Posted to dev@subversion.apache.org by Auke Jilderda <ji...@dds.nl> on 2006/01/04 21:29:21 UTC

Combining SVN access rights with Active Directory authentication

I'm trying to hook up Subversion and Apache2 to Microsoft Active Directory
but am struggling a bit with exactly what is and is not possible at
present.  I was hoping you can help me clarify this.

I know Apache2 with Subversion can authenticate against a Microsoft Active
Directory service using the SSPI or NTLM module when running Apache on
Windows or UNIX, respectively.  The SSPI module is currently not actively
maintained, but the TortoiseSVN documentation includes a section on how to
configure it [1], while the NTLM project's home page [2] describes how to
configure the module.

This works, although it leaves the challenge of getting clients other than
Microsoft Internet Explorer to actually ask for credentials.  This can be
accomplished by having Apache use basic authentication for fetching the
credentials before using SSPI or NTLM for authenticating against Microsoft
Active Directory, adding the 'SSPIOfferBasic On' or 'NTLMBasicAuth On'
directive, respectively.  Hence, configuring the NTLM module for the
SVN location as follows works:

    AuthType NTLM
    AuthName "Bogus Repository"
    NTLMAuth On
    NTLMAuthoritative On
    NTLMDomain MSAD01
    NTLMserver wdc1
    NTLMBasicAuth On

So far so good but this naturally leads to a next question: Can I define
who has access to what using the user accounts and groups defined in the
Microsoft Active Directory?

I've searched and read up on the topic but am a bit at a loss with the
multiple authentication and authorisation modules out there and Apache 2.2
having things again refactored and would really appreciate some pointers.

Thanks,


Auke

 1. http://tortoisesvn.sourceforge.net/docs/release/TortoiseSVN_en/ch03.html#tsvn-serversetup-apache-5
 2. http://modntlm.sourceforge.net

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Combining SVN access rights with Active Directory authentication

Posted by Jon Bendtsen <jo...@laerdal.dk>.
On Wednesday 4 Jan at 22:29, Auke Jilderda wrote:

> I'm trying to hook up Subversion and Apache2 to Microsoft Active Directory
> but am struggling a bit with exactly what is and is not possible at
> present.  I was hoping you can help me clarify this.
>
> I know Apache2 with Subversion can authenticate against a Microsoft Active
> Directory service using the SSPI or NTLM module when running Apache on
> Windows or UNIX, respectively.  The SSPI module is currently not actively
> maintained, but the TortoiseSVN documentation includes a section on how to
> configure it [1], while the NTLM project's home page [2] describes how to
> configure the module.
>
> This works, although it leaves the challenge of getting clients other than
> Microsoft Internet Explorer to actually ask for credentials.  This can be
> accomplished by having Apache use basic authentication for fetching the
> credentials before using SSPI or NTLM for authenticating against Microsoft
> Active Directory, adding the 'SSPIOfferBasic On' or 'NTLMBasicAuth On'
> directive, respectively.  Hence, configuring the NTLM module for the
> SVN location as follows works:
>
>     AuthType NTLM
>     AuthName "Bogus Repository"
>     NTLMAuth On
>     NTLMAuthoritative On
>     NTLMDomain MSAD01
>     NTLMserver wdc1
>     NTLMBasicAuth On
>
> So far so good but this naturally leads to a next question: Can I define
> who has access to what using the user accounts and groups defined in the
> Microsoft Active Directory?

Use authz for that.



JonB


Re: Combining SVN access rights with Active Directory authentication

Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On 1/4/06, Ben Collins-Sussman <su...@red-bean.com> wrote:
> On 1/4/06, Auke Jilderda <ji...@dds.nl> wrote:
>
> > So far so good but this naturally leads to a next question: Can I define
> > who has access to what using the user accounts and groups defined in the
> > Microsoft Active Directory?
>
> No, you can only tell apache to *authenticate* against AD user
> accounts.  You're asking about *authorization*.  The only thing
> capable of doing path-based authorization is mod_authz_svn, which has
> its own policy file and own internal notion of groups.

So I guess the question becomes, how difficult would it be to make
mod_authz_svn work with Apache's groups (which I imagine we can get
from LDAP or whatever), rather than its own internal groups.

-garrett
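
Because mod_authz_svn keeps its own internal groups, one way to reuse directory groups is to generate the policy file's [groups] section from a directory export. The following is an added example, not code from any poster or from the Subversion project; the LDIF data and all names in it are constructed, and it assumes the account names match the user names Apache hands to mod_authz_svn.

```python
# Constructed sample export (hypothetical names), as from an LDAP search of AD.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,DC=msad01
objectClass: user
sAMAccountName: alice

dn: CN=Bob,OU=Staff,DC=msad01
objectClass: user
sAMAccountName: bob

dn: CN=svn-core,OU=Groups,DC=msad01
objectClass: group
sAMAccountName: svn-core
member: CN=Alice,OU=Staff,DC=msad01

dn: CN=svn-all,OU=Groups,DC=msad01
objectClass: group
sAMAccountName: svn-all
member: CN=svn-core,OU=Groups,DC=msad01
member: CN=Bob,OU=Staff,DC=msad01
member: CN=svn-all,OU=Groups,DC=msad01
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; assumes unfolded, non-base64 LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def flatten(dn, entries, seen):
    """Resolve nested groups to account names; `seen` breaks membership cycles."""
    dn = dn.lower()
    if dn in seen or dn not in entries:   # cycle, or member outside the export
        return set()
    seen.add(dn)
    entry = entries[dn]
    if "group" not in entry["objectClass"]:
        return {entry["sAMAccountName"][0]}
    return set().union(*(flatten(m, entries, seen) for m in entry.get("member", [])))

def groups_section(entries):  # renders the [groups] section of the policy file
    rows = [f"{e['sAMAccountName'][0]} = {', '.join(sorted(flatten(dn, entries, set())))}"
            for dn, e in sorted(entries.items()) if "group" in e["objectClass"]]
    return "\n".join(["[groups]"] + rows)
```

The path rules (for example a section granting `@svn-core = rw`) stay hand-written in the same policy file; only the group membership is regenerated, so a directory change takes effect at the next regeneration rather than immediately.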



Re: Combining SVN access rights with Active Directory authentication

Posted by Ben Collins-Sussman <su...@red-bean.com>.
On 1/4/06, Auke Jilderda <ji...@dds.nl> wrote:

> So far so good but this naturally leads to a next question: Can I define
> who has access to what using the user accounts and groups defined in the
> Microsoft Active Directory?

No, you can only tell apache to *authenticate* against AD user
accounts.  You're asking about *authorization*.  The only thing
capable of doing path-based authorization is mod_authz_svn, which has
its own policy file and own internal notion of groups.



RE: Combining SVN access rights with Active Directory authentication

Posted by Lieven Govaerts <lg...@mobsol.be>.
Auke, 

Ask your question on the Subversion users list; I'm sure you'll get a detailed
response there: users@subversion.tigris.org.

Lieven. 

> -----Original Message-----
> From: Auke Jilderda [mailto:jilderda@dds.nl] 
> Sent: Wednesday 4 January 2006 22:29
> To: svn-dev
> Subject: Combining SVN access rights with Active Directory 
> authentication
> 
> I'm trying to hook up Subversion and Apache2 to Microsoft 
> Active Directory but am struggling a bit with exactly what is 
> and is not possible at present.  I was hoping you can help me 
> clarify this.
> 
> I know Apache2 with Subversion can authenticate against a 
> Microsoft Active Directory service using the SSPI or NTLM 
> module when running Apache on Windows or UNIX, respectively.  The 
> SSPI module is currently not actively maintained, but the 
> TortoiseSVN documentation includes a section on how to 
> configure it [1], while the NTLM project's home page [2] 
> describes how to configure the module.
> 
> This works, although it leaves the challenge of getting 
> clients other than Microsoft Internet Explorer to actually 
> ask for credentials.  This can be accomplished by having 
> Apache use basic authentication for fetching the credentials 
> before using SSPI or NTLM for authenticating against 
> Microsoft Active Directory, adding the 'SSPIOfferBasic On' 
> or 'NTLMBasicAuth On' directive, respectively.  Hence, 
> configuring the NTLM module for the SVN location as follows works:
>     AuthType NTLM
>     AuthName "Bogus Repository"
>     NTLMAuth On
>     NTLMAuthoritative On
>     NTLMDomain MSAD01
>     NTLMserver wdc1
>     NTLMBasicAuth On
> 
> So far so good but this naturally leads to a next question: 
> Can I define who has access to what using the user accounts 
> and groups defined in the Microsoft Active Directory?
> 
> I've searched and read up on the topic but am a bit at a loss 
> with the multiple authentication and authorisation modules 
> out there and Apache 2.2 having things again refactored and 
> would really appreciate some pointers.
> 
> Thanks,
> 
> 
> Auke
> 
>  1. http://tortoisesvn.sourceforge.net/docs/release/TortoiseSVN_en/ch03.html#tsvn-serversetup-apache-5
>  2. http://modntlm.sourceforge.net
> 
