[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

subversion (SVN) with SSPI issue

Posted on 2007-03-28
4
Medium Priority
?
1,766 Views
Last Modified: 2013-11-25
When using SSPI, apache, and SVN... using the authz file for authentication I cannot seem to get it to work.  I can use * = r and then I can see all but the "/" directory.

Here are the loaded modules
LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule imap_module modules/mod_imap.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

Here is my setup within the httpd.conf

<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath  f:/svnrepos

AuthName "CFSVN"
      
      AuthType SSPI
      SSPIAuth On
      SSPIOmitDomain On
      SSPIUsernameCase lower
      SSPIAuthoritative On
      SSPIDomain domain

      Require valid-user
      AuthzSVNAccessFile "f:/svnrepos/access/access.txt"
</Location>

Funny thing is that it does ask me to login when I am on a machine that is not on my domain and it authenticates me.  It also auto authenticates when using auto login in IE but only when I use * = r.

Here is my authz file...

[groups]
group1 = domain\user1,user1


[/]
@group1 = rw

[/test1]
@group1 = rw


This is pretty urgent as with everything I post... so 500 points!
Thanks in advance...
0
Comment
Question by:Gizneek
  • 2
  • 2
4 Comments
 
LVL 4

Expert Comment

by:ati_ozgur
ID: 18859983
What do you see in your access logs? in Program Files/Apache2/logs/error.log file when you tried to access files. Even though I authenticate with DOMAIN/username. Logs show me username.

SSPIOfferBasic On

if you do not write this line, subversion clients does not work. Since subversion clients needs basic authentication to be able to work.

Not that you can not use, active directory groups with this type of authentication. I tried it but it does not work. But I was able to work it today with similar configuration to yours.


0
 
LVL 4

Accepted Solution

by:
ati_ozgur earned 2000 total points
ID: 18859995
from this subversion FAQ
http://subversion.tigris.org/faq.html

How do I allow clients to authenticate against a Windows domain controller using SSPI authentication?

TortoiseSVN has an excellent document that describes setting up a Subversion server on Windows. Go to http://tortoisesvn.net/docs/release/TortoiseSVN_en/tsvn-serversetup.html#tsvn-serversetup-apache-5, to see the section on SSPI authentication.

An important part of the configuration is the line:

   SSPIOfferBasic On

Without this line, browsers that support SSPI will prompt for the user's credentials, but clients that do not suppport SSPI such as Subversion will not prompt. (The current release of Neon - Subversion's HTTP library - handles only basic authentication.) Because the client never asks for credentials, any action that requires authentication will fail. Adding this line tells mod_auth_sspi to use basic authentication with the client, but to use the Windows domain controller to authenticate the credentials.
0
 
LVL 1

Author Comment

by:Gizneek
ID: 18860412
also, I had to go with the old version of the sspi module because using the new one I could not even connect with computers that were not on the domain.  Much appreciated for the help.
0
 
LVL 1

Author Comment

by:Gizneek
ID: 18860415
This means that the
OmitDomain and lowercase lines are removed from my config file.
0

Featured Post

Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question