[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: subversion authentication options

From: Christopher Elkins <chrise_at_esha.com>
Date: 2005-02-24 19:17:44 CET

Brad O'Hearne wrote:
>
> Christopher Elkins wrote:
>
> >On Feb 24, 2005, at 11:01 AM, Brad O'Hearne wrote:
> >
> >>I am using subversion installed on fedora core 3 linux with
> the apache
> >>access option. I would really like not to have to manually manage
> >>passwords -- aside from the obvious admin overhead, the notion of
> >>managing passwords manually is somewhat ridiculous -- having to let
> >>someone else know what your password is in order to manage
> it defeats
> >>much of the purpose of having a password. Anyway, I have run across
> >>this link from the FAQ:
> >>
> >>http://tortoisesvn.tigris.org/docs/TortoiseSVN_en/ch03.html#ts
> >>vn-serversetup-apache-5
> >>
> >>which allows authentication against a Windows domain
> controller, which
> >>we have. I tried installing this, but it appears that this doesn't
> >>work on Linux, but only on a Windows box. If anyone has a
> version of
> >>this that works on linux, or have gotten this working on
> linux, let me
> >>know.
> >>
> >>Are there any other options for letting users manage their own
> >>passwords?
> >>
> >>
> >
> >If your domain controller is an Active Directory domain controller,
> >then you can access it via LDAP and use Apache's mod_auth_ldap to
> >authenticate against it.
> >
> >
> >
> That would be awesome. Do you have a good link with
> instructions on how to do this?

No, but somebody out there has probably written up the process. If
you've configured LDAP before, it's not too difficult. Here are some
miscellaneous tips:

- Apache2's mod_auth_ldap is considered an "experimental" module
(although I've experienced zero problems with it). If you're using a
vendor-supplied Apache, it might not be present.

- Active Directory does not allow anonymous queries by default. You need
to enable them or use an AD account with sufficient privileges to do the
lookups. (My preference is to create a dedicated account for this sole
purpose.)

"How to configure Active Directory to allow anonymous queries"
<http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320528>

- AD's directory structure is not immediately obvious and can vary
depending on the OS version and edition (e.g., Small Business Server is
completely different from the typical AD hierarchy). Use something like
ADSI Edit (adsiedit.msc) from the resource kit to see the underlying
structure, which you'll need to know in order to construct the LDAP
URLs.

Once you've dealth with the above issues, configuring Apache is as
simple as reading the mod_auth_ldap documentation. Here's a sample
configuration (note that the LDAP URLs are specific to Small Business
Server 2003):

<Location /repos>
    ... usual SVN directives ...

    AuthType Basic
    AuthLDAPUrl
ldap://mydc.mydomain.local/OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomai
n,DC=local?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN "MYDOMAIN\ldaplookup"
    AuthLDAPBindPassword foobar

    # Limit access to members of the programmers group
    Require group CN=Programmers,OU=Security
Groups,OU=MyBusiness,DC=mydomain,DC=local
</Location>

-- 
Christopher Elkins
ESHA Research
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Feb 24 19:20:13 2005

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.