Posted to users@subversion.apache.org by Michael Richters <mi...@gmail.com> on 2007/03/09 19:53:16 UTC

mod_auth_kerb and usernames

When using apache with mod_auth_kerb, $REMOTE_USER contains the whole
kerberos principal name, including "@REALM".  This makes it difficult
to maintain a repository that uses both mod_auth_kerb and some other
method of access.  Is there any way to configure subversion so that
the realm is stripped from the username?

  --Michael Richters

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: mod_auth_kerb and usernames

Posted by Michael Richters <mi...@gmail.com>.
On Sat, Mar 10, 2007 at 10:14:50AM +1100, Samay wrote:
> >On Fri, Mar 09, 2007 at 02:16:51PM -0700, Wesley J. Landaker wrote:
> >>On Friday 09 March 2007 12:53, Michael Richters wrote:
> >>> When using apache with mod_auth_kerb, $REMOTE_USER contains the whole
> >>> kerberos principal name, including "@REALM".  This makes it difficult
> >>> to maintain a repository that uses both mod_auth_kerb and some other
> >>> method of access.  Is there any way to configure subversion so that
> >>> the realm is stripped from the username?
> >>
> 
> There is a logical reason to keep it that way. user@REALM1.FQDN !=
> user@REALM2.FQDN
>
> It's part of the bigger Kerberos picture.

I know that.  But my subversion repository only allows access from one
kerberos realm, so I don't care about that, and there are other ways
for users to access the repository (svn+ssh://).  This means that each
user shows up with two different "usernames", making logs very messy.

> >>I ran across this problem in one installation and ended up concluding that
> >>to get it to work I'd have to either hack the mod_auth_kerb source, which
> >>would be easy but a pain to track on upgrades, etc, or use principal@REALM
> >>for usernames in SVN, which would be unacceptable.
> 
> We integrate SVN Auth with Active Directory using HTTP+Mod_auth_kerb. Map
> users via their User Principal Names in AD. We had to teach a few people how
> to find the UPN from AD using ADTools or LDAP Explorer. It was the only way, as
> we have multiple AD domains/Realms. Now it's part of the process. YMMV.

That's nice, but not relevant to my needs.

> >>So instead, I just used mod_auth_pam and let the Linux PAM system handle the
> >>kerberos authentication transparently instead.
> >
> >Does mod_auth_pam do SPNEGO authentication, allowing the users to use
> >their kerberos tickets to authenticate without the use of passwords?
> 
> No. Mod_auth_pam allows for 'basic' authentication. 

I didn't think so.  That was mostly a rhetorical question.

  --Mike
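
The two positions in this message (principals from different realms are different users; a single-realm repository wants one short name per user across HTTP and svn+ssh://) can both be honoured when commit authors are normalised for reporting. The following is an added example, not code from the thread or from mod_auth_kerb; TRUSTED_REALM, EXAMPLE.COM, the function names and the sample author list are assumptions made up for illustration.

```python
TRUSTED_REALM = "EXAMPLE.COM"  # assumption: the single realm this server accepts


class ForeignRealm(ValueError):
    """The principal belongs to a realm other than the trusted one."""


def local_name(remote_user, trusted_realm=TRUSTED_REALM):
    """Return the short user name for a principal in the trusted realm.

    Names without '@' (for example from svn+ssh://) pass through unchanged.
    Raises ForeignRealm for any other realm, and ValueError for principals
    that are not a plain single-component name.
    """
    name, sep, realm = remote_user.rpartition("@")
    if not sep:
        return remote_user
    # Realm names are case-sensitive, so compare exactly.
    if realm != trusted_realm:
        raise ForeignRealm(remote_user)
    # Do not collapse user/admin@REALM onto user, and do not guess at
    # escaped characters: only plain names are shortened.
    if not name or any(c in name for c in "/\\@"):
        raise ValueError("not a plain user principal: " + remote_user)
    return name


def merge_authors(authors, trusted_realm=TRUSTED_REALM):
    """Map each author string to the identity to report it under."""
    merged = {}
    for author in authors:
        try:
            merged[author] = local_name(author, trusted_realm)
        except ValueError:
            merged[author] = author  # stays distinct: foreign realm or instance
    return merged


# Constructed sample of author names as they might appear in a commit log.
SAMPLE_AUTHORS = [
    "alice",                   # committed over svn+ssh://
    "alice@EXAMPLE.COM",       # same person via mod_auth_kerb
    "bob@EXAMPLE.COM",
    "alice@OTHER.EXAMPLE",     # different realm: a different user
    "bob/admin@EXAMPLE.COM",   # instance principal: not the same as bob
]

if __name__ == "__main__":
    for original, reported in merge_authors(SAMPLE_AUTHORS).items():
        print(f"{original:28} -> {reported}")
```

Only plain principals from the one trusted realm are shortened; everything else keeps its full name so that two different identities are never merged.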


Re: mod_auth_kerb and usernames

Posted by Yves Martin <yv...@elca.ch>.
On Sat, 2007-03-10 at 10:14 +1100, Samay wrote:
> We integrate SVN Auth with Active Directory using HTTP+Mod_auth_kerb. Map
> users via their User Principal Names in AD. We had to teach a few people how
> to find the UPN from AD using ADTools or LDAP Explorer. It was the only way, as
> we have multiple AD domains/Realms. Now it's part of the process. YMMV.

 Hello,

I'm currently working on the same kind of deployment:
. Linux Apache2 server with mod_auth_kerb
. two ActiveDirectory (not trusted, different domains)
. use of Apache::AuthzNetLDAP to check permissions on AD groups

Which Subversion clients do you use?

My Linux svn build with neon 0.25.5 works perfectly.
Recent win32 svn and TortoiseSVN binaries crash when doing SPNEGO - bug
from neon 0.26.x

Thank you in advance
Best regards,
-- 
Yves Martin


Re: mod_auth_kerb and usernames

Posted by Samay <ge...@hotmail.com>.
> On Fri, Mar 09, 2007 at 02:16:51PM -0700, Wesley J. Landaker wrote:
>> On Friday 09 March 2007 12:53, Michael Richters wrote:
>> > When using apache with mod_auth_kerb, $REMOTE_USER contains the whole
>> > kerberos principal name, including "@REALM".  This makes it difficult
>> > to maintain a repository that uses both mod_auth_kerb and some other
>> > method of access.  Is there any way to configure subversion so that
>> > the realm is stripped from the username?
>>

There is a logical reason to keep it that way. user@REALM1.FQDN !=
user@REALM2.FQDN

It's part of the bigger Kerberos picture.

>> I ran across this problem in one installation and ended up concluding that
>> to get it to work I'd have to either hack the mod_auth_kerb source, which
>> would be easy but a pain to track on upgrades, etc, or use principal@REALM
>> for usernames in SVN, which would be unacceptable.

We integrate SVN Auth with Active Directory using HTTP+Mod_auth_kerb. Map
users via their User Principal Names in AD. We had to teach a few people how
to find the UPN from AD using ADTools or LDAP Explorer. It was the only way, as
we have multiple AD domains/Realms. Now it's part of the process. YMMV.

>> So instead, I just used mod_auth_pam and let the Linux PAM system handle the
>> kerberos authentication transparently instead.
>
> Does mod_auth_pam do SPNEGO authentication, allowing the users to use
> their kerberos tickets to authenticate without the use of passwords?

No. Mod_auth_pam allows for 'basic' authentication. 


Re: mod_auth_kerb and usernames

Posted by Michael Richters <mi...@gmail.com>.
On Fri, Mar 09, 2007 at 02:16:51PM -0700, Wesley J. Landaker wrote:
> On Friday 09 March 2007 12:53, Michael Richters wrote:
> > When using apache with mod_auth_kerb, $REMOTE_USER contains the whole
> > kerberos principal name, including "@REALM".  This makes it difficult
> > to maintain a repository that uses both mod_auth_kerb and some other
> > method of access.  Is there any way to configure subversion so that
> > the realm is stripped from the username?
> 
> I ran across this problem in one installation and ended up concluding that 
> to get it to work I'd have to either hack the mod_auth_kerb source, which 
> would be easy but a pain to track on upgrades, etc, or use principal@REALM 
> for usernames in SVN, which would be unacceptable.
> 
> So instead, I just used mod_auth_pam and let the Linux PAM system handle the
> kerberos authentication transparently instead.

Does mod_auth_pam do SPNEGO authentication, allowing the users to use
their kerberos tickets to authenticate without the use of passwords?

  --Mike


Re: mod_auth_kerb and usernames

Posted by Samay <ge...@hotmail.com>.
> On Fri, Mar 09, 2007 at 02:16:51PM -0700, Wesley J. Landaker wrote:
>> I ran across this problem in one installation and ended up concluding that
>> to get it to work I'd have to either hack the mod_auth_kerb source, which
>> would be easy but a pain to track on upgrades, etc, or use principal@REALM
>> for usernames in SVN, which would be unacceptable.
>
> It's not apparent to me how to modify mod_auth_kerb to remove the
> realm from "$REMOTE_USER", but if it were, I would be happy to do so.
> Can you give me any hints?
>

See if this thread helps you:
http://sourceforge.net/tracker/index.php?func=detail&aid=1373783&group_id=51775&atid=464526 


Re: mod_auth_kerb and usernames

Posted by Michael Richters <mi...@gmail.com>.
On Fri, Mar 09, 2007 at 02:16:51PM -0700, Wesley J. Landaker wrote:
> I ran across this problem in one installation and ended up concluding that 
> to get it to work I'd have to either hack the mod_auth_kerb source, which 
> would be easy but a pain to track on upgrades, etc, or use principal@REALM 
> for usernames in SVN, which would be unacceptable.

It's not apparent to me how to modify mod_auth_kerb to remove the
realm from "$REMOTE_USER", but if it were, I would be happy to do so.
Can you give me any hints?

  --Mike


Re: mod_auth_kerb and usernames

Posted by "Wesley J. Landaker" <wj...@icecavern.net>.
On Friday 09 March 2007 12:53, Michael Richters wrote:
> When using apache with mod_auth_kerb, $REMOTE_USER contains the whole
> kerberos principal name, including "@REALM".  This makes it difficult
> to maintain a repository that uses both mod_auth_kerb and some other
> method of access.  Is there any way to configure subversion so that
> the realm is stripped from the username?

I ran across this problem in one installation and ended up concluding that 
to get it to work I'd have to either hack the mod_auth_kerb source, which 
would be easy but a pain to track on upgrades, etc, or use principal@REALM 
for usernames in SVN, which would be unacceptable.

So instead, I just used mod_auth_pam and let the Linux PAM system handle the
kerberos authentication transparently instead.

-- 
Wesley J. Landaker <wj...@icecavern.net> <xm...@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2