Posted to users@subversion.apache.org by "Svein E. Seldal" <sv...@dev.seldal.com> on 2005/03/18 07:18:58 UTC
SVN+SSL+AuthzSVNAccess question
Hi all,
I'm trying to set up a svn rep. with apache2 using required user certificates.
These certificates should decide if a user gets access or not based on the
AuthzSVNAccess file. But I cannot get it to work. My certificates and the
apache config are correct, but the svn config isn't going where I want. Can
someone please guide me?
The complete config is listed below.
The apache SSL fake basic auth feature makes it possible to list the allowed
users in the "AuthUserFile" file. The username in this file is the complete
subject of the certificate (i.e. "/C=xx/ST=xx/O=x/CN=xx" etc)
with or without any spaces.
- What will the username that svn is using be? ...In the AuthzSVNAccess
file that is?
If the mod_ssl option "SSLUserName" is set to "SSL_CLIENT_S_DN_CN" and it's
working for svn, I would guess that the username will be the CN part of the
certificate. This will for my case lead to spaces in the username. So:
- Can I have spaces in the usernames in the AuthzSVNAccess file? How?
My config allows me to check out, but not check in. If I remove the "* = r" in
the access file, it works (with the certificates and all). But then I don't
have any access control...
Does anyone else have experience with this?
Regards,
Svein Seldal
Server:
Apache/2.0.53 (Debian GNU/Linux) DAV/2 SVN/1.1.3 PHP/4.3.10-9 mod_ssl/2.0.53
OpenSSL/0.9.7e Server at sveinse.foobar Port 443
apache configuration:
------------------------------
<Location /svn>
    DAV svn
    SVNParentPath /home/sveinse/local/var/svn
    # our access control policy
    AuthzSVNAccessFile /home/sveinse/local/var/svn/test.policy
    # only authenticated users may access the repository
    Require valid-user
    # how to authenticate a user
    SSLOptions +FakeBasicAuth
    SSLUserName SSL_CLIENT_S_DN_CN
    AuthType Basic
    AuthName "Test subversion repository"
    AuthUserFile /home/sveinse/local/var/svn/test.auth
</Location>
test.auth:
-------------
/C=NO/ST=Sor-Trondelag/O=TEST/CN=Svein
Seldal/emailAddress=svein@somewhere:xxj31ZMTZzkVA
(All in one line)
test.policy:
---------------
[test:/]
* = r
Svein Seldal = rw
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: SVN+SSL+AuthzSVNAccess question
Posted by "Svein E. Seldal" <sv...@dev.seldal.com>.
On Friday 18 March 2005 17:35, Kevin Bentley wrote:
> I proposed a change to mod_ssl to allow the SSLUserName option to be
> used with Subversion. That way you can specify which part of the
> certificate to use as the username (such as the full name, or email
> address). They made this change, and hopefully it will be in the next
> release of apache. The bugzilla issue is
> http://issues.apache.org/bugzilla/show_bug.cgi?id=31418
I see from the bugtrack, that the issue has been resolved. Does this mean that
the feature is now implemented in the released 2.0.54, or will it be included
in the next release?
Are there any changes that need to be made to other related software to get
SSLUserName to work?
BTW I have a debian sarge system:
ii apache2-mpm-prefork 2.0.54-4
ii libapache2-svn 1.1.4-1
ii subversion 1.1.4-1
Thanks a lot,
Svein Seldal
Re: SVN+SSL+AuthzSVNAccess question
Posted by Kevin Bentley <ke...@gmail.com>.
On Fri, 18 Mar 2005 08:18:58 +0100, Svein E. Seldal
<sv...@dev.seldal.com> wrote:
> test.auth:
> -------------
> /C=NO/ST=Sor-Trondelag/O=TEST/CN=Svein
> Seldal/emailAddress=svein@somewhere:xxj31ZMTZzkVA
>
> (All in one line)
>
> test.policy:
> ---------------
> [test:/]
> * = r
> Svein Seldal = rw
Unfortunately, the username is the full context of the certificate:
" /C=NO/ST=Sor-Trondelag/O=TEST/CN=Svein
Seldal/emailAddress=svein@somewhere:xxj31ZMTZzkVA"
So you need to change your AuthzSVNAccessFile file. The other problem
is that Subversion can't parse this name correctly because it has an =
sign in it. A solution someone told me about is to create a group with
the certificate username in it, then use that group to assign
permissions. That will work around the = problem. Of course your
change logs will have the full certificate subject as the author.
I proposed a change to mod_ssl to allow the SSLUserName option to be
used with Subversion. That way you can specify which part of the
certificate to use as the username (such as the full name, or email
address). They made this change, and hopefully it will be in the next
release of apache. The bugzilla issue is
http://issues.apache.org/bugzilla/show_bug.cgi?id=31418
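The read-only symptom and the group workaround discussed in this thread, as an added example that is not part of any poster's message and is not Subversion's code. It is a simplified Python model that assumes a rule line is split at the first `=` and that the permissions of all matching entries are combined; the group name `svein` is hypothetical, and the DN is the user part of the test.auth entry above.

```python
# Simplified model of authz rule lookup; NOT Subversion's parser.
# Assumption: each rule line is split into name and value at the first '='.
DN = "/C=NO/ST=Sor-Trondelag/O=TEST/CN=Svein Seldal/emailAddress=svein@somewhere"
ORIGINAL = "[test:/]\n* = r\nSvein Seldal = rw\n"
DN_AS_RULE = f"[test:/]\n* = r\n{DN} = rw\n"
GROUP_WORKAROUND = f"[groups]\nsvein = {DN}\n\n[test:/]\n* = r\n@svein = rw\n"


def parse(text):
    """Return {section: {name: value}} for an authz-style policy text."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)  # a DN used as a name breaks here
            current[name.strip()] = value.strip()
    return sections


def access(text, path, user):
    """Combine the permissions of every entry in [path] that matches user."""
    cfg = parse(text)
    rules, groups = cfg.get(path, {}), cfg.get("groups", {})
    granted = set()
    for name, perms in rules.items():
        if name.startswith("@"):
            members = [m.strip() for m in groups.get(name[1:], "").split(",")]
            hit = user in members
        else:
            hit = name in ("*", user)
        if hit:
            granted.update(perms)
    return "".join(sorted(granted))


if __name__ == "__main__":
    for label, policy in [("original", ORIGINAL), ("DN as rule", DN_AS_RULE),
                          ("group", GROUP_WORKAROUND)]:
        print(f"{label:10} -> {access(policy, 'test:/', DN)!r}")
```
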