You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by "Hughes, Trystan" <Tr...@assetco.com> on 2005/06/13 13:38:07 UTC
Authentication With Samba
Hi all,
I am about to roll out Subversion across my company and have just realised that the company users use SAMBA (http://us1.samba.org/samba/) for its login/authentication process.
This isn;t exactly Windows domain authentication, so was wondering if I would be able to let Subversion use Apache to pickup the users SAMBA login credentials so that they can automatically login (like Windows Domain Authentication works).
Is this at all possible?
Thanks
Tryst
The views expressed in this e-mail are not necessarily the views of AssetCo Group Limited,
its directors, officers or employees make no representation or accept any
liability for its accuracy or completeness unless expressly stated to the contrary.
This e-mail, and any attachments are strictly confidential and intended for the addressee(s) only.
The content may also contain legal, professional or other privileged information. Unless expressly
stated to the contrary, no contracts may be concluded on behalf of AssetCo Group Limited by means of
e-mail communication. You may report the matter by calling us on +44 (0)118 906 8000.
Please ensure you have adequate virus protection before you open or detach any documents from this
transmission. AssetCo Group Limited does not accept any liability for viruses. AssetCo Group Limited
is registered in England: Company number: 4450947
Registered Office: Davidson House, Forbury Square, Reading, Berkshire RG1 3GA
Re: Authentication With Samba
Posted by Frank Gruman <fg...@verizon.net>.
Normal LDAP. You can build the mod_auth_ldap module right into Apache
(I prefer the DSO), and then just pipe in your ADS LDAP server address
since ADS is already an LDAP server. The only issue I have with it is
that I have to bind before it will do the apache authentication. I
really wish I didn't have to do that.
To build with apache 2.0.54 (make sure you have ldap developer files
loaded) -
./configure --enable-mods-shared=all --enable-ldap --with-ldap
--enable-auth-ldap
Instructions on the directives for mod_auth_ldap are found here -
http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html
If there was a way to set up replication (I am thinking it would make
for faster authentication) without asking the MIS staff to change
anything on the ADS side, I'd do it. There might be, but I haven't
found it yet.
Regards,
Frank
Brad wrote:
> Are you talking about authenticating with a normal LDAP schema or the
> ADS LDAP replication? If its the ADS LDAP replication, do you have any
> links or howtos?
>
> I would rather start using the LDAP replication from ADS so that
> winbind doesnt have to be installed on all the machines. I
>
> Thanks,
> Brad
>
> On Mon, 2005-06-13 at 12:42 -0400, Frank Gruman wrote:
>
>> I'd have to say that yes, it is very possible, and it was relatively
>> easy, but my authentication times are very slow (10-20 seconds).
>> I've run ethereal scans, and it seems that there are Kerberos issues
>> floating back and forth on the first and secod handshakes. But then
>> they work out. Strange, but it happened...
>>
>> Anyway - that was when I did Apache+Samba + Winbind. Have now got
>> Apache + LDAP running, and that rocks!
>>
>> So - make sure you get EVERYTHING right before you move into
>> production. I had a couple of very unhappy developers (read ->
>> whiney) who didn't like to wait that long for authentication. They
>> started to revolt and claim they'd rather work on VSS.
>>
>> Regards,
>> Frank
>>
>> Brad wrote:
>>
>>> Tryst,
>>> Yes and its far easier than it sounds. The only issue I have is
>>> that users have to enter in the fully qualified domain user name
>>> such as "DOMAIN\USER". That depends on your domain scoping though.
>>> But it works fine other than that. I have the authentication hooked
>>> up through PAM. Apache can authenticate with PAM through mod_auth_pam.
>>>
>>> Get your system authenticating first:
>>> http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain
>>>
>>> And then use mod_auth_pam to get apache authenticating. Basically,
>>> just don't specify a password file.
>>>
>>>
>>> Brad
>>>
>>>
>>> On Mon, 2005-06-13 at 14:38 +0100, Hughes, Trystan wrote:
>>>
>>>>Hi all,
>>>>
>>>>I am about to roll out Subversion across my company and have just realised that the company users use SAMBA (http://us1.samba.org/samba/) for its login/authentication process.
>>>>
>>>>This isn;t exactly Windows domain authentication, so was wondering if I would be able to let Subversion use Apache to pickup the users SAMBA login credentials so that they can automatically login (like Windows Domain Authentication works).
>>>>
>>>>Is this at all possible?
>>>>
>>>>Thanks
>>>>
>>>>Tryst
>>>>
>>>>The views expressed in this e-mail are not necessarily the views of AssetCo Group Limited,
>>>>its directors, officers or employees make no representation or accept any
>>>>liability for its accuracy or completeness unless expressly stated to the contrary.
>>>>This e-mail, and any attachments are strictly confidential and intended for the addressee(s) only.
