You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by "Ramakrishna B. Shenai" <RS...@facetime.com> on 2004/07/08 02:34:34 UTC
mod_auth_sspi + AuthzSVNAccessFile combo is broken
My setup is as follows
Subversion 1.0.5 (Win32 exe)
Apache 2.0.50 (without SSL)
Win2K Professiona with SP4
Using mod_auth_sspi obtained from http://tortoisesvn.tigris.org/mod_auth_sspi.zip seems to pass the authenticated user in the form \\<domain>\<userid> to the mod_authz_svn. I have been unable to figure out how to setup the AuthzSVNAccessFile to recognize userids in this form.
However a version of mod_auth_sspi at http://www.deadbeef.com/software/sspi.html that is patched to offer a new directive called SSPIOmitDomain. Using this directive strips the domain name and now mod_authz_svn work as I expect it to.
Using the conf files given below I am now able to use SVN that way I want to:
- Avoid usage of .htacesss
- Ability to classify users in group based on their roles/responsibilities
- Multiple depots/repositories
Am I missing something very basic here or is there a problem with mod_authz_svn.
Thanks
Ramakrishna
==================== My conf files ===============
My svn.conf file looks like: (I am using the SVNParentPath directive so that I can have multiple depots/repositories being served by SVN)
<Location /svn>
DAV svn
SVNParentPath g:/repos
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain pdchost
SSPIOfferBasic On
SSPIOmitDomain On
AuthName "SVN Realm"
AuthzSVNAccessFile g:/repos/svnaccess.conf
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
My svnaccess.conf file looks:
[groups]
developers = dev1,dev2,dev3
docs = doc1
#to allow everyone read access
[PRODUCT1:/]
* = r
#allow all developers complete access
@developers = rw
#give the doc people write access to the docs folder
[PRODUCT1:/docs]
@docs = rw
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: mod_auth_sspi + AuthzSVNAccessFile combo is broken
Posted by Felix Collins <fe...@keyghost.com>.
Ben is correct here. I have a very similar setup to Ramakrishna and it
works fine. The only tricky thing is that some browsers seem to provide
the domain name part automatically. You may or may not need to include
the DOMAINNAME\ at the start of your user name depending on the case.
Try both..
DOMAINNAME\username
and
username
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: mod_auth_sspi + AuthzSVNAccessFile combo is broken
Posted by Ben Collins-Sussman <su...@collab.net>.
Ramakrishna B. Shenai wrote:
> Am I missing something very basic here or is there a problem with mod_authz_svn.
>
The problem isn't mod_authz_svn; it's just trying to match usernames
against whatever username is attached to the HTTP request by
mod_auth_sspi. IIRC, the sspi module authenticates usernames like
"DOMAIN\USERNAME", so you'll need to use similarly formatted users in
your mod_authz_svn Authz file. Google the users@ list, this has been
discussed before. I may have the syntax slightly wrong.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org