[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Re: TSVN & Apache & SSPI & SSL problems

From: Gillis, Paul <pgillis_at_insight-tek.com>
Date: Wed, 22 Oct 2008 08:25:53 -0400

Hi Stefen,

Thanks for your all your help. I now have TSVN authenticating to the domain without being prompted for a username and password. And I've got folder level restrictions working with AuthzSVNAccessFile. Here's my httpd.conf file.

<Location /svn>
        DAV svn
        SVNListParentPath on
        SVNParentPath //netapp/svn$/
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIDomain ns
        SSPIOmitDomain on
        SSPIUsernameCase lower
        SSPIPerRequestAuth on
        SSPIOfferBasic On
        AuthName "Subversion repositories"
        AuthzSVNAccessFile conf/svnaccessfile
        Require valid-user
</Location>

And here is my svnaccess file.

[groups]
admin = gillis_p, patel_n
eng = brock_c, cusson_e, depaula_g, drewn_j, gauvin_g,
#
# Default access rule for ALL repositories
# Everyone can read, admins can write, Dan German is excluded.
[/]
* = r
@admin = rw
dangerman =
#
# Allow developers complete access to their project repos
#
[test:/]
@admin= rw
brock_c = rw

But now, IE will not let me browse the directory of repositories even though it will let me browse individual repositories! That seems rather odd. It was working before I added the AuthzSVNAccessFile directive. I now get "HTTP Error 403 - Forbidden - You are not authorized to view this page." The error.log contains "[error] [client 10.13.100.222] The URI does not contain the name of a repository. [403, #190001]."

Somebody else reported this in the mail archive a couple of years back and nobody responded with a solution. I know it's not a TSVN problem, per se, but you seem to have the answers to most of the issues I've encountered so far. Any help would be appreciated.

Thanks!

>-----Original Message-----
>From: Stefan Küng [mailto:tortoisesvn_at_gmail.com]
>Sent: Friday, October 17, 2008 2:07 PM
>To: users_at_tortoisesvn.tigris.org
>Subject: Re: TSVN & Apache & SSPI & SSL problems
>
>Gillis, Paul wrote:
>
>> I was mistakenly under the impression that I had to enable SSPI to
>> use Windows domain authentication. It's just the way I read it in
>> the manual. So if I understand correctly, mod_auth_sspi with AuthType
>> SSPI would have tried to authenticate me without prompting for
>> username and password again and with AuthType Basic it will instead
>> always prompt me for a username and password. Is that right? What I
>> want to avoid are anonymous commits by anybody. That's why I was
>> tying to force SSPI.
>
>You could also leave it as it is now. TSVN will first try SSPI, and if
>that doesn't work it falls back to basic authentication with your
>domain. From your last mail it seems that this works already.
>
>>>> I now realize that https from the Subversion client also gives me
>>>> a certificate error: "The certificate is not issued by a trusted
>>>> authority. Use the fingerprint to validate the certificate
>>>> manually!" I generated the certificate following the instructions
>>>> in 3.1.7 of the manual. Are they incorrect or incomplete? What
>>>> do I have to do to generate a trustworthy certificate that
>>>> subversion and TSVN will accept?
>>> You would have to buy a certificate from a trusted company, a so
>>> called "certificate authority":
>>> http://support.microsoft.com/kb/931125
>>
>> It looks like I can choose to accept the untrusted certificate
>> permanently and not be bothered by this. Or, if I disable SSPI, I
>> should not see it at all.
>
>That has nothing to do with SSPI. Well, at least not much :)
>You would also get this dialog for 'normal' https connections where you
>don't even have authentication set up. But since you're using http, it's
>really SSPI which triggers this (at least I assume, I don't know how
>your domain controller is set up).
>And yes, you can permanently accept this certificate and then you won't
>get bothered again.
>Or, you could install your manually created certificate on all client
>machines.
>
>Stefan
>
>--
> ___
> oo // \\ "De Chelonian Mobile"
> (_,\/ \_/ \ TortoiseSVN
> \ \_/_\_/> The coolest Interface to (Sub)Version Control
> /_/ \_\ http://tortoisesvn.net

This e-mail message and all attachments thereto may contain technical data that is subject to export control regulations, or confidential material, and is for the sole use of the intended recipients. Review, dissemination, or other use by anyone else is prohibited. If you are not an intended recipient, please contact the sender and delete all copies.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_tortoisesvn.tigris.org
For additional commands, e-mail: users-help_at_tortoisesvn.tigris.org
Received on 2008-10-22 14:26:02 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.