>>>>The content may also contain legal, professional or other privileged information. Unless expressly
>>>>stated to the contrary, no contracts may be concluded on behalf of AssetCo Group Limited by means of
>>>>e-mail communication. You may report the matter by calling us on +44 (0)118 906 8000.
>>>>Please ensure you have adequate virus protection before you open or detach any documents from this
>>>>transmission. AssetCo Group Limited does not accept any liability for viruses. AssetCo Group Limited
>>>>is registered in England: Company number: 4450947
>>>>Registered Office: Davidson House, Forbury Square, Reading, Berkshire RG1 3GA
>>>>
>>>>
>>>>
Re: Authentication With Samba
Posted by Laurent CHASTEL <lc...@hotmail.com>.
Hello,
I'm using Apache + samba for authentication and it works fine for me.
To manage autorization, I created several groups on Windows Domain (2 at
least, one for readers and one for writers).
I wrote a script that get the list of users of those groups and modify the
.svnaccess file.
I put the script in the cron to update the file every hour.
Regards,
Laurent
>From: Frank Gruman <fg...@verizon.net>
>To: Brad <sv...@molandernet.com>
>CC: users@subversion.tigris.org, "Hughes, Trystan"
><Tr...@assetco.com>
>Subject: Re: Authentication With Samba
>Date: Mon, 13 Jun 2005 12:42:00 -0400
>
>I'd have to say that yes, it is very possible, and it was relatively easy,
>but my authentication times are very slow (10-20 seconds). I've run
>ethereal scans, and it seems that there are Kerberos issues floating back
>and forth on the first and secod handshakes. But then they work out.
>Strange, but it happened...
>
>Anyway - that was when I did Apache+Samba + Winbind. Have now got Apache +
>LDAP running, and that rocks!
>
>So - make sure you get EVERYTHING right before you move into production. I
>had a couple of very unhappy developers (read -> whiney) who didn't like to
>wait that long for authentication. They started to revolt and claim they'd
>rather work on VSS.
>
>Regards,
>Frank
>
>Brad wrote:
>!
>>Tryst,
>> Yes and its far easier than it sounds. The only issue I have is that
>>users have to enter in the fully qualified domain user name such as
>>"DOMAIN\USER". That depends on your domain scoping though. But it works
>>fine other than that. I have the authentication hooked up through PAM.
>>Apache can authenticate with PAM through mod_auth_pam.
>>
>>Get your system authenticating first:
>>http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain
>>
>>And then use mod_auth_pam to get apache authenticating. Basically, just
>>don't specify a password file.
>>
>>
>>Brad
>>
>>
>>On Mon, 2005-06-13 at 14:38 +0100, Hughes, Trystan wrote:
>>
>>>Hi all,
>>>
>>>I am about to roll out Subversion across my company and have just
>>>realised that the company users use SAMBA (http://us1.samba.org/samba/)
>>>for its login/authentication process.
>>>
>>>This isn;t exactly Windows domain authentication, so was wondering if I
>>>would be able to let Subversion use Apache to pickup the users SAMBA
>>>login credentials so that they can automatically login (like Windows
>>>Domain Authentication works).
>>>
>>>Is this at all possible?
>>>
>>>Thanks
>>>
>>>Tryst
>>>
>>>The views expressed in this e-mail are not necessarily the views of
>>>AssetCo Group Limited,
>>>its directors, officers or employees make no representation or accept any
>>>liability for its accuracy or completeness unless expressly stated to the
>>>contrary.
>>>This e-mail, and any attachments are strictly confidential and intended
>>>for the addressee(s) only.
>>>The content may also contain legal, professional or other privileged
>>>information. Unless expressly
>>>stated to the contrary, no contracts may be concluded on behalf of
>>>AssetCo Group Limited by means of
>>>e-mail communication. You may report the matter by calling us on +44
>>>(0)118 906 8000.
>>>Please ensure you have adequate virus protection before you open or
>>>detach any documents from this
>>>transmission. AssetCo Group Limited does not accept any liability for
>>>viruses. AssetCo Group Limited
>>>is registered in England: Company number: 4450947
>>>Registered Office: Davidson House, Forbury Square, Reading, Berkshire RG1
>>>3GA
>>>
>>>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Authentication With Samba
Posted by Frank Gruman <fg...@verizon.net>.
I'd have to say that yes, it is very possible, and it was relatively
easy, but my authentication times are very slow (10-20 seconds). I've
run ethereal scans, and it seems that there are Kerberos issues floating
back and forth on the first and secod handshakes. But then they work
out. Strange, but it happened...
Anyway - that was when I did Apache+Samba + Winbind. Have now got
Apache + LDAP running, and that rocks!
So - make sure you get EVERYTHING right before you move into
production. I had a couple of very unhappy developers (read -> whiney)
who didn't like to wait that long for authentication. They started to
revolt and claim they'd rather work on VSS.
