Posted to users@subversion.apache.org by "Gale, David" <Da...@Hypertherm.com> on 2005/10/11 12:54:09 UTC

User Account Maintenance

What options are there for maintaining user accounts?

As I understand it:
If the server is set up for svnserve over ssh, then the base OS accounts
are used, which makes adding/deleting users easy, and users can change
their own passwords using tools they're used to; however, they need to
have an account on the server's machine.
If the server is set up for svnserve using a passwd file, then users
don't need to have an actual account on the server; adding/deleting
users is still fairly easy, but I don't see any mechanism for them to
change their passwords other than routing their requests through the
repository administrator, who thus knows their passwords.
If the server is set up using apache, accounts are maintained through
htpasswd, again solely by the repository administrator.  Has the other
benefits of svnserve, except the passwords aren't stored in plaintext,
and I'm not sure how easy it is to delete a user (man htpasswd doesn't
list anything that I can see).

Of course, this is just a rough summary; there are various tweaks (as
well as other upsides & downsides) on each of the options, but so far I
haven't found a setup I like, which would definitely include the
following:
 a) Users don't have to have an account on the server's host machine.
 b) Users can change their own passwords.
 c) Users don't need to install anything extra, or, at most, just have
to install the subversion client.
 d) Administrator can delete old user accounts when appropriate.

Is there any configuration which would give me this?  As near as I can
tell, I need to pick between options a and b, which is a rather bitter
thing to accept...

Thanks,
-David

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org


Re: User Account Maintenance

Posted by "Todd D. Esposito" <To...@ToddEsposito.com>.
David,

On Tue, October 11, 2005 7:54, Gale, David said:
> What options are there for maintaining user accounts?
>
> [snip]
>
> Is there any configuration which would give me this?  As near as I can
> tell, I need to pick between options a and b, which is a rather bitter
> thing to accept...
>

I've been using LDAP-based authentication (via mod_auth_ldap) for my
repositories for some time now, and find it very easy to maintain.

You set up each DAV location as you would for .htpasswd-based
authentication, but use the AuthLDAP parameters instead.  Since each
location (if you have more than one repository) will (optionally) have
its own LDAP filter, you can use an LDAP attribute (field) to gate access
to the several repositories.  For example, you could use the 'description'
field to contain something like 'access:myrepos1' and the filter for
myrepos1 would look something like '(&....(description=access:myrepos1))'.
 Since description is a multi-valued field, adding additional
'descriptions' for additional access is a breeze.

I then use phpLdapAdmin to add/change/delete user accounts.

I also wrote a quick PHP script to allow end users to change their LDAP
password, and made that URL well known.

You could probably do all this with MySQL-based authentication via another
Apache auth module, if that's easier for you to set up.  LDAP can be a bit
tricky if you haven't used it before.

Just my $0.02.  Hope it helps!

- Todd
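
Added example (not part of Todd's message or of the Subversion project's own documentation): an Apache configuration sketch of the per-repository LDAP filter scheme described above. The host name, base DN, bind account, repository paths and the `uid` login attribute are assumptions; `AuthBasicProvider ldap` applies to mod_authnz_ldap (Apache 2.2 and later), the successor to mod_auth_ldap.

```apache
# Added example: two repositories, each gated by its own LDAP filter.
# Host, base DN, bind account and paths are placeholders (assumptions).
# Serve these locations over HTTPS: Basic auth sends the password to Apache
# on every request.

<Location /svn/myrepos1>
    DAV svn
    SVNPath /var/svn/myrepos1

    AuthType Basic
    AuthName "Subversion: myrepos1"
    # Needed with mod_authnz_ldap (Apache 2.2+); omit for the older mod_auth_ldap.
    AuthBasicProvider ldap

    # URL format: scheme://host/basedn?login-attribute?scope?filter
    # The module ANDs the filter with (uid=<login name>), so only entries that
    # carry the description value "access:myrepos1" can authenticate here.
    # ldaps:// protects the search and the user's bind on the way to the directory.
    AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(description=access:myrepos1)"

    # Read-only service account used for the search step.
    AuthLDAPBindDN "cn=svn-reader,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE-ME"

    Require valid-user
</Location>

<Location /svn/myrepos2>
    DAV svn
    SVNPath /var/svn/myrepos2

    AuthType Basic
    AuthName "Subversion: myrepos2"
    AuthBasicProvider ldap

    # Same directory, different filter value: a user needs an additional
    # description value "access:myrepos2" to reach this repository.
    AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(description=access:myrepos2)"
    AuthLDAPBindDN "cn=svn-reader,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE-ME"

    Require valid-user
</Location>
```

Because the filter is the access control here, the directory's ACLs must not let users modify their own `description` values, and the file holding the bind password should be readable only by the account that starts Apache.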




Re: User Account Maintenance

Posted by Didier Trosset <di...@acqiris.com>.
Gale, David wrote:
> What options are there for maintaining user accounts?
> 
> ---- 8< ----
> 
> Is there any configuration which would give me this?  As near as I can
> tell, I need to pick between options a and b, which is a rather bitter
> thing to accept...


I went the Kerberos way, using AuthType Kerberos in the Apache config. But I
had it working for a couple of months only, on a test server, to evaluate our
planned migration to svn. It gives both a and b.

The Apache httpd server authenticates users with the main ADS. Thus
there are no specific users defined on the Subversion server.

As the authentication is done against the main Windows server account, there
is no copy of the accounts. Neither account names nor passwords are written
anywhere other than the main Windows server. To change their passwords,
users do this the usual way with their desktop machines.

> 
> Thanks,
> -David

-- 
Didier Trosset-Moreau
Acqiris <www.acqiris.com>
Geneva, Switzerland
