On Fri, Jul 27, 2012 at 8:23 AM, Matthias Weißer <weisserm_at_arcor.de> wrote:
> Hi
>
> is it possible to authenticate users from a Windows active directory to a
> svnserve daemon? From what I have seen when googeling around was that most
> of the time the apache module is used when more complex authentication is
> needed. I would like to avoid the need for an apache on our internal server.
Does your server support SSH? Then you can use svn+ssh, which has some
big security advantages over HTTPS/WebDAV. One big advantage is that
it helps prevent the following combination for HTTPS access.
* HTTPS server uses normal user authentication, especially local
accounts or Kerberos authentication (which works well with Active
Directory, I must admit).
* Linux or UNIX client does not use optional, only supported with
recent Subversion versions, kwallet or gnome-wallet to manage their
authentication keys.
* Linux or UNIX client winds up storing passwords in
$HOME/.subversion/ in plain text. Heck, for RHEL 4, which is still in
industrial user, it has Subversion 1.1.4 which doesn't even *ask*
before it stores the password in plain text.
* Local network weasels read your plain text account and password for
*every system you authenticat to with Subversion*. In an environment
with NFS and and attitude of "we trust the people we work with" and
"we have a firewall to keep people out", it only takes one rootkitted
laptop to own your local network.
The svn+ssh approach works very well as a technology: what it's
missing is a published graceful toolkit to manage the SSH keys.
> Current situation:
> Ubuntu 12.04 LTS
> Winbind for domain user authentication on the Linux box
> svnserve using simple authentication via authz/passwd files
Can you use SSH key based access? I've actually asked several
integration companies in the last year if they could integrate
Subversion with Kerberos ticket based authentication, and they've not
taken up the project. (Dang!)
> Goal:
> Having only the authz file left with the permissions of the single users to
> the repos. The authentication should be done using the user database from
> the windows domain controller.
>
> I think SASL + PAM + WINBIND is the way to go. Before I get lost in a lot of
> documentation on the internet:
>
> Has someone done something like this before? Any hints?
>
> Thanks
> Matthias
It sounds reasonable. I'll be very curious about your results.
Received on 2012-07-29 03:51:27 CEST