Re: Credentials Caching - Security Guy Not Happy

On Wed, 25 Aug 2004 19:00:31 -0700
Paul Ossenbruggen <paul.ossenbruggen@convoii.net> wrote:

> Another possibility that may completely solve the problem is Kerberos
> authentication rather than auth_ldap and AD, but may be tricky to
> setup. Does anyone have experience with this? I found mod_auth_kerb
> does this work?

AD (Win2k) authorize users (win logon). Linux users use kinit to get ticket.
Then we can use Kerberos ticket for our needs (neon has Kerberos auth support).
Users simply work with Subversion and don't enter additional info (login, password).
Password is not stored at client side, it's not transferred in plaintext over network.

Information about user rights for any directory of any repository is stored in LDAP.

Server software: Apache, mod_auth_kerb (authorization), mod_authz_svn (authentication), OpenLDAP.
Client software: Subversion console client or TortoiseSVN.
Linux versions use neon with modified ne_auth.c (from CVS).
Windows versions use patched neon library with native SSP support
(because i don't want to install additional software like MIT Kerberos for Windows).

We use this model...

P.S. Sorry for bad English, it's not my native language ;-)

Best regards,
Den Varaksin

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Aug 26 15:10:21 2004