> -----Original Message-----
> From: Bob Archer [mailto:Bob.Archer_at_amsi.com]
> Sent: woensdag 11 augustus 2010 15:42
> To: Branko Čibej; dev_at_subversion.apache.org
> Subject: RE: Bikeshed: configuration override order
>
> > On 11.08.2010 11:05, Bolstridge, Andrew wrote:
> > > The second aspect: client-stored passwords, this isn't so much
> > about storing them on the client but about having different ones.
> > Enterprises want single-signon, ie, a single password, centrally
> > held, that is used for all apps. They don't really care about
> > storing it locally so much as caring when Mildred calls the
> > helpdesk to say her password doesn’t work only to find she's
> > changed her main login but her svn password is the old, different
> > one. I don't think there's much to do here, except to get LDAP
> > working. Fortunately, VisualSVN allows integrated authentication
> > with Active Directory, and most enterprises still use Windows.
> > >
> >
> > What has that got to do with anything? You stock plain-vanilla
> > Subversion server can integrate with Active Directory just fine, if
> > you're serving via Apache. You don't need VisualSVN for that. So a
> > password update will change the SVN password, said user will
> > receive a
> > password prompt from the Subversion client *once*, and SVN will
> > presumably store that password securely (at least, it will on
> > Windows).
> >
> > -- Brane
>
> I've never used LDAP but doesn't windows handle passing credentials tokens
> in the background... you should never be prompted for credentials is you are
> using LDAP other than when you sign into your windows/domain account.
LDAP is a directory protocol; it allows to verify and get information about tokens.
SSPI (as implemented by mod_auth_sspi, neon and serf) handles the logon without asking for credentials.
If you want to check group membership and other details you can combine these two systems. (That is how I configured it at TCG).
Bert
Received on 2010-08-11 15:58:04 CEST