[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

mod_svn_authz authorization problem (or maybe TSVN or Windows client password caching problem?)

From: Michael Kelley <michael.kelley_at_argonst.com>
Date: 2005-05-27 17:49:26 CEST

Anybody had any issues with mod_svn_authz authorization under Windows 2003 SP1?

Server: Windows 2003 Server SP1, Apache 2.0.52, Subversion 1.1.4, authentication via mod_auth_sspi,
subversion authorization using mod_svn_authz.
Clients: mix of Windows 2000 SP4 and XP SP1, Subversion 1.1.4, TSVN 1.1.7, IE 6.0 as default web

Occasionally, without any apparent reason, TSVN users are unable to commit changes to a repository
or are unable to use TSVN repro-browser to view parts or all of the repository or are unable to use
TSVN repro-browser to view repository source files (starts up IE and browses to repository URL).
Workaround is to clear TSVN password cache and re-authenticate with a different capitalization
variant of the user's Windows domain\userid.

Our domain accounts are made Camel-Cased, i.e., LastnameFirstname. Since mod_svn_authz checks are
case sensitive and Windows domain/userids aren't, I have five capitalization variants for each user
in the mod_svn_authz access control file. I'm using group definitions and assign rights within the
repository by group. Users can be members of more than one group and thus may have access at a
point in the repository via multiple group access entries.

1. domain\lastnamefirstname
2. DOMAIN\lastnamefirstname
3. domain\LastnameFirstname
4. DOMAIN\LastnameFirstname

Currently, I'm leaning towards suspecting mod_svn_authz instead of TSVN's password caching because
sometimes we loose access to just one controlled folder within our repository. The Apache error log
has an authorized domain\userid identified when "access denied". On a couple of occasions, users
have tried to use TSVN's Repro-Broswer to "open" a repository file which just launches IE to open
the repository file URL and access is denied. IE somehow automatically forwards the
currently-logged-in domain/userid credentials separately from TSVN's cached userid/password (or are
they both using some Windows security API?).

I've just about completed moving three engineering groups over from Razor and VSS to SVN and this
issue pops up. I'd appreciate any help or suggestions that may be offered.

-Mike Kelley

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri May 27 17:53:50 2005

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.