Solved

subversion (SVN) with SSPI issue

Posted on 2007-03-28
Last Modified: 2013-11-25
When using SSPI, Apache, and SVN, with the authz file for authentication, I cannot seem to get it to work.  I can use * = r and then I can see all but the "/" directory.

Here are the loaded modules
LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule imap_module modules/mod_imap.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

Here is my setup within the httpd.conf

<Location /svn>
      DAV svn
      SVNListParentPath on
      SVNParentPath f:/svnrepos

      AuthName "CFSVN"
      AuthType SSPI
      SSPIAuth On
      SSPIOmitDomain On
      SSPIUsernameCase lower
      SSPIAuthoritative On
      SSPIDomain domain

      Require valid-user
      AuthzSVNAccessFile "f:/svnrepos/access/access.txt"
</Location>

Funny thing is that it does ask me to login when I am on a machine that is not on my domain and it authenticates me.  It also auto authenticates when using auto login in IE but only when I use * = r.

Here is my authz file...

[groups]
group1 = domain\user1,user1


[/]
@group1 = rw

[/test1]
@group1 = rw


This is pretty urgent as with everything I post... so 500 points!
Thanks in advance...
Question by:Gizneek
4 Comments
 
LVL 4

Expert Comment

by:ati_ozgur
ID: 18859983
What do you see in your access logs, and in the Program Files/Apache2/logs/error.log file, when you try to access files? Even though I authenticate with DOMAIN/username, the logs show me username.

SSPIOfferBasic On

If you do not write this line, Subversion clients do not work, since Subversion clients need basic authentication to be able to work.

Note that you cannot use Active Directory groups with this type of authentication. I tried it but it does not work. But I was able to get it working today with a similar configuration to yours.


 
LVL 4

Accepted Solution

by:
ati_ozgur earned 500 total points
ID: 18859995
From this Subversion FAQ:
http://subversion.tigris.org/faq.html

How do I allow clients to authenticate against a Windows domain controller using SSPI authentication?

TortoiseSVN has an excellent document that describes setting up a Subversion server on Windows. Go to http://tortoisesvn.net/docs/release/TortoiseSVN_en/tsvn-serversetup.html#tsvn-serversetup-apache-5, to see the section on SSPI authentication.

An important part of the configuration is the line:

   SSPIOfferBasic On

Without this line, browsers that support SSPI will prompt for the user's credentials, but clients that do not support SSPI such as Subversion will not prompt. (The current release of Neon - Subversion's HTTP library - handles only basic authentication.) Because the client never asks for credentials, any action that requires authentication will fail. Adding this line tells mod_auth_sspi to use basic authentication with the client, but to use the Windows domain controller to authenticate the credentials.
 
LVL 1

Author Comment

by:Gizneek
ID: 18860412
Also, I had to go with the old version of the SSPI module because using the new one I could not even connect with computers that were not on the domain.  Much appreciated for the help.
 
LVL 1

Author Comment

by:Gizneek
ID: 18860415
This means that the OmitDomain and lowercase lines are removed from my config file.
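
Added example (not part of the original thread): a Python check of whether the user name that mod_auth_sspi hands to mod_authz_svn matches an entry in the authz file posted in the question, with and without the SSPIOmitDomain and SSPIUsernameCase lines. It assumes authz names are compared exactly and case-sensitively, that SSPIUsernameCase is applied to the whole name, and it reads only the exact section for a path (no inheritance); the function names are hypothetical.

```python
import re

# The authz file from the question, embedded as sample input.
AUTHZ = r"""
[groups]
group1 = domain\user1,user1

[/]
@group1 = rw

[/test1]
@group1 = rw
"""

def remote_user(login, omit_domain, username_case=None):
    """Name passed on for a DOMAIN\\user login under the given SSPI settings."""
    domain, _, user = login.rpartition("\\")
    name = user if omit_domain or not domain else domain + "\\" + user
    # Assumption: the case setting is applied to the whole resulting name.
    if username_case == "lower":
        return name.lower()
    if username_case == "upper":
        return name.upper()
    return name

def parse_authz(text):
    """Return (groups, rules): group -> member set, section -> {principal: access}."""
    groups, rules, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "groups":
            groups[key] = {m.strip() for m in value.split(",") if m.strip()}
        elif section is not None:
            rules.setdefault(section, {})[key] = value
    return groups, rules

def access_for(name, path, groups, rules):
    """Access the section for `path` grants `name`; "" means no rule matched."""
    granted = set()
    for principal, access in rules.get(path, {}).items():
        in_group = principal.startswith("@") and name in groups.get(principal[1:], set())
        if principal in ("*", name) or in_group:
            granted |= set(access)
    return "".join(sorted(granted))
```

With both lines in place a login of DOMAIN\User1 becomes user1 and matches group1; without them the name keeps its domain prefix and original case, so the authz entry has to be written in exactly that form.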