[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: VS2005 issues (was 1.4.0-rc1 tarballs up for testing/signing)

From: steveking <steveking_at_gmx.ch>
Date: 2006-06-06 17:35:16 CEST

D.J. Heap wrote:
>> Sorry, the correct name is HAVE_SSPI in neon. Stefan (The TSVN Stefan)
>> has
>> disabled this directive in his build, because svn 1.3 is not able to fall
>> back to basic authentication if you use a server with mod_dav_sspi and a
>> sspi enabled client. Otherwise svn --username --password ignores the
>> given
>> credentials and uses everytime the credentials from the current user.
>> This
>> is the case with the official build and essentially the problem of this
>> posting:
>>
>> http://svn.haxx.se/dev/archive-2006-06/0023.shtml
>>
>> My question is if this would still be the case with the upcoming 1.4
>> release
>> if I would define HAVE_SSPI.
>
>
> So the --username and --password parms on the commandline are ignored
> if you have SSPI on? That does sound like a problem in Subversion's
> auth code. Is there an issue filed?

No, there's no issue for this. But I have reported this three times
already (I think three, but I'm sure of two). To avoid this problem, you
need the latest neon version (0.26.x), which has the ability to disable
some authentication schemes. To actually use basic authentication, you
must disable SSPI and kerberos auth in neon, because if you don't
disable it, neon will always try those first (that's the order of auth
schemes neon tries, first SSPI, then kerberos, then it uses the callback
functions to get username/password). In case SSPI is successful with the
GUEST user account, it uses that authentication. But later the
authorization will fail (unless you gave the user GUEST read/write
access to the repository, which is very unlikely).

So once again, I suggest to implement this in Subversion:
* provide a new config option in the servers file to disable
SSPI/kerberos or whatever 'automatic' authentication neon can use for
certain servers/ips.
* if the config option is set, tell neon that before calling its
authentication functions.

Stefan 

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Jun 6 17:38:24 2006

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.