[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Getting NT Authorization Right with mod_auth_sspi.so

From: Roehl, Dan <Dan.Roehl_at_austinenergy.com>
Date: 2004-07-13 18:16:10 CEST

So I have been trying to get mod_auth_sspi to authenticate me. I think that
this has really become an Apache issue rather than an SVN issue.

I have tried the package from:
http://www.deadbeef.com/software/sspi.html

As well as the package from:
http://www.gknw.net/development/apache/httpd-2.0/win32/modules/

It just plain is not working.

Has anyone got this to work on a Win2k/sp3-4 box with Apache 2.0?
Can you walk me through?

Here is my load module from conf:

LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
#LoadModule auth_anon_module modules/mod_auth_anon.so
#LoadModule auth_dbm_module modules/mod_auth_dbm.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule headers_module modules/mod_headers.so
LoadModule imap_module modules/mod_imap.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule status_module modules/mod_status.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule ssl_module modules/mod_ssl.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so <-- Docs suggested
placing toward end of list
LoadModule auth_module modules/mod_auth.so <-- Other docs suggested that
_auth_sspi.so need to be declared B4 mod_auth

Here is the relevant directory settings in conf
### DJR Subversion settings
 <Location /svn/repos>
  DAV svn
  SVNPath /svn/repos
  AuthzSVNAccessFile D:/Apache2/etc/svnaccessfile
  AuthName "Austin Energy Subversion Repositories"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  SSPIOfferBasic On
  SSPIBasicPreferred On
 # SSPIOmitDomain On
  require valid-user
 </Location>

When uncommented SSPIOmitDomain Produces error: (invalid command
'SSPIOmitDomain', perhaps mis-spelled or defined by a module not included in
the server configuration)

Here is my svn acl:

[groups]
foo = myDomain\roehld

# [/]
# to allow everyone read access
# * = r

 [/]
# developers get read write to entire repository
@developers = rw

 [/svn/repos/app]
myDomain\roehld = rw

-----Original Message-----
From: Toby Johnson [mailto:toby@etjohnson.us]
Sent: Monday, July 12, 2004 6:08 PM
To: 'users@subversion.tigris.org'
Subject: Re: Getting NT Authorization Right with mod_auth_sspi.so

Roehl, Dan wrote:

>In my http.conf
>
>Where
>SSPIDomain <value>
>What should <value> be?
>I have tried:
>- The fully qual name of the domain controller itself
>- ip address of the controller
>- myDomain.net
>- myDomain
>
>
I use only "myDomain", i.e. the part you see before the backslash when
logged in and you hit CTRL+ALT+DEL.

>None seem to work. Also placing the directive
>SSPIOmitDomain on
>In httpd hoses the service completely (won't even start).
>
>
Use the version of the SSPI module from this website:
http://www.deadbeef.com/software/sspi.html and try the "SSPIOmitDomain
On" again. Then get rid of the domain\ in your AuthZ file, leaving only
the username. You don't want that ugly "domain\user" in all your
logfiles anyway!

The password special char problem only happened to me with the Unix
client on HP-UX; I've never had problems on Windows so it's probably
something particular to that platform.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jul 13 18:18:01 2004

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.