Posted to users@subversion.apache.org by Udo Rader <li...@bestsolution.at> on 2009/08/20 16:15:17 UTC
mod_dav_svn & X.509 certificate authorization
Hi,
I am just in the process of setting up a new repository server.
Today access to our repository server is available (only) via
webdav@https, with each developer having his own X.509 certificate to
authenticate the https session.
Then, in a next step, he is asked for a username & a password (LDAP
based), that, upon success, is passed on to mod_dav_svn as a username.
And finally, in order to have fine grained access control, we use
mod_authz_svn to restrict who is allowed to do what in the repository
(stored in the AuthzSVNAccessFile flat text file).
Now as I am starting from scratch, I am wondering if progress has been
made to utilize X.509 client authentication for mod_dav_svn and
mod_authz_svn because I would really like to get rid of the second
authentication stage.
Even better, I would also like to migrate the AuthzSVNAccessFile into LDAP.
Any news on that (I remember a thread on this years ago ... :-)
TIA!
--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2385679
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: mod_dav_svn & X.509 certificate authorization
Posted by Udo Rader <li...@bestsolution.at>.
Johan Corveleyn wrote:
>> From: Udo Rader [mailto:listudo@bestsolution.at]
>> Sent: Thursday, 20 August 2009 18:15
>>
>> Hi,
>>
>> I am just in the process of setting up a new repository server.
>>
>> Today access to our repository server is available (only) via
>> webdav@https, with each developer having his own X.509 certificate
>> to
>> authenticate the https session.
>>
>> Then, in a next step, he is asked for a username & a password (LDAP
>> based), that, upon success, is passed on to mod_dav_svn as a
>> username.
>>
>> And finally, in order to have fine grained access control, we use
>> mod_authz_svn to restrict who is allowed to do what in the
>> repository
>> (stored in the AuthzSVNAccessFile flat text file).
>>
>> Now as I am starting from scratch, I am wondering if progress has
>> been
>> made to utilize X.509 client authentication for mod_dav_svn and
>> mod_authz_svn because I would really like to get rid of the second
>> authentication stage.
>
> I don't know about the previous thread, and I'm not 100% sure, but I
> would think that this is pure Apache+SSL business, not Subversion's.
> I mean, shouldn't Apache be able to map the X.509 SSL client auth to
> a username, which is then passed on (like any normal auth mechanism)?
> Why would you need a second authentication step, just to get the
> username? Apache already knows who the user is, doesn't it?
Yes, you are absolutely right :-)
Reviewing mod_ssl options, I found that there is a "FakeBasicAuth"
directive that does exactly this "subject DN to username" type of
translation.
Maybe I simply didn't notice it or maybe it has been added recently
(well, our old repository server has been running for 6 years now, so
"recently" is relative :-)
Now the only thing remaining is to outsource the AuthzSVNAccessFile into
LDAP, but that probably won't work out so easily.
I am currently thinking about creating some kind of converter script,
dumping the relevant parts of the LDAP DIT as a flat file, being
referenced as the AuthzSVNAccessFile, but that's another story :-)
Anyhow, thanks a lot for your "greater view" on this issue.
--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
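The converter script sketched in the reply above, as an added example (not code from the thread or from the Subversion project): it turns an ldapsearch-style LDIF dump into an AuthzSVNAccessFile, resolving groupOfNames members to a username attribute and refusing to guess when a member DN has no matching entry. The LDIF, the repository name and PATH_RULES are constructed, and `uid` is assumed as the username because that is what the current LDAP password stage hands to mod_dav_svn; with FakeBasicAuth the username Apache passes is the certificate subject DN instead, so `username_attr` would then have to name an LDAP attribute holding exactly that string.

```python
import re

# Constructed LDIF: two people and one groupOfNames with a stale third member DN.
SAMPLE_LDIF = """\
dn: uid=udo,ou=people,dc=example,dc=at
uid: udo

dn: uid=johan,ou=people,dc=example,dc=at
uid: johan

dn: cn=developers,ou=groups,dc=example,dc=at
cn: developers
member: uid=udo,ou=people,dc=example,dc=at
member: uid=johan,ou=people,dc=example,dc=at
member: uid=ghost,ou=people,dc=example,dc=at
"""
# Assumed policy kept outside LDAP: group -> rights per "repo:/path" section.
PATH_RULES = {"main:/": {"@developers": "r"}, "main:/trunk": {"@developers": "rw"}}
# Keep usernames one token: whitespace, '=' or ',' would alter an authz line.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._@-]+$")

def parse_ldif(text):
    """Parse simple LDIF (no base64, no folded lines) into {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def build_authz(ldif_text, username_attr="uid"):
    """Return (authz file text, member DNs that could not be resolved to a user)."""
    entries = parse_ldif(ldif_text)
    groups, unresolved = {}, []
    for attrs in (a for a in entries.values() if "member" in a):   # groups only
        names = []
        for member_dn in attrs["member"]:
            user = entries.get(member_dn, {}).get(username_attr, [None])[0]
            if user is None or not SAFE_NAME.match(user):
                unresolved.append(member_dn)   # report it, never guess a name
            else:
                names.append(user)
        groups[attrs["cn"][0]] = names
    lines = ["[groups]"] + ["%s = %s" % (g, ", ".join(m)) for g, m in sorted(groups.items())]
    lines += ["", "[/]", "* ="]                # default deny at the root
    for section, rules in sorted(PATH_RULES.items()):
        lines += ["", "[%s]" % section] + ["%s = %s" % kv for kv in sorted(rules.items())]
    return "\n".join(lines) + "\n", unresolved
```

Anything returned in the unresolved list should stop the generated file from being installed, otherwise a renamed or deleted LDAP entry silently drops out of its group.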
RE: mod_dav_svn & X.509 certificate authorization
Posted by Johan Corveleyn <jo...@uz.kuleuven.ac.be>.
> From: Udo Rader [mailto:listudo@bestsolution.at]
> Sent: Thursday, 20 August 2009 18:15
>
> Hi,
>
> I am just in the process of setting up a new repository server.
>
> Today access to our repository server is available (only) via
> webdav@https, with each developer having his own X.509 certificate
> to
> authenticate the https session.
>
> Then, in a next step, he is asked for a username & a password (LDAP
> based), that, upon success, is passed on to mod_dav_svn as a
> username.
>
> And finally, in order to have fine grained access control, we use
> mod_authz_svn to restrict who is allowed to do what in the
> repository
> (stored in the AuthzSVNAccessFile flat text file).
>
> Now as I am starting from scratch, I am wondering if progress has
> been
> made to utilize X.509 client authentication for mod_dav_svn and
> mod_authz_svn because I would really like to get rid of the second
> authentication stage.
I don't know about the previous thread, and I'm not 100% sure, but I would think that this is pure Apache+SSL business, not Subversion's. I mean, shouldn't Apache be able to map the X.509 SSL client auth to a username, which is then passed on (like any normal auth mechanism)? Why would you need a second authentication step, just to get the username? Apache already knows who the user is, doesn't it?
I haven't done SSL client auth for a while, but I guess that there are a couple of ways to infer a username from a client certificate:
- either use the subject DN from the certificate as username, or a part of it (CN?, email?). Or some other certificate attribute.
- or, if you have your own PKI infrastructure, there should be ways to look up the real username in an LDAP, using the subject DN from the client cert.
In an Apache+SVN scenario, Subversion really doesn't care how Apache authenticated the user, as long as Apache communicates the username to mod_dav_svn (like with any other auth mechanism).
>
> Even better, I would also like to migrate the AuthzSVNAccessFile
> into LDAP.
>
> Any news on that (I remember a thread on this years ago ... :-)
I don't know, but I'm sure other SVN users have also had this question, and maybe some have come up with nice working solutions for this. So maybe someone else can comment on this...
Regards,
Johan