You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Augusto Alvarez <au...@gmail.com> on 2008/05/20 21:37:45 UTC
Subversion authenticating to different domains
Hello everyone,
I'm doing some research about subversion deployment with apache2 and
Windows Active Directory. I had succesfully deployed a subversion installed
on *openSUSE 10.3 x86, apache2 2.2.4-70 and authenticating with single
Windows Active Directory*... everything works great there.
But *I haven't found yet the way to accomplish for the SVN server manage
authentication from two domains*: I have two different domains (domainA.com
and domainB.com) and I want to achieve that my subversion could authenticate
any user from domainA.com and domainB.com... Basically *I don't want to
create users on domainA.com that actually belongs to domainB.com, just for
allowing them to work on the same repositories.*
* Is that in anyway possible???*
Thanks!!
Augusto
Re: Subversion authenticating to different domains
Posted by Augusto Alvarez <au...@gmail.com>.
The only module that I was using was authzn_ldap... adding authn_alias
module as Kevin recommended I could actually achieve that my subversion
authenticate users from two different domains.
Thanks!
Augusto
2008/5/22 <Ni...@infineon.com>:
> ________________________________________
> From: Augusto Alvarez
> Sent: Tuesday, May 20, 2008 10:38 PM
>
> Hello everyone,
>
> I'm doing some research about subversion deployment with apache2 and
> Windows Active Directory. I had succesfully deployed a subversion installed
> on openSUSE 10.3 x86, apache2 2.2.4-70 and authenticating with single
> Windows Active Directory... everything works great there.
>
> But I haven't found yet the way to accomplish for the SVN server manage
> authentication from two domains: I have two different domains (domainA.com
> and domainB.com) and I want to achieve that my subversion could authenticate
> any user from domainA.com and domainB.com... Basically I don't want to
> create users on domainA.com that actually belongs to domainB.com, just for
> allowing them to work on the same repositories.
>
> Is that in anyway possible???
> ________________________________________
>
> You didn't say what auth module you where using. We use mod_auth_kerb (and
> Kerberos of course) to authenticate against active directory. Kerberos
> allows you to define AD servers for multiple domains/realms and
> mod_auth_kerb can be configured to try authentication against each of those
> realms in turn. I use this to authenticate users across three windows
> domains:
>
> From /etc/krb5.conf:
>
> [realms]
> DOMAINA.COM <http://domaina.com/> = {
> kdc = domaina.example.com:88
> admin_server = domaina.example.com:749
> default_domain = example.com
> }
> DOMAINB.COM <http://domainb.com/> = {
> kdc = domainb.example.com:88
> admin_server = domainb.example.com:749
> default_domain = example.com
> }
>
> From ssl.conf:
>
> AuthType Kerberos
> AuthName "Windows User Login"
> KrbAuthRealms DOMAINA.COM <http://domaina.com/> DOMAINB.COM<http://domainb.com/>
> KrbMethodK5Passwd on
> KrbMethodK4Passwd off
> KrbVerifyKDC off
> KrbMethodNegotiate off
> KrbAppendRealm off
> Require valid-user
>
> Doesn't help you if you're not using Kerberos though :-(
>
RE: Subversion authenticating to different domains
Posted by Ni...@infineon.com.
________________________________________
From: Augusto Alvarez
Sent: Tuesday, May 20, 2008 10:38 PM
Hello everyone,
I'm doing some research about subversion deployment with apache2 and Windows Active Directory. I had succesfully deployed a subversion installed on openSUSE 10.3 x86, apache2 2.2.4-70 and authenticating with single Windows Active Directory... everything works great there.
But I haven't found yet the way to accomplish for the SVN server manage authentication from two domains: I have two different domains (domainA.com and domainB.com) and I want to achieve that my subversion could authenticate any user from domainA.com and domainB.com... Basically I don't want to create users on domainA.com that actually belongs to domainB.com, just for allowing them to work on the same repositories.
Is that in anyway possible???
________________________________________
You didn't say what auth module you where using. We use mod_auth_kerb (and Kerberos of course) to authenticate against active directory. Kerberos allows you to define AD servers for multiple domains/realms and mod_auth_kerb can be configured to try authentication against each of those realms in turn. I use this to authenticate users across three windows domains:
Re: Subversion authenticating to different domains
Posted by Augusto Alvarez <au...@gmail.com>.
Using the authn_alias module works like a charm!!
Thanks a million!!
Cheers!
Augusto
2008/5/21 <km...@rockwellcollins.com>:
> "Augusto Alvarez" <au...@gmail.com> wrote on 05/20/2008
> 04:37:45 PM:
> > Hello everyone,
> >
> > I'm doing some research about subversion deployment with apache2 and
> Windows
> > Active Directory. I had succesfully deployed a subversion installed on
> > openSUSE 10.3 x86, apache2 2.2.4-70 and authenticating with single
> Windows
> > Active Directory... everything works great there.
> >
> > But I haven't found yet the way to accomplish for the SVN server manage
>
> > authentication from two domains: I have two different domains
> (domainA.com
> > and domainB.com) and I want to achieve that my subversion could
> authenticate
> > any user from domainA.com and domainB.com... Basically I don't want to
> create
> > users on domainA.com that actually belongs to domainB.com, just for
> allowing
> > them to work on the same repositories.
> >
> > Is that in anyway possible???
>
>
> Since you are using apache 2.2, look into using AuthnProviderAlias to
> setup
> LDAP parameters for each domain, then use those aliases to
> AuthBasicProvider
> as a space separated list.
>
> WARNING: You can only perform a "require valid-user" in this case, because
> the alias functionality only works for authentication, NOT authorization.
> (require ldap-user username or require ldap-group groupname will not
> work.)
>
> Apache 2.3/2.4 is changing the authentication stuff (again) and will
> hopefully
> help this situation.
>
> Kevin R.
>
Re: Subversion authenticating to different domains
Posted by km...@rockwellcollins.com.
"Augusto Alvarez" <au...@gmail.com> wrote on 05/20/2008
04:37:45 PM:
> Hello everyone,
>
> I'm doing some research about subversion deployment with apache2 and
Windows
> Active Directory. I had succesfully deployed a subversion installed on
> openSUSE 10.3 x86, apache2 2.2.4-70 and authenticating with single
Windows
> Active Directory... everything works great there.
>
> But I haven't found yet the way to accomplish for the SVN server manage
> authentication from two domains: I have two different domains
(domainA.com
> and domainB.com) and I want to achieve that my subversion could
authenticate
> any user from domainA.com and domainB.com... Basically I don't want to
create
> users on domainA.com that actually belongs to domainB.com, just for
allowing
> them to work on the same repositories.
>
> Is that in anyway possible???
Since you are using apache 2.2, look into using AuthnProviderAlias to
setup
LDAP parameters for each domain, then use those aliases to
AuthBasicProvider
as a space separated list.
WARNING: You can only perform a "require valid-user" in this case, because
the alias functionality only works for authentication, NOT authorization.
(require ldap-user username or require ldap-group groupname will not
work.)
Apache 2.3/2.4 is changing the authentication stuff (again) and will
hopefully
help this situation.
Kevin R.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org