Posted to users@subversion.apache.org by Daniel Klaffenbach <da...@gmail.com> on 2009/04/08 11:40:28 UTC

Kerberos + basic auth with Apache (path based)

I am running Scientific Linux 5.2 with subversion 1.4.2 and apache
2.2.3. The subversion repositories reside in /var/www/svn and are
being served with mod_dav_svn.

The users should be authenticated with Kerberos. If Kerberos fails, I
want subversion to check the REPONAME/conf/authz and passwd file for
manually added users. Since we are going to have ~200 repositories I
cannot keep all the users in one authz file.

How do I have to set up apache to parse all the authz files in the
different repositories?

The Kerberos part kind of works with
AuthzSVNAccessFile /var/www/svn_authz
but obviously I cannot keep all the user information in there. Users
should also be able to add non-Kerberos users and configure access for
krb and non-krb users.

Any ideas?


Thanks,
Daniel

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1595200

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: Kerberos + basic auth with Apache (path based)

Posted by Daniel Klaffenbach <da...@gmail.com>.
Hello,

2009/4/8 Alec Kloss <al...@oracle.com>:
> Your question, "how do I get Apache to use multiple authentication
> modules?", is more of an Apache+mod_auth_kerb question than a
> Subversion question.  I've not found a satisfactory answer for
> Apache 2.2 + mod_auth_kerb so I've pieced together my own patches
> to Apache 2.2.9 and mod_auth_kerb 5.3 which can do this.  YMMV.
OK, thanks for that. The reason why I am still using subversion 1.4 is
that I only want to use the software packages that our distributor
(RedHat) ships. Before I start hacking any source code I am going to
try mod_python as described here: http://www.thoughtspark.org/node/25
And mod_auth_kerb also supports fallback mechanisms with
"KrbAuthoritative off".


But let's assume that I only want to use mod_auth_kerb for now. I
still cannot figure out how to tell apache to honour the conf/authz
for EACH project. I do not want to add all the paths to the different
authz files to my apache config as svn projects are being created
automatically.
If I set "require valid-user" then the admins of each repo should
still be able to limit access to their repositories. How would I do
that? It seems like wildcards do not work (like "AuthzSVNAccessFile
/var/www/svn/*/conf/authz").


Thanks,
Daniel Klaffenbach

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1598759
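
One way around the missing wildcard support asked about above, as an added example that is not part of the original thread: regenerate the single file named by AuthzSVNAccessFile from every repository's conf/authz, rewriting each "[/path]" section to "[repo:/path]" and dropping anything that would let one repository's admin write rules for another. It assumes the repositories are served under one parent path so that the section prefix equals the repository directory name; `merge_authz` and the "repo.group" naming are hypothetical, and the sample data is constructed.

```python
import configparser
import re

NAME = re.compile(r"[^\s\[\]=,]+")  # no whitespace or brackets: blocks line injection

def merge_authz(repos):
    """repos maps repo directory name -> text of its conf/authz; returns merged text."""
    groups, rules = [], []
    for repo in sorted(repos):
        cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
        cp.optionxform = str  # keep user names case-sensitive
        cp.read_string(repos[repo])
        local = set(cp["groups"]) if cp.has_section("groups") else set()

        def ns(name):
            # Namespace "@grp" as "@repo.grp"; None for unsafe or undefined names.
            if not NAME.fullmatch(name):
                return None
            if name.startswith("@"):
                return "@%s.%s" % (repo, name[1:]) if name[1:] in local else None
            return name

        for g in sorted(local):
            if ns("@" + g) is None:
                continue
            members = [ns(m.strip()) for m in cp["groups"][g].split(",")]
            groups.append("%s.%s = %s" % (repo, g, ", ".join(m for m in members if m)))
        for sec in cp.sections():
            # Only plain "[/path]" sections survive, so "[other-repo:/]" is dropped.
            if not sec.startswith("/") or "[" in sec or "]" in sec:
                continue
            rules.append("[%s:%s]" % (repo, sec))
            for who, access in cp[sec].items():
                # Multi-line values (indented continuation lines) fail this check.
                if ns(who) is not None and access.strip() in ("", "r", "rw"):
                    rules.append(("%s = %s" % (ns(who), access.strip())).rstrip())
    return "\n".join(["[groups]"] + groups + [""] + rules) + "\n"

# Constructed sample: two repositories; "beta" tries to grant itself access to "alpha".
SAMPLE = {
    "alpha": "[groups]\ndevs = harry, sally\n[/]\n@devs = rw\n* = r\n",
    "beta": "[groups]\ndevs = mallory\n[/]\n@devs = rw\n[alpha:/]\nmallory = rw\n",
}

if __name__ == "__main__":
    print(merge_authz(SAMPLE))
```

Run it from the same job that creates repositories and write the result to a temporary file that is renamed into place, so Apache never reads a half-written authz file.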



Re: Kerberos + basic auth with Apache (path based)

Posted by Alec Kloss <al...@oracle.com>.
On 2009-04-08 13:40, Daniel Klaffenbach wrote:
> I am running Scientific Linux 5.2 with subversion 1.4.2 and apache
> 2.2.3. The subversion repositories reside in /var/www/svn and are
> being served with mod_dav_svn.
> 
> The users should be authenticated with Kerberos. If Kerberos fails, I
> want subversion to check the REPONAME/conf/authz and passwd file for
> manually added users. Since we are going to have ~200 repositories I
> cannot keep all the users in one authz file.
> 
> How do I have to set up apache to parse all the authz files in the
> different repositories?
> 
> The Kerberos part kind of works with
> AuthzSVNAccessFile /var/www/svn_authz
> but obviously I cannot keep all the user information in there. Users
> should also be able to add non-Kerberos users and configure access for
> krb and non-krb users.
> 
> Any ideas?
> 

Your question, "how do I get Apache to use multiple authentication
modules?", is more of an Apache+mod_auth_kerb question than a
Subversion question.  I've not found a satisfactory answer for
Apache 2.2 + mod_auth_kerb so I've pieced together my own patches
to Apache 2.2.9 and mod_auth_kerb 5.3 which can do this.  YMMV.

Here's the gist of the changes:

httpd-2.2.9/server/request.c:
	Change authorization checking to enable authorization when any
	authorization header is found, not just when the location
	requires authentication.

httpd-2.2.9/modules/aaa/mod_auth_basic.c:
	Add an AuthBasicLazy flag, which when true, enables
	mod_auth_basic on any request with an "Authorization: basic"
	header.

mod_auth_kerb-5.3/src/mod_auth_kerb.c:
	Changes to make Kerberos less authoritative to allow basic auth
	from other modules to succeed.

Are there any Apache folks around who have any thoughts about this?



% openssl sha1 apache22-request-auth-header-patch apache-mod_auth_basic-svn+authoratative.patch mod_auth_kerb-svn+basic.patch
SHA1(apache22-request-auth-header-patch)= 85b4e44c3c88f791c3475a4461533db9db3ae4ee
SHA1(apache-mod_auth_basic-svn+authoratative.patch)= ad2914b5422daedf4bf3bd498a87b3ac5f5255d3
SHA1(mod_auth_kerb-svn+basic.patch)= b659e2d1bfe1d30d3833bfbeea8558b3194ecc85

-- 
Alec.Kloss@oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956