You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by "Ramakrishna B. Shenai" <RS...@facetime.com> on 2004/07/08 02:34:34 UTC

mod_auth_sspi + AuthzSVNAccessFile combo is broken

My setup is as follows

Subversion 1.0.5 (Win32 exe)
Apache 2.0.50 (without SSL)
Win2K Professiona with SP4

Using mod_auth_sspi obtained from  http://tortoisesvn.tigris.org/mod_auth_sspi.zip seems to pass the authenticated user in the form \\<domain>\<userid> to the mod_authz_svn. I have been unable to figure out how to setup the AuthzSVNAccessFile to recognize userids in this form. 

However a version of mod_auth_sspi at http://www.deadbeef.com/software/sspi.html that is patched to offer a new directive called SSPIOmitDomain. Using this directive strips the domain name and now mod_authz_svn work as I expect it to. 

Using the conf files given below I am now able to use SVN that way I want to:
- Avoid usage of .htacesss
- Ability to classify users in group based on their roles/responsibilities
- Multiple depots/repositories

Am I missing something very basic here or is there a problem with mod_authz_svn. 

Thanks

Ramakrishna

==================== My conf files ===============
My svn.conf file looks like: (I am using the SVNParentPath directive so that I can have multiple depots/repositories being served by SVN)

<Location /svn>
   DAV svn
   SVNParentPath g:/repos

	AuthType SSPI
	SSPIAuth On
	SSPIAuthoritative On
	SSPIDomain pdchost 
	SSPIOfferBasic On
	SSPIOmitDomain On   
      AuthName "SVN Realm"
	AuthzSVNAccessFile g:/repos/svnaccess.conf
	<LimitExcept GET PROPFIND OPTIONS REPORT>
		Require valid-user
	</LimitExcept>
</Location>

My svnaccess.conf file looks:

[groups]
developers = dev1,dev2,dev3
docs = doc1
#to allow everyone read access
[PRODUCT1:/]
* = r
#allow all developers complete access
@developers = rw
#give the doc people write access to the docs folder
[PRODUCT1:/docs]
@docs = rw



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: mod_auth_sspi + AuthzSVNAccessFile combo is broken

Posted by Felix Collins <fe...@keyghost.com>.

Ben is correct here.  I have a very similar setup to Ramakrishna and it 
works fine.  The only tricky thing is that some browsers seem to provide 
the domain name part automatically.  You may or may not need to include 
the DOMAINNAME\ at the start of your user name depending on the case. 
Try both..

DOMAINNAME\username

and

username




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: mod_auth_sspi + AuthzSVNAccessFile combo is broken

Posted by Ben Collins-Sussman <su...@collab.net>.

Ramakrishna B. Shenai wrote:

> Am I missing something very basic here or is there a problem with mod_authz_svn. 
>

The problem isn't mod_authz_svn;  it's just trying to match usernames 
against whatever username is attached to the HTTP request by 
mod_auth_sspi.  IIRC, the sspi module authenticates usernames like 
"DOMAIN\USERNAME", so you'll need to use similarly formatted users in 
your mod_authz_svn Authz file.  Google the users@ list, this has been 
discussed before.  I may have the syntax slightly wrong.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org