Jason-
I've followed your advice, but I am now running into different issues.
My httpd.conf now includes:
<Directory "c:\svnrepos">
AllowOverride None
Options All
Order allow,deny
Allow from all
</Directory>
<Location /repos>
dav svn
SVNListParentPath on
SVNParentPath "c:/svnrepos/"
# our user authentication policy
AuthName "Windows Authentication - SVN"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain <MyDomain>
# let non-IE clients authenticate
SSPIOfferBasic On
# strip the domain name from the userid string
# passed down to mod_authz_svn
SSPIOmitDomain On
SSPIUsernameCase lower
<LimitExcept GET PROPFIND OPTIONS REPORT>
Satisfy Any
Require valid-user
</LimitExcept>
# our access control policy enforced by mod_authz_svn
AuthzSVNAccessFile "c:/svnrepos/svnaccess.conf"
</Location>
And my svnaccess.conf is as follows:
#access control file
[groups]
admin = user1, user2
bona-dev = user3
[/]
* = r
@admin = rw
@bona-dev = rw
[bona:/]
* = r
@bona-dev = rw
@admin = rw
[repos:/]
* = r
@bona-dev = rw
@admin = rw
If I use the default setup for Apache authentication, I am able to browse to
http://servername/repos/bona
...as normal. When I use the files above (with SSPI), I get a 500 -
Internal Server Error.
The error.log file displays the following:
[Thu Jun 29 09:29:27 2006] [error] [client 10.112.2.125] (20014)Error string
not specified yet: Can't open file 'c:\\svnrepos\\bona\\format': The system
cannot find the path specified.
[Thu Jun 29 09:29:27 2006] [error] [client 10.112.2.125] Could not fetch
resource information. [500, #0]
[Thu Jun 29 09:29:27 2006] [error] [client 10.112.2.125] Could not open the
requested SVN filesystem [500, #720003]
[Thu Jun 29 09:29:27 2006] [error] [client 10.112.2.125] Could not open the
requested SVN filesystem [500, #720003]
I appreciate your help with this.
Steve
_____
From: jason@subversus.org [mailto:jason@subversus.org]
Sent: Wednesday, June 28, 2006 5:01 PM
To: jason@subversus.org; Leathem, Steven; dev@subversion.tigris.org
Subject: RE: Windows AD authentication with SSPI
I suppose if I had read your email better the first time, I'd have given a
better response. First, all of what I said earlier applies. However, in
addition, the problem is that you're not providing a full repository path.
The path to your repository, in your case is:
http://<servername>/repos/<repository name>
It seems as though you're neglecting to add the actual name of your
repository.
From: jason@subversus.org [mailto:jason@subversus.org]
Sent: Wednesday, June 28, 2006 4:56 PM
To: 'Leathem, Steven'; 'dev@subversion.tigris.org'
Subject: RE: Windows AD authentication with SSPI
I would recommend
1) Turning SSPIOfferBasic "on" as the documentation recommends
2) Setting SSPIUsernameCase to "lower" which will ensure consistent
username case (always lower)
3) Setting SSPIOmitDomain to "on" which will strip the domain name from
the username.
Then for [groups], just list the usernames *all lowercase* and *domain name
omitted*.
This should take care of your issues.
From: Leathem, Steven [mailto:Steven.Leathem@phlx.com]
Sent: Wednesday, June 28, 2006 4:33 PM
To: dev@subversion.tigris.org
Subject: Windows AD authentication with SSPI
Hello-
My platform is:
- Windows Server 2003
- Apache 2.0.58
- SubVersion 1.3.0r17949 (installed with 1-Click setup)
I am trying to set up Active Directory authentication for the users. I've
found numerous web sites that have explained how to do this, but for some
reason, I can't seem to get this working.
I've downloaded the "mod_auth_sspi-1.0.4-2.0.58.zip" file from:
http://www.gknw.net/development/apache/httpd-2.0/win32/modules/
...and copied the appropriate module file to Apache.
The applicable parts of the httpd.conf are below:
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
# subversion modules
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
# Windows authentication module
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule auth_module modules/mod_auth.so
<Directory "c:\svnrepos">
AllowOverride None
Options All
Order allow,deny
Allow from all
</Directory>
<Location /repos>
dav svn
SVNListParentPath on
SVNParentPath "c:/svnrepos/"
AuthName "Windows Authentication - SVN"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain <domain name>
<LimitExcept GET PROPFIND OPTIONS REPORT>
Satisfy Any
Require valid-user
</LimitExcept>
# our access control policy enforced by mod_authz_svn
AuthzSVNAccessFile "c:/svnrepos/svnaccess.conf"
</Location>
My svnaccess.conf is as follows:
[groups]
admin = domain\username, domain//username, username
[/]
* = r
@admin = rw
I've tried several combinations of the domain\username, based on advice I've
heard on other web sites. The error I receive when browsing to the
repository is:
Forbidden
You don't have permission to access /repos/ on this server.
(I don't even get prompted for credentials.) I then see the following in
the error.log file:
[Wed Jun 28 16:23:01 2006] [error] [client (IP address)] The URI does not
contain the name of a repository. [403, #190001]
I am unable to log in via TortoiseSVN either. Any help is greatly
appreciated.
Steve
Received on Thu Jun 29 16:07:27 2006
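
An added example, not part of the original thread or of Subversion itself: a Python check of an authz file against the settings discussed above (SSPIOmitDomain On, SSPIUsernameCase lower), plus a check that each repository named in a [name:/] section has a "format" file under the SVNParentPath directory, the file the error log reports as missing. The function names and the mixed-case "User3" entry are constructed for illustration.

```python
import os
import re

# Constructed sample: the first svnaccess.conf from the thread, plus a
# mixed-case group member and a per-repository section added for illustration.
SAMPLE_AUTHZ = r"""
[groups]
admin = domain\username, domain//username, username
bona-dev = User3
[/]
* = r
@admin = rw
[bona:/]
@bona-dev = rw
"""

def parse_authz(text):
    """Return {section: [(name, value), ...]} for an authz-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            current.append((name, value))
    return sections

def principal_problems(sections):
    """Flag user names that cannot match a lowercased, domain-stripped login."""
    users = [u.strip() for _, v in sections.get("groups", []) for u in v.split(",")]
    users += [n for sec, rules in sections.items() if sec != "groups"
              for n, _ in rules if n != "*" and not n.startswith("@")]
    problems = []
    for user in filter(None, users):
        if "\\" in user or "/" in user:
            problems.append((user, "domain prefix"))
        elif user != user.lower():
            problems.append((user, "not lowercase"))
    return problems

def missing_repositories(sections, parent_path):
    """Repository names in [name:/path] sections with no 'format' file on disk."""
    repos = {sec.split(":", 1)[0] for sec in sections if ":" in sec}
    return sorted(r for r in repos
                  if not os.path.isfile(os.path.join(parent_path, r, "format")))
```

Run principal_problems() on the parsed access file before reloading Apache, and missing_repositories() with the same directory given to SVNParentPath.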