
> 
> http://www.visualsvn.com/server/ 

Not sure if it supports svnserve though, since it includes apache...

Kevin R.

RE: svnserve authenticating against Windows domain credentials

Posted by km...@rockwellcollins.com.
"Scott Palmer" <Sc...@digital-rapids.com> wrote on 05/02/2008 08:05:31 AM:
> It seems so obvious that it really should be a simple selection in the 
> Windows installer for the subversion 1.5 server.
> 
> "Use domain authentication" - Check!

The VisualSVN server install for Windows does just this!  You can
even set per-directory permissions using Windows groups using
a GUI management console.  (This is in the beta, but I'm sure it
will be officially released when 1.5 is released.)

http://www.visualsvn.com/server/


Too bad we don't have something similar for Solaris...

Kevin R.


RE: svnserve authenticating against Windows domain credentials

Posted by Scott Palmer <Sc...@digital-rapids.com>.
It seems so obvious that it really should be a simple selection in the Windows installer for the subversion 1.5 server.

"Use domain authentication" - Check!

Scott



Re: svnserve authenticating against Windows domain credentials

Posted by si <ss...@gmail.com>.
Hey Scott,

> Am I out to lunch thinking that this would be the most sought after method
> for using svn:// in a Windows environment?

You're not alone. There are plenty of us eagerly waiting for this.

Sorry I can't be of direct help, I've been waiting for official
release before diving in, but here's an older thread which may help?
http://svn.haxx.se/users/archive-2008-03/0981.shtml

Also a request for improved documentation:
http://svn.haxx.se/users/archive-2008-02/0341.shtml

Regardless, I was planning on submitting a patch to the svnserve docs
on TortoiseSVN to help with windows authentication through SASL. So
Scott, or anyone, please report your progress...it looks like Simon
and/or Lübbe have already warmed up a spot for such documentation :)
http://tortoisesvn.net/docs/nightly/TortoiseSVN_en/tsvn-serversetup-svnserve.html#tsvn-serversetup-svnserve-sasl



RE: svnserve authenticating against Windows domain credentials

Posted by Scott Palmer <Sc...@digital-rapids.com>.
I know it will require 1.5.  I am testing 1.5 RC4.  Sorry I forgot to
mention that!

 



RE: svnserve authenticating against Windows domain credentials

Posted by "Harvey, Edward" <Ed...@patni.com>.
You should be using Kerberos.  It's not supported till 1.5 is released, which could be any time now.

Until then, svnserve can only do plain-text local files for passwords.  But apache can do Kerberos/ldap/whatever.




________________________________
This e-mail message may contain proprietary, confidential or legally privileged information for the sole use of the person or entity to whom this message was originally addressed. Any review, e-transmission dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you have received this e-mail in error kindly delete this e-mail from your records. If it appears that this mail has been forwarded to you without proper authority, please notify us immediately at netadmin@patni.com and delete this mail.