Regards,
Frank
Brad wrote:
> Tryst,
> Yes and its far easier than it sounds. The only issue I have is
> that users have to enter in the fully qualified domain user name such
> as "DOMAIN\USER". That depends on your domain scoping though. But it
> works fine other than that. I have the authentication hooked up
> through PAM. Apache can authenticate with PAM through mod_auth_pam.
>
> Get your system authenticating first:
> http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain
>
> And then use mod_auth_pam to get apache authenticating. Basically,
> just don't specify a password file.
>
>
> Brad
>
>
> On Mon, 2005-06-13 at 14:38 +0100, Hughes, Trystan wrote:
>
>>Hi all,
>>
>>I am about to roll out Subversion across my company and have just realised that the company users use SAMBA (http://us1.samba.org/samba/) for its login/authentication process.
>>
>>This isn;t exactly Windows domain authentication, so was wondering if I would be able to let Subversion use Apache to pickup the users SAMBA login credentials so that they can automatically login (like Windows Domain Authentication works).
>>
>>Is this at all possible?
>>
>>Thanks
>>
>>Tryst
>>
>>The views expressed in this e-mail are not necessarily the views of AssetCo Group Limited,
>>its directors, officers or employees make no representation or accept any
>>liability for its accuracy or completeness unless expressly stated to the contrary.
>>This e-mail, and any attachments are strictly confidential and intended for the addressee(s) only.
>>The content may also contain legal, professional or other privileged information. Unless expressly
>>stated to the contrary, no contracts may be concluded on behalf of AssetCo Group Limited by means of
>>e-mail communication. You may report the matter by calling us on +44 (0)118 906 8000.
>>Please ensure you have adequate virus protection before you open or detach any documents from this
>>transmission. AssetCo Group Limited does not accept any liability for viruses. AssetCo Group Limited
>>is registered in England: Company number: 4450947
>>Registered Office: Davidson House, Forbury Square, Reading, Berkshire RG1 3GA
>>
>>
Re: Authentication With Samba
Posted by Brad <sv...@molandernet.com>.
Tryst,
Yes and its far easier than it sounds. The only issue I have is that
users have to enter in the fully qualified domain user name such as
"DOMAIN\USER". That depends on your domain scoping though. But it works
fine other than that. I have the authentication hooked up through PAM.
Apache can authenticate with PAM through mod_auth_pam.
Get your system authenticating first:
http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain
And then use mod_auth_pam to get apache authenticating. Basically, just
don't specify a password file.
Brad
On Mon, 2005-06-13 at 14:38 +0100, Hughes, Trystan wrote:
> Hi all,
>
> I am about to roll out Subversion across my company and have just realised that the company users use SAMBA (http://us1.samba.org/samba/) for its login/authentication process.
>
> This isn;t exactly Windows domain authentication, so was wondering if I would be able to let Subversion use Apache to pickup the users SAMBA login credentials so that they can automatically login (like Windows Domain Authentication works).
>
> Is this at all possible?
>
> Thanks
>
> Tryst
>
> The views expressed in this e-mail are not necessarily the views of AssetCo Group Limited,
> its directors, officers or employees make no representation or accept any
> liability for its accuracy or completeness unless expressly stated to the contrary.
> This e-mail, and any attachments are strictly confidential and intended for the addressee(s) only.
> The content may also contain legal, professional or other privileged information. Unless expressly
> stated to the contrary, no contracts may be concluded on behalf of AssetCo Group Limited by means of
> e-mail communication. You may report the matter by calling us on +44 (0)118 906 8000.
> Please ensure you have adequate virus protection before you open or detach any documents from this
> transmission. AssetCo Group Limited does not accept any liability for viruses. AssetCo Group Limited
> is registered in England: Company number: 4450947
> Registered Office: Davidson House, Forbury Square, Reading, Berkshire RG1 3GA
Re: Authentication With Samba
Posted by "Kevin T. Broderick" <kb...@boltonvalley.com>.
On 13 Jun 2005, at 9:38 AM, Hughes, Trystan wrote:
>
> Hi all,
>
> I am about to roll out Subversion across my company and have just
> realised that the company users use SAMBA (http://us1.samba.org/
> samba/) for its login/authentication process.
>
> This isn;t exactly Windows domain authentication, so was wondering
> if I would be able to let Subversion use Apache to pickup the users
> SAMBA login credentials so that they can automatically login (like
> Windows Domain Authentication works).
>
> Is this at all possible?
If you can get PAM to auth against the desired back end on the
webserver, then you can use apache's mod_auth_pam to get apache to
use PAM for web-based logins. I'd expect there to be a way to get
PAM to auth against Samba, possibly with winbindd, but I haven't
tried that myself.
Kevin Broderick, Bolton Valley IT Department
kbroderick@boltonvalley.com / 802.434.6807 (V) / 802.329.6807 (F)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org