[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Windows AD authentication with SSPI

From: <jason_at_subversus.org>
Date: 2006-06-28 22:55:50 CEST

I would recommend

 

1) Turning SSPIOfferBasic "on" as the documentation recommends

2) Setting SSPIUsernameCase to "lower" which will ensure consistent
username case (always lower)

3) Setting SSPIOmitDomain to "on" which will strip the domain name from
the username.

 

Then for [groups], just list the usernames *all lowercase* and *domain name
omitted*.

 

This should take care of your issues.

 

 

From: Leathem, Steven [mailto:Steven.Leathem@phlx.com]
Sent: Wednesday, June 28, 2006 4:33 PM
To: dev@subversion.tigris.org
Subject: Windows AD authentication with SSPI

 

Hello-

My platform is:
- Windows Server 2003
- Apache 2.0.58
- SubVersion 1.3.0r17949 (installed with 1-Click setup)

I am trying to set up Active Directory authentication for the users. I've
found numerous web sites that have explained how to do this, but for some
reason, I can't seem to get this working.

I've downloaded the "mod_auth_sspi-1.0.4-2.0.58.zip" file from:
 <http://www.gknw.net/development/apache/httpd-2.0/win32/modules/>
http://www.gknw.net/development/apache/httpd-2.0/win32/modules/
...and copied the appropriate module file to Apache.

The applicable parts of the httpd.conf is below:

LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so

# subversion modules
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

# Windows authentication module
LoadModule sspi_auth_module modules/mod_auth_sspi.so

LoadModule auth_module modules/mod_auth.so

<Directory "c:\svnrepos">
   AllowOverride None
    Options All
    Order allow,deny
    Allow from all
</Directory>

<Location /repos>
    dav svn
    SVNListParentPath on
    SVNParentPath "c:/svnrepos/"

    AuthName "Windows Authentication - SVN"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain <domain name>

    <LimitExcept GET PROPFIND OPTIONS REPORT>
     Satisfy Any
     Require valid-user
    </LimitExcept>

    # our access control policy enforced by mod_authz_svn
    AuthzSVNAccessFile "c:/svnrepos/svnaccess.conf"
</Location>

My svnaccess.conf is as follows:

[groups]
admin = domain\username, domain//username, username

[/]
* = r
@admin = rw

I've tried several combinations of the domain\username, based on advice I've
heard on other web sites. The error I receive when browsing to the
repositoty is:

Forbidden
You don't have permission to access /repos/ on this server.

(I don't even get prompted for credentials.) I then see the following in
the error.log file:

[Wed Jun 28 16:23:01 2006] [error] [client (IP address)] The URI does not
contain the name of a repository. [403, #190001]

I am unable to log in via TortoiseSVN either. Any help is greatly
appreciated.

Steve

 
Received on Wed Jun 28 22:59:15 2006

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.