[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

subversion (SVN) with SSPI issue

Posted on 2007-03-28
4
Medium Priority
?
1,754 Views
Last Modified: 2013-11-25
When using SSPI, apache, and SVN... using the authz file for authentication I cannot seem to get it to work.  I can use * = r and then I can see all but the "/" directory.

Here are the loaded modules
LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule imap_module modules/mod_imap.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

Here is my setup within the httpd.conf

<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath  f:/svnrepos

AuthName "CFSVN"
      
      AuthType SSPI
      SSPIAuth On
      SSPIOmitDomain On
      SSPIUsernameCase lower
      SSPIAuthoritative On
      SSPIDomain domain

      Require valid-user
      AuthzSVNAccessFile "f:/svnrepos/access/access.txt"
</Location>

Funny thing is that it does ask me to login when I am on a machine that is not on my domain and it authenticates me.  It also auto authenticates when using auto login in IE but only when I use * = r.

Here is my authz file...

[groups]
group1 = domain\user1,user1


[/]
@group1 = rw

[/test1]
@group1 = rw


This is pretty urgent as with everything I post... so 500 points!
Thanks in advance...
0
Comment
Question by:Gizneek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 4

Expert Comment

by:ati_ozgur
ID: 18859983
What do you see in your access logs? in Program Files/Apache2/logs/error.log file when you tried to access files. Even though I authenticate with DOMAIN/username. Logs show me username.

SSPIOfferBasic On

if you do not write this line, subversion clients does not work. Since subversion clients needs basic authentication to be able to work.

Not that you can not use, active directory groups with this type of authentication. I tried it but it does not work. But I was able to work it today with similar configuration to yours.


0
 
LVL 4

Accepted Solution

by:
ati_ozgur earned 2000 total points
ID: 18859995
from this subversion FAQ
http://subversion.tigris.org/faq.html

How do I allow clients to authenticate against a Windows domain controller using SSPI authentication?

TortoiseSVN has an excellent document that describes setting up a Subversion server on Windows. Go to http://tortoisesvn.net/docs/release/TortoiseSVN_en/tsvn-serversetup.html#tsvn-serversetup-apache-5, to see the section on SSPI authentication.

An important part of the configuration is the line:

   SSPIOfferBasic On

Without this line, browsers that support SSPI will prompt for the user's credentials, but clients that do not suppport SSPI such as Subversion will not prompt. (The current release of Neon - Subversion's HTTP library - handles only basic authentication.) Because the client never asks for credentials, any action that requires authentication will fail. Adding this line tells mod_auth_sspi to use basic authentication with the client, but to use the Windows domain controller to authenticate the credentials.
0
 
LVL 1

Author Comment

by:Gizneek
ID: 18860412
also, I had to go with the old version of the sspi module because using the new one I could not even connect with computers that were not on the domain.  Much appreciated for the help.
0
 
LVL 1

Author Comment

by:Gizneek
ID: 18860415
This means that the
OmitDomain and lowercase lines are removed from my config file.
0

Featured Post

What’s Wrong with Your Cloud Strategy ?

Even as many CIOs are embracing a cloud-first strategy, the reality is that moving to the cloud is a lengthy process and the end-state is likely to be a blend of multiple clouds—public and private. Learn why multicloud solutions matter in this webinar by Nimble Storage.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question