You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Anders Lennartsson <an...@foi.se> on 2005/11/26 18:11:50 UTC

howto configure modauthkerb authorization for subversion?

I have modauthkerb working nicely with a kerberos 5 realm and a config like this

<Directory>
	AuthType Kerberos
	AuthName ...
	...
</Directory>

How do I configure modauthkerb to be used for svn repositories, which
are specified with a <Location> directive like
<Location /svn>
	DAV svn
	SVNParentPath /var/lib/svn
...
</Location>

With svn 1.2.3 on Debian/Sarge I only aim for basic authentication
over ssl/tls at this stage.

Anders

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: howto configure modauthkerb authorization for subversion?

Posted by Tony Butt <to...@cea.com.au>.

Put the kerberos configuration directives (AuthType, AuthName, 
Krb5AuthRealms, etc) inside the <Location> ... </Location> block.

We have 1 serious problem with Kerberos authentication - when using 
mod_auth_krb, we found that it performed 4 or more DNS lookups for 
kerberos principals for each access check, and when using 
AuthZSVNAccessFile access control to the repository, it re-authenticated 
FOR EACH FILE as it check the access control. We improved things 
slightly by configuring krb5.conf with IP numbers instead of names, so 
that only 1 DNS lookup is performed per file, but there still seems to 
be a lot of authentication traffic to our kerberos server. It seems that 
mod_auth_krb is not caching the authentication, but checking for each file!

The end result on performance is quite large - svn log "http path to 
project" took ~60 seconds on a LAN, svn log "svn+ssh path to project" 
took ~ 3 seconds.

Tony Butt
CEA Technologies

Anders Lennartsson wrote:
> I have modauthkerb working nicely with a kerberos 5 realm and a config like this
>
> <Directory>
> 	AuthType Kerberos
> 	AuthName ...
> 	...
> </Directory>
>
> How do I configure modauthkerb to be used for svn repositories, which
> are specified with a <Location> directive like
> <Location /svn>
> 	DAV svn
> 	SVNParentPath /var/lib/svn
> ...
> </Location>
>
> With svn 1.2.3 on Debian/Sarge I only aim for basic authentication
> over ssl/tls at this stage.
>
> Anders
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>