You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by "Johnson, Russell D." <RU...@saic.com> on 2004/04/09 17:31:58 UTC
SSPI Authentication + folder Authorization?
Hi,
I'm managing a subversion repository using Apache on a windows machine in a
LAN with a windows domain controller.
The repository is currently working great with SSPI authentication from both
web browsers and SVN clients.
My question: how can I restrict access on folders in the repository while
still using SSPI authentication?
If I use AuthType Basic in the httpd.conf, I am able to restrict access on
the folders, but then I no longer have the advantage of SSPI authentication.
I've tried mixing a svnaccessfile with SSPI, but haven't found a successful
combination of users in domains.
Finally, the FAQs and manuals do not contain a configuration example using
both SSPI authentication & folder authorization.
Am I being stupid and missed something?
Thanks in advance.
Re: SSPI Authentication + folder Authorization?
Posted by Ben Collins-Sussman <su...@collab.net>.
Oy, let me try to type coherently:
On Fri, 2004-04-09 at 12:55, Ben Collins-Sussman wrote:
> mod_authz_svn has no concept of win32 domains or users. It defines its
> own users within the accessfile, and only pays attentions to
^^^^^
"groups", I mean.
> 'authenticated users' attached to HTTP requests in basic-auth headers.
> So unless the SSPI module is able to "fake" basic auth in http requests,
> there's nothing you can do.
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: SSPI Authentication + folder Authorization?
Posted by Ben Collins-Sussman <su...@collab.net>.
On Fri, 2004-04-09 at 12:31, Johnson, Russell D. wrote:
> I've tried mixing a svnaccessfile with SSPI, but haven't found a
> successful combination of users in domains.
mod_authz_svn has no concept of win32 domains or users. It defines its
own users within the accessfile, and only pays attentions to
'authenticated users' attached to HTTP requests in basic-auth headers.
So unless the SSPI module is able to "fake" basic auth in http requests,
there's nothing you can do.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: SSPI Authentication + folder Authorization?
Posted by Stefan <st...@tigris.org>.
Ben Collins-Sussman wrote:
>>You will need mod_auth_svn, and then configure the usernames in the
>>authz file as DOMAINNAME\username, not just username.
>
>
> Thanks Stefan... I had no idea about this! So the SSPI module *does*
> use basic auth headers then? Very cool!
It _can_ use basic auth headers. But you have to configure it that way.
You need to set the SSPIOfferBasic line in the config file to "On". To
be honest, I haven't been able to make it work without that line anyway,
even if I don't use mod_auth_svn.
Stefan
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: SSPI Authentication + folder Authorization?
Posted by Ben Collins-Sussman <su...@collab.net>.
On Fri, 2004-04-09 at 15:20, Stefan wrote:
> You will need mod_auth_svn, and then configure the usernames in the
> authz file as DOMAINNAME\username, not just username.
Thanks Stefan... I had no idea about this! So the SSPI module *does*
use basic auth headers then? Very cool!
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: SSPI Authentication + folder Authorization?
Posted by Stefan <st...@tigris.org>.
Johnson, Russell D. wrote:
> Hi,
> I'm managing a subversion repository using Apache on a windows machine
> in a LAN with a windows domain controller.
> The repository is currently working great with SSPI authentication from
> both web browsers and SVN clients.
>
> My question: how can I restrict access on folders in the repository
> while still using SSPI authentication?
>
> If I use AuthType Basic in the httpd.conf, I am able to restrict access
> on the folders, but then I no longer have the advantage of SSPI
> authentication.
>
> I've tried mixing a svnaccessfile with SSPI, but haven't found a
> successful combination of users in domains.
You will need mod_auth_svn, and then configure the usernames in the
authz file as DOMAINNAME\username, not just username.
Stefan
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org