[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: AW: mod_authz_svn + ssl + certificates doesn't work?

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2004-03-30 15:17:13 CEST

Hunkel, Manfred wrote:
> ad (1): Correct. Using basic authentication, you must have a htpasswd-file.

Correct.

>
> ad (2): Anybody else reading this? Correct me if I'm mistaken here, but
> the mechanism of authz_svn always requires a username (possibly a member of
> a group as defined in its access file), no matter how this name is being obtained.
> In other words: No username, no authorisation check via authz_svn.

Correct. This is a flaw in apache2.0's design, and is corrected in
apache2.1.

> What you're looking for is a piece of magic that, given a certificate, pulls an associated
> username out of its hat in order to enable authorisation. Correct?

Hermann: I think what you want is the +FakeBasicAuth option for SSL
certificates. Read all about it in the apache docs. After a client
certificate is verified, a Basic Auth header is "added" the request
which contains the cert's DN. That allows authorization modules to
work. It means you need to write your access file using DNs.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Mar 30 15:18:23 2004

This is an archived mail posted to the Subversion Users mailing list.