[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Windows AD authentication with SSPI

From: <jason_at_subversus.org>
Date: 2006-06-29 16:38:33 CEST

Well, you've added a ton of variables into your httpd.conf and
svnaccess.conf. In order to figure out problems start with something more
basic, get it working, and then add additional options until you get
everything you want. Having said that, start with the following:

 

Httpd.conf (replacing "MyDomain with your real domain name).

 

<Location /repos>
    dav svn
    SVNListParentPath on
    SVNParentPath "c:/svnrepos/"

    AuthName "Windows Authentication - SVN"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain <MyDomain>

    SSPIOfferBasic On

    SSPIOmitDomain On

    SSPIUsernameCase lower

    AuthzSVNAccessFile "c:/svnrepos/svnaccess.conf"
</Location>

 

And for svnaccess.conf .

 

[groups]
admin = user1, user2
bona-dev = user3

 

[/]
* = r
@admin = rw
@bona-dev = rw

 

 

From: Leathem, Steven [mailto:Steven.Leathem@phlx.com]
Sent: Thursday, June 29, 2006 10:07 AM
To: jason@subversus.org; dev@subversion.tigris.org
Subject: RE: Windows AD authentication with SSPI

 

Jason-

 

I've followed your advice, but I am now running into different issues.

 

My httpd.conf now includes:

 

<Directory "c:\svnrepos">
   AllowOverride None
    Options All
    Order allow,deny
    Allow from all
</Directory>

 

<Location /repos>
    dav svn
    SVNListParentPath on
    SVNParentPath "c:/svnrepos/"

 

    # our user authentication policy

 

    AuthName "Windows Authentication - SVN"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain <MyDomain>

 

    SSPIOfferBasic On #let non-IE clients authenticate
    SSPIOmitDomain On # keep domain name in userid string
                       # passed down to mod_authz_svn

 

    SSPIUsernameCase lower

 

    <LimitExcept GET PROPFIND OPTIONS REPORT>
     Satisfy Any
     Require valid-user
    </LimitExcept>

 

    # our access control policy enforced by mod_authz_svn
    AuthzSVNAccessFile "c:/svnrepos/svnaccess.conf"
</Location>

 

And my svnaccess.conf is as follows:

 

#access control file

 

[groups]
admin = user1, user2
bona-dev = user3

[/]
* = r
@admin = rw
@bona-dev = rw

[bona:/]
* = r
@bona-dev = rw
@admin = rw

[repos:/]
* = r
@bona-dev = rw
@admin = rw

 

If I use the default setup for Apache authentication, I am able to browse to
http://servername/repos/bona

...as normal. When I use the files above (with SSPI), I get a 500 -
Internal Server Error.

 

The error.log file displays the following:

 

[Thu Jun 29 09:29:27 2006] [error] [client 10.112.2.125] (20014)Error string
not specified yet: Can't open file 'c:\\svnrepos\\bona\\format': The system
cannot find the path specified.
[Thu Jun 29 09:29:27 2006] [error] [client 10.112.2.125] Could not fetch
resource information. [500, #0]
[Thu Jun 29 09:29:27 2006] [error] [client 10.112.2.125] Could not open the
requested SVN filesystem [500, #720003]
[Thu Jun 29 09:29:27 2006] [error] [client 10.112.2.125] Could not open the
requested SVN filesystem [500, #720003]

 

I appreciate your help with this.

 

Steve

 

 

 

 

  _____

From: jason@subversus.org [mailto:jason@subversus.org]
Sent: Wednesday, June 28, 2006 5:01 PM
To: jason@subversus.org; Leathem, Steven; dev@subversion.tigris.org
Subject: RE: Windows AD authentication with SSPI

I suppose if I had read your email better the first time, I'd have given a
better response. First, all of what I said earlier applies. However, in
addition, the problem is that you're not providing a full repository path.
The path to your repository, in your case is:

 

http:// <http://%3cservername%3e/repos/%3crepository>
<servername>/repos/<repository name>

 

It seems as though you're neglecting to add the actual name of your
repository.

 

 

From: jason@subversus.org [mailto:jason@subversus.org]
Sent: Wednesday, June 28, 2006 4:56 PM
To: 'Leathem, Steven'; 'dev@subversion.tigris.org'
Subject: RE: Windows AD authentication with SSPI

 

I would recommend

 

1) Turning SSPIOfferBasic "on" as the documentation recommends

2) Setting SSPIUsernameCase to "lower" which will ensure consistent
username case (always lower)

3) Setting SSPIOmitDomain to "on" which will strip the domain name from
the username.

 

Then for [groups], just list the usernames *all lowercase* and *domain name
omitted*.

 

This should take care of your issues.

 

 

From: Leathem, Steven [mailto:Steven.Leathem@phlx.com]
Sent: Wednesday, June 28, 2006 4:33 PM
To: dev@subversion.tigris.org
Subject: Windows AD authentication with SSPI

 

Hello-

My platform is:
- Windows Server 2003
- Apache 2.0.58
- SubVersion 1.3.0r17949 (installed with 1-Click setup)

I am trying to set up Active Directory authentication for the users. I've
found numerous web sites that have explained how to do this, but for some
reason, I can't seem to get this working.

I've downloaded the "mod_auth_sspi-1.0.4-2.0.58.zip" file from:
 <http://www.gknw.net/development/apache/httpd-2.0/win32/modules/>
http://www.gknw.net/development/apache/httpd-2.0/win32/modules/
...and copied the appropriate module file to Apache.

The applicable parts of the httpd.conf is below:

LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so

# subversion modules
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

# Windows authentication module
LoadModule sspi_auth_module modules/mod_auth_sspi.so

LoadModule auth_module modules/mod_auth.so

<Directory "c:\svnrepos">
   AllowOverride None
    Options All
    Order allow,deny
    Allow from all
</Directory>

<Location /repos>
    dav svn
    SVNListParentPath on
    SVNParentPath "c:/svnrepos/"

    AuthName "Windows Authentication - SVN"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain <domain name>

    <LimitExcept GET PROPFIND OPTIONS REPORT>
     Satisfy Any
     Require valid-user
    </LimitExcept>

    # our access control policy enforced by mod_authz_svn
    AuthzSVNAccessFile "c:/svnrepos/svnaccess.conf"
</Location>

My svnaccess.conf is as follows:

[groups]
admin = domain\username, domain//username, username

[/]
* = r
@admin = rw

I've tried several combinations of the domain\username, based on advice I've
heard on other web sites. The error I receive when browsing to the
repositoty is:

Forbidden
You don't have permission to access /repos/ on this server.

(I don't even get prompted for credentials.) I then see the following in
the error.log file:

[Wed Jun 28 16:23:01 2006] [error] [client (IP address)] The URI does not
contain the name of a repository. [403, #190001]

I am unable to log in via TortoiseSVN either. Any help is greatly
appreciated.

Steve

 
Received on Thu Jun 29 16:40:26 2006

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.