You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@subversion.apache.org by Branko Čibej <br...@xbc.nu> on 2004/09/05 03:36:22 UTC
Re: "Windows Authentication" Was: "Credentials Caching - Security
Guy Not Happy" from users list
James Chaldecott wrote:
> What you're looking seems to be variously known as either NTLM or SSPI
> authentication (the former is the protocol the latter the win32 API).
> Various open-source codebases support it on the client side e.g.
> Mozilla[1] & libntlm[2].
Unfortunately, there's a catch. When talking about Apache's
mod_auth_sspi, it's good to know that it only works on Windows. It will,
for example, let you connect to Apache with IE without retyping the
username and password, but I don't know how the handshaking works,
either. Google pops up a few links, and at first glance the client and
server go through a kerberos-like token exchange, although I haven't a
clue how you implement that on Windows. It's certainly not trivial.
You can get a similar effect on Unix with mod_auth_pam and pam_smb
(there used to be a mod_auth_ntlm, but IIRC it's defunct now), however
it doesn't understand the Windows-specific handshake -- in other words,
it just checks the basic auth tokens against an NT domain controller.
-- Brane
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: Windows Authentication
Posted by Warren Gavin <wm...@gmail.com>.
I had initially tried what Seth had done but I had no luck. Here's
what worked for me.
<Location /repos>
DAV svn
SVNPath d:/svn-repository/
AuthType Basic
AuthName "Subversion Repository"
require valid-user
AuthLDAPURL "ldap://server:389/ou=Organization,dc=domain,dc=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN "user@domain.com"
AuthLDAPBindPassword password
</Location>
Probably not the best way but it worked.
On Tue, 7 Sep 2004 11:10:37 -0700, Seth de l'Isle <se...@ge.com> wrote:
> On Sun, Sep 05, 2004 at 05:36:22AM +0200, Branko ??ibej wrote:
> > You can get a similar effect on Unix with mod_auth_pam and pam_smb
> > (there used to be a mod_auth_ntlm, but IIRC it's defunct now), however
> > it doesn't understand the Windows-specific handshake -- in other words,
> > it just checks the basic auth tokens against an NT domain controller.
>
> I evaluated mod_auth_pam and pam_smb, as well as using mod_auth_ldap
> against active directory. mod_auth_ldap proved to require less setup.
>
> I didn't find a good example of apache authenticating against active
> directory, so maybe my configuration would be useful to others:
>
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> Order deny,allow
> AuthType Basic
> AuthLDAPURL "ldaps://mydomain.com:389/dc=mydomain,dc=com?sAMAccountName"
> AuthLDAPBindDN "cn=Seth Delisle,ou=IT Administration,dc=mydomain,dc=com"
> AuthLDAPBindPassword XXYYXXYYZZ
> AuthName Restricted
> Require valid-user
> </Directory>
>
> Note that you need an AuthLDAPBindDN enty that resolves to a user with
> permissions to browse the active directory, and that the first cn= is not the
> same string that you would use to log into a windows box, it's described as the
> "Display Name" when using window's mmc domain-users "snap-in."
>
> The Apache2 docs describe the configuration directives in detail:
> http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html
>
>
>
>
--
Warren Gavin
wmopnc@gmail.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Windows Authentication
Posted by Seth de l'Isle <se...@ge.com>.
On Sun, Sep 05, 2004 at 05:36:22AM +0200, Branko ??ibej wrote:
> You can get a similar effect on Unix with mod_auth_pam and pam_smb
> (there used to be a mod_auth_ntlm, but IIRC it's defunct now), however
> it doesn't understand the Windows-specific handshake -- in other words,
> it just checks the basic auth tokens against an NT domain controller.
I evaluated mod_auth_pam and pam_smb, as well as using mod_auth_ldap
against active directory. mod_auth_ldap proved to require less setup.
I didn't find a good example of apache authenticating against active
directory, so maybe my configuration would be useful to others:
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
AuthType Basic
AuthLDAPURL "ldaps://mydomain.com:389/dc=mydomain,dc=com?sAMAccountName"
AuthLDAPBindDN "cn=Seth Delisle,ou=IT Administration,dc=mydomain,dc=com"
AuthLDAPBindPassword XXYYXXYYZZ
AuthName Restricted
Require valid-user
</Directory>
Note that you need an AuthLDAPBindDN enty that resolves to a user with
permissions to browse the active directory, and that the first cn= is not the
same string that you would use to log into a windows box, it's described as the
"Display Name" when using window's mmc domain-users "snap-in."
The Apache2 docs describe the configuration directives in detail:
http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html