On 2009-04-08 13:40, Daniel Klaffenbach wrote:
> I am running Scientific Linux 5.2 with subversion 1.4.2 and apache
> 2.2.3. The subversion repositories reside in /var/www/svn and are
> being served with mod_dav_svn.
> The users should be authenticated with Kerberos. If Kerberos fails, I
> want subversion to check the REPONAME/conf/authz and passwd file for
> manually added users. Since we are going to have ~200 repositories I
> cannot keep all the users in one authz file.
> How do I have to set up apache to parse all the authz files in the
> different repositories?
> The Kerberos part kind of works with
> AuthzSVNAccessFile /var/www/svn_authz
> but obviously I cannot keep all the user information in there. Users
> should also be able to add non-Kerberos users and configure access for
> krb and non-krb users.
> Any ideas?
Your question, "how do I get Apache to use multiple authentication
modules?", is more of an Apache+mod_auth_kerb question than a
Subversion question. I've not found a satisfactory answer for
Apache 2.2 + mod_auth_kerb so I've pieced together my own patches
to Apache 2.2.9 and mod_auth_kerb 5.3 which can do this. YMMV.
Here's the jist of the changes:
Change authorization checking to enable authorization when any
authorization header is found, not just when the location
Add a AuthBasicLazy flag, which when true, enables
mod_auth_basic on any request with a "Authorization: basic"
Changes to make Kerberos less authoratative to allow basic auth
from other modules to succeed.
Are there any Apache folks around who have any thoughts about this?
% openssl sha1 apache22-request-auth-header-patch apache-mod_auth_basic-svn+authoratative.patch mod_auth_kerb-svn+basic.patch
Alec.Kloss_at_oracle.com Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956
Received on 2009-04-08 15:33:50 CEST
- application/pgp-signature attachment: stored