Posted to dev@subversion.apache.org by Branko Čibej <br...@xbc.nu> on 2004/09/05 03:36:22 UTC

Re: "Windows Authentication" Was: "Credentials Caching - Security Guy Not Happy" from users list

James Chaldecott wrote:

> What you're looking seems to be variously known as either NTLM or SSPI 
> authentication (the former is the protocol the latter the win32 API). 
> Various open-source codebases support it on the client side e.g. 
> Mozilla[1] & libntlm[2].

Unfortunately, there's a catch. When talking about Apache's 
mod_auth_sspi, it's good to know that it only works on Windows. It will, 
for example, let you connect to Apache with IE without retyping the 
username and password, but I don't know how the handshaking works, 
either. Google pops up a few links, and at first glance the client and 
server go through a kerberos-like token exchange, although I haven't a 
clue how you implement that on Windows. It's certainly not trivial.

You can get a similar effect on Unix with mod_auth_pam and pam_smb 
(there used to be a mod_auth_ntlm, but IIRC it's defunct now), however 
it doesn't understand the Windows-specific handshake -- in other words, 
it just checks the basic auth tokens against an NT domain controller.

-- Brane


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Windows Authentication

Posted by Warren Gavin <wm...@gmail.com>.
I had initially tried what Seth had done but I had no luck. Here's
what worked for me.

<Location /repos>
  DAV svn
  SVNPath d:/svn-repository/

  # Basic auth: the client sends the password in clear on every request
  # unless the site itself is served over HTTPS
  AuthType Basic
  AuthName "Subversion Repository"
  require valid-user

  # URL layout: host:port / search base ? attribute matched against the
  # login name ? scope ? extra filter.  With ldap:// (not ldaps://) the
  # bind password below and each user's password also reach the DC in clear.
  AuthLDAPURL "ldap://server:389/ou=Organization,dc=domain,dc=com?sAMAccountName?sub?(objectClass=user)"
  # account Apache uses to search the directory (placeholder values)
  AuthLDAPBindDN "user@domain.com"
  AuthLDAPBindPassword password
</Location>

Probably not the best way but it worked.


On Tue, 7 Sep 2004 11:10:37 -0700, Seth de l'Isle <se...@ge.com> wrote:
> On Sun, Sep 05, 2004 at 05:36:22AM +0200, Branko Čibej wrote:
> > You can get a similar effect on Unix with mod_auth_pam and pam_smb
> > (there used to be a mod_auth_ntlm, but IIRC it's defunct now), however
> > it doesn't understand the Windows-specific handshake -- in other words,
> > it just checks the basic auth tokens against an NT domain controller.
> 
> I evaluated mod_auth_pam and pam_smb, as well as using mod_auth_ldap
> against active directory.  mod_auth_ldap proved to require less setup.
> 
> I didn't find a good example of apache authenticating against active
> directory, so maybe my configuration would be useful to others:
> 
>     <Directory />
>                     Options FollowSymLinks
>                     AllowOverride None
>                     Order deny,allow
>                     AuthType Basic
>                     AuthLDAPURL "ldaps://mydomain.com:389/dc=mydomain,dc=com?sAMAccountName"
>                     AuthLDAPBindDN "cn=Seth Delisle,ou=IT Administration,dc=mydomain,dc=com"
>                     AuthLDAPBindPassword XXYYXXYYZZ
>                     AuthName Restricted
>                     Require valid-user
>     </Directory>
> 
> Note that you need an AuthLDAPBindDN entry that resolves to a user with
> permissions to browse the active directory, and that the first cn= is not the
> same string that you would use to log into a windows box; it's described as the
> "Display Name" when using Windows' mmc domain-users "snap-in."
> 
> The Apache2 docs describe the configuration directives in detail:
> http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html
-- 
Warren Gavin
wmopnc@gmail.com


Re: Windows Authentication

Posted by Seth de l'Isle <se...@ge.com>.
On Sun, Sep 05, 2004 at 05:36:22AM +0200, Branko Čibej wrote:
> You can get a similar effect on Unix with mod_auth_pam and pam_smb 
> (there used to be a mod_auth_ntlm, but IIRC it's defunct now), however 
> it doesn't understand the Windows-specific handshake -- in other words, 
> it just checks the basic auth tokens against an NT domain controller.

I evaluated mod_auth_pam and pam_smb, as well as using mod_auth_ldap 
against active directory.  mod_auth_ldap proved to require less setup. 

I didn't find a good example of apache authenticating against active 
directory, so maybe my configuration would be useful to others:

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        AuthType Basic
        # ldaps:// with an explicit port 389: 389 is the clear-text LDAP
        # port, LDAPS normally listens on 636 (or omit the port and let
        # ldaps:// use its default)
        AuthLDAPURL "ldaps://mydomain.com:389/dc=mydomain,dc=com?sAMAccountName"
        # bind account given as a full DN; its cn= is the AD Display Name,
        # not the logon name (see the note below)
        AuthLDAPBindDN "cn=Seth Delisle,ou=IT Administration,dc=mydomain,dc=com"
        AuthLDAPBindPassword XXYYXXYYZZ
        AuthName Restricted
        Require valid-user
    </Directory>


Note that you need an AuthLDAPBindDN entry that resolves to a user with
permissions to browse the active directory, and that the first cn= is not the
same string that you would use to log into a windows box; it's described as the
"Display Name" when using Windows' mmc domain-users "snap-in."

The Apache2 docs describe the configuration directives in detail:
http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html
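
An added example, not code from this thread, from Subversion or from Apache: a small Python tool that takes an AuthLDAPURL apart the way the mod_auth_ldap documentation describes the directive (RFC 2255 layout, scheme://host:port/basedn?attribute?scope?filter), builds the user-search filter the module sends to the directory, and flags the transport problems a reviewer would raise about the two URLs posted above. It assumes mod_auth_ldap's documented defaults for missing URL parts (attribute uid, scope sub, filter (objectClass=*)) and that the username is escaped per RFC 4515 before it is spliced into the filter; the two sample URLs are copied from the configs in this thread, and the "jsmith" login name is constructed.

```python
"""Parse an Apache AuthLDAPURL and build the user-search filter mod_auth_ldap
would send.  Added example for the thread above; not Apache's own code."""
from urllib.parse import urlsplit, unquote

# Constructed sample input: the two AuthLDAPURL values posted in the thread.
SAMPLE_URLS = [
    "ldap://server:389/ou=Organization,dc=domain,dc=com?sAMAccountName?sub?(objectClass=user)",
    "ldaps://mydomain.com:389/dc=mydomain,dc=com?sAMAccountName",
]

# Standard ports: 389 is clear-text LDAP, 636 is LDAP over TLS (LDAPS).
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into a dict.
    Parts missing from the URL take mod_auth_ldap's documented defaults."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        raise ValueError("unsupported scheme %r" % scheme)
    # urlsplit stops the query at the first '?', so the remaining '?'-separated
    # LDAP fields (attribute, scope, filter) are all still inside parts.query.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = fields[:3]
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORT[scheme],
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",          # mod_auth_ldap default
        "scope": scope or "sub",                  # mod_auth_ldap default
        "filter": filt or "(objectClass=*)",      # mod_auth_ldap default
    }


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    login name such as '*)(cn=' cannot change the meaning of the filter.
    Only the ASCII metacharacters are handled here (assumption: ASCII names)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(cfg, username):
    """Combine the URL's filter with the attribute=username test the way
    mod_auth_ldap does: (&(<filter>)(<attribute>=<escaped username>))."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"],
                             escape_filter_value(username))


def check_transport(cfg):
    """Return the transport warnings a reviewer would raise for this URL."""
    warnings = []
    if cfg["scheme"] == "ldaps" and cfg["port"] == 389:
        warnings.append("ldaps:// on port 389: that is the clear-text LDAP "
                        "port, LDAPS normally listens on 636")
    if cfg["scheme"] == "ldap" and cfg["port"] == 636:
        warnings.append("ldap:// on port 636: that port expects TLS")
    if cfg["scheme"] == "ldap":
        warnings.append("ldap:// is clear text: the AuthLDAPBindPassword and "
                        "every user password Apache checks by binding cross "
                        "the wire unencrypted")
    return warnings


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        cfg = parse_auth_ldap_url(url)
        print(url)
        print("  search base :", cfg["base_dn"], "scope", cfg["scope"])
        print("  user filter :", build_user_filter(cfg, "jsmith"))
        for w in check_transport(cfg):
            print("  WARNING     :", w)
```

Run it with no arguments to see the filter each posted URL produces for a constructed login name and the transport warnings; swap in your own AuthLDAPURL to check the search base and attribute before putting it into httpd.conf.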