Posted to users@subversion.apache.org by Michael Tang <ta...@phy.ccnu.edu.cn> on 2009/08/31 07:45:46 UTC

How to configure SSL on SSPI?

Hello All,

I have set up SSL secured connections (https) for my Subversion and https works well. Now, I am trying to set authentication with a Windows Domain with SSPI. But after I set up SSPI, the authorization (Windows Domain userid and password) is only valid for http. For https, no authorization is needed and anyone can access the repository.

According to the document (http://tortoisesvn.net/docs/release/TortoiseSVN_en/tsvn-serversetup-apache.html#tsvn-serversetup-apache-6), the SSPI authentication is only enabled for SSL secured connections (https).

What is wrong in my configuration?

I only added/changed some contents in httpd.conf for SSPI below,

Added

LoadModule sspi_auth_module modules/mod_auth_sspi.so

LoadModule dav_fs_module modules/mod_dav_fs.so

SSPIAuth On
SSPIAuthoritative On
SSPIDomain DOMAIN_NAME
SSPIOfferBasic On

and changed

AuthType from 'Basic' to 'SSPI'

AuthzSVNAccessFile from 'basic_auth_file' to 'SSPI_auth_file'.

and other settings have not been changed. For more details, please find the attached.

Re: How to configure SSL on SSPI?

Posted by Andrey Repin <an...@freemail.ru>.
Greetings, Michael Tang!

> Do you mean the <Location> block

> <Location /svn>
>    DAV svn
>
>    SVNPath C:/svnroot
>
>    AuthType SSPI
>    AuthName "SVN Server Example"
>
>    SSPIAuth On
>    SSPIAuthoritative On
>    SSPIDomain CORPLEAR
>    SSPIOfferBasic Off
>
>    AuthzSVNAccessFile C:/svnroot/conf/SSPI-auth-file
>
>    Require valid-user
> </Location>

> should be moved from httpd.conf to httpd-ssl.conf?

> I moved the block to the end of httpd-ssl.conf, and commented out the SSPI setting in httpd.conf.

It should be placed in the proper VirtualHost (if you're using them).
If you do not use VH, and your Apache is configured to serve the sole purpose of
being an SVN backend, then the location of different blocks is irrelevant.

> The authorization was required when the https connection started, but only
> the user name and password defined in C:/svnroot/conf/HTTP-passwd-file,
> instead of those defined in the Windows Domain, can be used. It means I can
> only access the repository with a username defined in the file, even though
> it was commented out in httpd.conf.

> Meanwhile, http cannot use authentication with the Windows Domain. But it
> worked before the <Location> block was moved.

> I also tried to disable SSPIOfferBasic, but nothing happened.

> I attached my httpd.conf and httpd-ssl.conf. My Subversion version is
> 1.6.3 (r38063), Apache version is 2.2.11.

As a note: 1080 is a SOCKS proxy port.
It is not a very good idea to use commonly known ports for different purposes.

> Could you please give me more details? Please do not hesitate to correct my
> mistake or misunderstanding. Thank you very much! 

Remove the VirtualHost lines from the included ssl file (make that section not a VHost)
and remove "Listen 1080" from the main file.
It should work on an https:// connection now.
Also make sure you do not have many Location blocks defining the same location in
one configuration. (Yes, all included files considered single configuration


--
WBR,
 Andrey Repin (anrdaemon@freemail.ru) 03.09.2009, <0:22>

Sorry for my terrible english...

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2390431

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

RE: How to configure SSL on SSPI?

Posted by Michael Tang <ta...@phy.ccnu.edu.cn>.
Hello Johan and Andrey,

Thanks for your help!

Do you mean the <Location> block

<Location /svn>
   DAV svn
   
   SVNPath C:/svnroot

   AuthType SSPI
   AuthName "SVN Server Example"
      
   SSPIAuth On
   SSPIAuthoritative On
   SSPIDomain CORPLEAR
   SSPIOfferBasic Off
   
   AuthzSVNAccessFile C:/svnroot/conf/SSPI-auth-file
   
   Require valid-user   
</Location>

should be moved from httpd.conf to httpd-ssl.conf?

I moved the block to the end of httpd-ssl.conf, and commented out the SSPI setting in httpd.conf.

The authorization was required when the https connection started, but only the user name and password defined in C:/svnroot/conf/HTTP-passwd-file, instead of those defined in the Windows Domain, can be used. It means I can only access the repository with a username defined in the file, even though it was commented out in httpd.conf.

Meanwhile, http cannot use authentication with the Windows Domain. But it worked before the <Location> block was moved.

I also tried to disable SSPIOfferBasic, but nothing happened.

I attached my httpd.conf and httpd-ssl.conf. My Subversion version is 1.6.3 (r38063), Apache version is 2.2.11.

Could you please give me more details? Please do not hesitate to correct my mistake or misunderstanding. Thank you very much!

Regards
Michael

Re: How to configure SSL on SSPI?

Posted by Andrey Repin <an...@freemail.ru>.
Greetings, Michael Tang!

> I have set up SSL secured connections (https) for my Subversion and https
> works well. Now, I am trying to set authentication with a Windows Domain
> with SSPI. But after I set up SSPI, the authorization (Windows Domain userid
> and password) is only valid for http. For https, no authorization is needed
> and anyone can access the repository.

> According to the document (http://tortoisesvn.net/docs/release/TortoiseSVN_en/tsvn-serversetup-apache.html#tsvn-serversetup-apache-6),
> the SSPI authentication is only enabled for SSL secured connections (https).

> What is wrong in my configuration?

> I only added/changed some contents in httpd.conf for SSPI below,

> Added

> LoadModule sspi_auth_module modules/mod_auth_sspi.so

> LoadModule dav_fs_module modules/mod_dav_fs.so

> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain DOMAIN_NAME
> SSPIOfferBasic On

> and changed

> AuthType from 'Basic' to 'SSPI'

> AuthzSVNAccessFile from 'basic_auth_file' to 'SSPI_auth_file'.

> and other settings have not been changed. For more details, please find the attached.

As already mentioned, you either have changed the wrong block, or your auth
cache still offers you valid credentials for basic auth HTTPS.
Try disabling SSPIOfferBasic first.

P.S.
        <IfModule sspi_auth_module>
            Allow from all

            AuthName "Subversion repository"
            AuthType SSPI
            SSPIAuth On
            SSPIAuthoritative On
            SSPIOfferBasic On
            SSPIOmitDomain On
            SSPIUsernameCase lower
            SSPIBasicPreferred On

            # only developers may access the repository
            Require group "DAEMON1\CVS"

            # And they should obey to SVN user permissions file
            <IfModule authz_svn_module>
                AuthzSVNAccessFile "C:/home/svn/.registry"
            </IfModule>
        </IfModule>

I'm using "SSPIOfferBasic" only because I want remote Linux clients to be able
to authenticate to the repository.


--
WBR,
 Andrey Repin (anrdaemon@freemail.ru) 01.09.2009, <2:54>

Sorry for my terrible english...

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2389577


RE: How to configure SSL on SSPI?

Posted by Johan Corveleyn <jo...@uz.kuleuven.ac.be>.
> From: Michael Tang [mailto:tang@phy.ccnu.edu.cn]
> 
> Hello All,
> 
> I have set up SSL secured connections (https) for my Subversion and
> https works well. Now, I am trying to set authentication with a
> Windows Domain with SSPI. But after I set up SSPI, the
> authorization (Windows Domain userid and password) is only valid for
> http. For https, no authorization is needed and anyone can access
> the repository.
> 
> According to the document (
> http://tortoisesvn.net/docs/release/TortoiseSVN_en/tsvn-serversetup-apache.html#tsvn-serversetup-apache-6),
> the SSPI authentication is only enabled for SSL secured connections (https).
> 
> What is wrong in my configuration?
> 
> I only added/changed some contents in httpd.conf for SSPI below,
> 
> Added
> 
> LoadModule sspi_auth_module modules/mod_auth_sspi.so
> 
> LoadModule dav_fs_module modules/mod_dav_fs.so
> 
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain DOMAIN_NAME
> SSPIOfferBasic On
> 
> and changed
> 
> AuthType from 'Basic' to 'SSPI'
> 
> AuthzSVNAccessFile from 'basic_auth_file' to 'SSPI_auth_file'.
> 
> and other settings have not been changed. For more details, please find
> the attached.

I think you've been editing the wrong <Location> block, the one that's specific for the http access. According to the httpd.conf.err that you attached, I'm guessing that you need to edit another file, namely: conf/httpd-ssl.conf

Since your httpd.conf.err contains the following line:
Include conf/httpd-ssl.conf

There should be a similar Location block in httpd-ssl.conf. That's the one you need to work on. Also: I suppose in the end you need to disable plain http access (or limit it in some way). Otherwise it makes little sense to secure the https access. See Apache documentation for more information on how to do this...

Regards,
Johan

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2388823
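
Added example (not part of the thread or of anyone's attached files): a small Python check for the two pieces of advice above, finding the <Location> block in the included httpd-ssl.conf and making sure the same location is not defined more than once across the main file and its includes. The file contents are constructed samples, the function names are made up for this example, and Include handling is assumed to be literal paths only.

```python
import re

# Constructed sample files modelled on the thread; not the poster's attachments.
FILES = {
    "conf/httpd.conf": """<Location /svn>
   AuthType Basic
   Require valid-user
</Location>
Include conf/httpd-ssl.conf""",
    "conf/httpd-ssl.conf": """<VirtualHost _default_:443>
<Location /svn>
   AuthType SSPI
   Require valid-user
</Location>
</VirtualHost>""",
}

def collect(name, files, vhost="main server", out=None):
    """Walk one file, following Include lines, and record each <Location> block."""
    out = [] if out is None else out
    block = None
    for line in files[name].splitlines():
        line = line.strip()
        if m := re.match(r"<(/?)(VirtualHost|Location)\b\s*([^>]*)>", line, re.I):
            closing, tag, arg = m.group(1), m.group(2).lower(), m.group(3).strip('" ')
            if tag == "virtualhost":
                vhost = "main server" if closing else arg
            elif not closing:
                block = {"file": name, "vhost": vhost, "path": arg}
            elif block is not None:
                out.append(block)
                block = None
        elif block is not None and line and not line.startswith("#"):
            parts = line.split(None, 1)  # directive name, then its arguments
            block[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
        elif m := re.match(r"Include\s+(\S+)", line, re.I):
            if m.group(1) in files:  # assumption: literal paths, no wildcards
                collect(m.group(1), files, vhost, out)
    return out

def duplicates(files, root="conf/httpd.conf"):
    """Map each Location path defined more than once to (file, vhost, AuthType)."""
    seen = {}
    for b in collect(root, files):
        seen.setdefault(b["path"], []).append((b["file"], b["vhost"], b.get("authtype")))
    return {p: v for p, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    print(duplicates(FILES))
```

Each reported path lists where it is defined and with which AuthType, so a leftover Basic block next to the SSPI one shows up in a single pass over the whole configuration.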



RE: How to configure SSL on SSPI?

Posted by Michael Tang <ta...@phy.ccnu.edu.cn>.
Hello Andrey,

Thanks for your suggestion!

I re-configured SSL and cleaned up httpd.conf, httpd-ssl.conf and AuthzSVNAccessFile today. The issue was fixed.

I attached the configuration files. I hope they can help other people who meet the same issue.

Thanks again for your kind help!

Regards
Michael