[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Combining SVN access rights with Active Directory authentication

From: Auke Jilderda <jilderda_at_dds.nl>
Date: 2006-01-04 22:29:21 CET

I'm trying to hook up Subversion and Apache2 to Microsoft Active Directory
but am struggling a bit with exactly what is and is not possible at
present. I was hoping you can help me clarify this.

I know Apache2 with Subversion can authenticate against a Microsoft Active
Directory service using the SSPI or NTLM module when running Apache on
Windows respectively UNIX. The SSPI module is currently not actively
maintained but the TortoiseSVN documentation includes a section on how to
configure it [1] while the NTLM project's home page [2] describes how to
configure the module.

This works although it leaves the challenge of getting clients other than
Microsoft Internet Explorer to actually ask for credentials. This can be
accomplished by having Apache use basic authentication for fetching the
credentials before using SSPI or NTLM for authenticating against Microsoft
Active Directory, adding the 'SSPIOfferBasic On' respectively
"NTLMBasicAuth On" directive. Hence, configuring the NTLM module for the
SVN location as follows works:
    AuthType NTLM
    AuthName "Bogus Repository"
    NTLMAuth On
    NTLMAuthoritative On
    NTLMDomain MSAD01
    NTLMserver wdc1
    NTLMBasicAuth On

So far so good but this naturally leads to a next question: Can I define
who has access to what using the user accounts and groups defined in the
Microsoft Active Directory?

I've searched and read up on the topic but am a bit at a loss with the
multiple authentication and authorisation modules out there and Apache 2.2
having things again refactored and would really appreciate some pointers.

Thanks,

Auke

 1. http://tortoisesvn.sourceforge.net/docs/release/TortoiseSVN_en/ch03.html#tsvn-serversetup-apache-5
 2. http://modntlm.sourceforge.net

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Jan 4 22:50:47 2006

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.