Solved

subversion (SVN) with SSPI issue

Posted on 2007-03-28
4
1,732 Views
Last Modified: 2013-11-25
When using SSPI, apache, and SVN... using the authz file for authentication I cannot seem to get it to work.  I can use * = r and then I can see all but the "/" directory.

Here are the loaded modules
LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule imap_module modules/mod_imap.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

Here is my setup within the httpd.conf

<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath  f:/svnrepos

AuthName "CFSVN"
      
      AuthType SSPI
      SSPIAuth On
      SSPIOmitDomain On
      SSPIUsernameCase lower
      SSPIAuthoritative On
      SSPIDomain domain

      Require valid-user
      AuthzSVNAccessFile "f:/svnrepos/access/access.txt"
</Location>

Funny thing is that it does ask me to login when I am on a machine that is not on my domain and it authenticates me.  It also auto authenticates when using auto login in IE but only when I use * = r.

Here is my authz file...

[groups]
group1 = domain\user1,user1


[/]
@group1 = rw

[/test1]
@group1 = rw


This is pretty urgent as with everything I post... so 500 points!
Thanks in advance...
0
Comment
Question by:Gizneek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 4

Expert Comment

by:ati_ozgur
ID: 18859983
What do you see in your access logs? in Program Files/Apache2/logs/error.log file when you tried to access files. Even though I authenticate with DOMAIN/username. Logs show me username.

SSPIOfferBasic On

if you do not write this line, subversion clients does not work. Since subversion clients needs basic authentication to be able to work.

Not that you can not use, active directory groups with this type of authentication. I tried it but it does not work. But I was able to work it today with similar configuration to yours.


0
 
LVL 4

Accepted Solution

by:
ati_ozgur earned 500 total points
ID: 18859995
from this subversion FAQ
http://subversion.tigris.org/faq.html

How do I allow clients to authenticate against a Windows domain controller using SSPI authentication?

TortoiseSVN has an excellent document that describes setting up a Subversion server on Windows. Go to http://tortoisesvn.net/docs/release/TortoiseSVN_en/tsvn-serversetup.html#tsvn-serversetup-apache-5, to see the section on SSPI authentication.

An important part of the configuration is the line:

   SSPIOfferBasic On

Without this line, browsers that support SSPI will prompt for the user's credentials, but clients that do not suppport SSPI such as Subversion will not prompt. (The current release of Neon - Subversion's HTTP library - handles only basic authentication.) Because the client never asks for credentials, any action that requires authentication will fail. Adding this line tells mod_auth_sspi to use basic authentication with the client, but to use the Windows domain controller to authenticate the credentials.
0
 
LVL 1

Author Comment

by:Gizneek
ID: 18860412
also, I had to go with the old version of the sspi module because using the new one I could not even connect with computers that were not on the domain.  Much appreciated for the help.
0
 
LVL 1

Author Comment

by:Gizneek
ID: 18860415
This means that the
OmitDomain and lowercase lines are removed from my config file.
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
In Solr 4.0 it is possible to atomically (or partially) update individual fields in a document. This article will show the operations possible for atomic updating as well as setting up your Solr instance to be able to perform the actions. One major …
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question