[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Remaining issues in ra_serf-auth branch

From: Lieven Govaerts <lgo_at_mobsol.be>
Date: 2007-08-26 09:08:27 CEST

[Ivan asked me for an update on the status of the ra_serf-auth branch, I
think this is interesting for all devs]

Ivan Zhakov wrote:
> Hi Lieven,
>
> Can I help someway you with ra_serf-auth branch? I'd like see ra_serf
> SSPI authentication in svn 1.5.x.
First of all I'd like to have ra_serf pass all tests, which we're almost
there (3 tests for 2 small issues). But it's my goal too to have sspi
finished for 1.5. Your help is very much appreciated!

> Do you have list of remaining issues?
>

On a high level it should be:
- add ntlm proxy support
- add kerberos support (is also sspi, but Challenge authentication
instead of NTLM)
- test special server configurations. I only test with mod_authz_sspi on
my local machine, but things like guest account or not, fallback to
basic etc remain to be tested.
- check if issue 2807 impacts ra_serf/sspi
- fix the remaining test issues:

I brought the ra_serf-auth branch up to date with trunk and I'm testing
right now on my pc. I'm running the full testsuite but with sspi
enabled, so instead of using jrandom svn uses my local account. When the
tests are finished I'll send the list of failures to the dev list, I
don't expect to many.

There are a few general other issues I noticed during testing:
- 404 errors are not always handled. I've fixed some of those already
(add status_code to the parser_ctx), there probable are some other too.
- all request body's should be created through the body_delegate
mechanism (see http://svn.haxx.se/dev/archive-2007-08/0153.shtml). So
when a request results in a 401, the message is send again with correct
authentication. Problem is that at this time the body buckets are
already consumed and freed. This typically results in corrupt data in
random places or double free aborts. These are issues you can't find in
testing, because they depend on the apache configuration etc.

There are two patches on the serf-dev list that remain to be committed,
I won't merge the ra_serf-auth branch back to trunk before those patches
are included in a new serf release, if you can review them (and commit)
them that would be nice. Justin has offered me commit access to serf,
two weeks ago, but I'm still waiting for the apache org to handle my ICLA.

So, if you want to run and test the ra_serf-auth code, you'll need the
two patches I sent to the serf list (two for serf, one for ra_serf),
attached patch for correct pool usage (didn't commit yet cause I don't
know the exact reason why it fails yet) and a correct apache config.

For apache I use mod_auth_sspi-1.0.4 and configuration like this:
<Location /svn-test-work/repositories>
 DAV svn
 SVNParentPath C:\..\svn-test-work/repositories
 AuthzSVNAccessFile C:\../svn-test-work/authz
 AuthType SSPI
 SSPIAuth On
 AuthName "Subversion Repository"
 AuthUserFile "C:\Program Files\Apache Group\Apache2\conf.d/users"
 Require valid-user
</Location>

<Location /svn-test-work/local_tmp/repos>
 DAV svn
 SVNPath C:\..\svn-test-work/local_tmp/repos
 AuthzSVNAccessFile C:\..\svn-test-work/authz
 AuthType SSPI
 SSPIAuth On
 AuthName "Subversion Repository"
 AuthUserFile "C:\Program Files\Apache Group\Apache2\conf.d/users"
 Require valid-user
</Location>

Lieven

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Aug 26 09:03:00 2007

This is an archived mail posted to the Subversion Dev mailing list.