Solved

subversion (SVN) with SSPI issue

Posted on 2007-03-28
Last Modified: 2013-11-25
When using SSPI, Apache, and SVN... using the authz file for authentication I cannot seem to get it to work. I can use * = r and then I can see all but the "/" directory.

Here are the loaded modules
LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule imap_module modules/mod_imap.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

Here is my setup within the httpd.conf

<Location /svn>
      DAV svn
      SVNListParentPath on
      SVNParentPath f:/svnrepos

      AuthName "CFSVN"

      AuthType SSPI
      SSPIAuth On
      SSPIOmitDomain On
      SSPIUsernameCase lower
      SSPIAuthoritative On
      SSPIDomain domain

      Require valid-user
      AuthzSVNAccessFile "f:/svnrepos/access/access.txt"
</Location>

Funny thing is that it does ask me to login when I am on a machine that is not on my domain and it authenticates me.  It also auto authenticates when using auto login in IE but only when I use * = r.

Here is my authz file...

[groups]
group1 = domain\user1,user1


[/]
@group1 = rw

[/test1]
@group1 = rw


This is pretty urgent as with everything I post... so 500 points!
Thanks in advance...
0
Question by:Gizneek
4 Comments
 
LVL 4

Expert Comment

by:ati_ozgur
ID: 18859983
What do you see in your access logs, in the Program Files/Apache2/logs/error.log file, when you try to access files? Even though I authenticate with DOMAIN/username, the logs show me username.

SSPIOfferBasic On

If you do not write this line, Subversion clients do not work, since Subversion clients need basic authentication to be able to work.

Note that you cannot use Active Directory groups with this type of authentication. I tried it but it does not work. But I was able to get it working today with a configuration similar to yours.


0
 
LVL 4

Accepted Solution

by:
ati_ozgur earned 500 total points
ID: 18859995
From this Subversion FAQ:
http://subversion.tigris.org/faq.html

How do I allow clients to authenticate against a Windows domain controller using SSPI authentication?

TortoiseSVN has an excellent document that describes setting up a Subversion server on Windows. Go to http://tortoisesvn.net/docs/release/TortoiseSVN_en/tsvn-serversetup.html#tsvn-serversetup-apache-5, to see the section on SSPI authentication.

An important part of the configuration is the line:

   SSPIOfferBasic On

Without this line, browsers that support SSPI will prompt for the user's credentials, but clients that do not support SSPI such as Subversion will not prompt. (The current release of Neon - Subversion's HTTP library - handles only basic authentication.) Because the client never asks for credentials, any action that requires authentication will fail. Adding this line tells mod_auth_sspi to use basic authentication with the client, but to use the Windows domain controller to authenticate the credentials.
0
 
LVL 1

Author Comment

by:Gizneek
ID: 18860412
Also, I had to go with the old version of the SSPI module because using the new one I could not even connect with computers that were not on the domain. Much appreciated for the help.
0
 
LVL 1

Author Comment

by:Gizneek
ID: 18860415
This means that the OmitDomain and lowercase lines are removed from my config file.
0
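Added example, not part of the thread or of any project's code: a Python check that ties together the accepted answer (SSPIOfferBasic) and the author's last comment (removing the OmitDomain and lowercase lines changes the name that reaches the authz file). The function names are hypothetical, the username handling is an assumption about how mod_auth_sspi applies SSPIOmitDomain and SSPIUsernameCase, and the SSLRequireSSL test is a heuristic, since TLS may be enforced outside the Location block.

```python
# Added example, not from the thread. Sample inputs are constructed from the post.
HTTPD = """<Location /svn>
  AuthType SSPI
  SSPIAuth On
  SSPIOmitDomain On
  SSPIUsernameCase lower
</Location>"""
AUTHZ = """[groups]
group1 = domain\\user1,user1
[/]
@group1 = rw"""

def directives(conf):
    """Map lower-cased directive name to its lower-cased first argument."""
    out = {}
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0][0] not in "<#":
            out[parts[0].lower()] = parts[1].strip('"').lower() if len(parts) > 1 else ""
    return out

def effective_user(login, d):
    """Assumed mod_auth_sspi behaviour: optional domain strip, then case fold."""
    user = login.split("\\", 1)[-1] if d.get("sspiomitdomain") == "on" else login
    fold = {"lower": str.lower, "upper": str.upper}.get(d.get("sspiusernamecase"))
    return fold(user) if fold else user

def group_members(authz):
    """Names listed under [groups]; the authz file compares them case-sensitively."""
    members, in_groups = set(), False
    for line in (l.strip() for l in authz.splitlines()):
        if line.startswith("["):
            in_groups = line == "[groups]"
        elif in_groups and "=" in line:
            members.update(m.strip() for m in line.split("=", 1)[1].split(","))
    return members

def lint(conf, authz, login):
    d, findings = directives(conf), []
    if d.get("sspiauth") == "on" and d.get("sspiofferbasic") != "on":
        findings.append("no-offer-basic: non-SSPI clients (svn) are never prompted")
    if d.get("sspiofferbasic") == "on" and "sslrequiressl" not in d:
        findings.append("basic-without-tls: Basic sends domain credentials base64-encoded")
    user = effective_user(login, d)
    if user not in group_members(authz):
        findings.append("authz-mismatch: %r is not listed in [groups]" % user)
    return findings

print(lint(HTTPD, AUTHZ, "DOMAIN\\User1"))
```

Run against the question's configuration it reports only the missing SSPIOfferBasic line; with the domain-stripping and lowercase lines removed, the same login arrives as DOMAIN\User1 and no longer matches either spelling in the group.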
