[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: TortoiseSVN - Delegate kerberos credential

From: Ed Smith <kedward777_at_gmail.com>
Date: Fri, 18 Dec 2015 16:06:29 +0000 (UTC)

Ionut Craciunescu <icraciunescu@...> writes:

>
> Hello,
>
> I setup our SVN server for AD SSO by using Apache, DAV module, keberos
authentication and ldap
> authorization.
>
> The goal is to have full AD integration: SSO on user side (implies
kerberos authentication) and use AD
> groups for authorization.
>
> From functionality point of view, everything works just fine, we have full
AD SSO, users are able to do all
> required actions and we are able to use AD groups for authorization.
>
> The downside of this setup is that Kerberos authentication induces an
observable slowness when a
> commit\checkout of a large number of files takes places. Authentication is
performed for each file that
> has to be committed\checked out.
>
> I was wondering if enabling kerberos credential saving (KrbSaveCredentials
On) on server side will speed
> up things.
>
> I configured the server for credential saving. For example when I access
the repo via browser I can see the
> credentials being cached on the server and in the server logs the message
"the client delegate us their
> credential" .
>
> But when I access the repo via TortoiseSVN, kerberos credentials are not
saved on the server; the client
> does not delegate\forward credentials. Is this something that can be
configured on TortoiseSVN side ?
>
> Do other users reported any slowness when using Kerberos auth ?
>
> Regards,
> Ionut
>
> ------------------------------------------------------
> http://tortoisesvn.tigris.org/ds/viewMessage.do?
dsForumId=4061&dsMessageId=3112586
>
> To unsubscribe from this discussion, e-mail: [users-unsubscribe@...].
>
>

Hello,

Could you share more about how you set up SVN+Apache+Kerberos and your
integration with Tortise SVN? What versions? Did you follow a web doc
somewhere?

I installed
Subversion 1.8.14
Apache 2.4.17
mod_auth_kerb-5.4

When I use TSVN I can only pull up the list of projects in my repo, if I
try to descend into the projects it does not seem to send the kerberos
ticket/credential. TSVN only sends the kerberos ticket with the call to the
root of the repo, but not for projects in the repo.

I get "unable to connect to repository at URL......." I see no credential
sent:

133.6.84.222 - sandym [16/Dec/2015:15:13:21 -0500] "OPTIONS /cm_repo1
HTTP/1.1" 200 188
133.6.84.222 - sandym [16/Dec/2015:15:13:21 -0500] "PROPFIND
/cm_repo1/!svn/rvr/2245 HTTP/1.1" 207 326
133.6.84.222 - sandym [16/Dec/2015:15:13:21 -0500] "PROPFIND
/cm_repo1/!svn/rvr/2245 HTTP/1.1" 207 1281
133.6.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS
/cm_repo1/visitor_PRODUCTION HTTP/1.1" 401 381
133.6.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS
/cm_repo1/cdb_PRODUCTION HTTP/1.1" 401 381
133.6.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS /cm_repo1/cdb
HTTP/1.1" 401 381
133.6.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS /cm_repo1/shibsso
HTTP/1.1" 401 381
133.6.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS /cm_repo1/cdb_TEST
HTTP/1.1" 401 381
133.6.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS /cm_repo1/testproj
HTTP/1.1" 401 38

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3151301

To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].
Received on 2015-12-18 17:10:17 CET

This is an archived mail posted to the TortoiseSVN Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.