[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Getting NT Authorization Right with mod_auth_sspi.so

From: Mark Bohlman <mbohlman_at_tcicredit.com>
Date: 2004-07-13 18:34:46 CEST

Roehl, Dan wrote:
> So I have been trying to get mod_auth_sspi to authenticate me. I think that
> this has really become an Apache issue rather than an SVN issue.
>
> I have tried the package from:
> http://www.deadbeef.com/software/sspi.html
>
> As well as the package from:
> http://www.gknw.net/development/apache/httpd-2.0/win32/modules/
>
> It just plain is not working.
>
> Has anyone got this to work on a Win2k/sp3-4 box with Apache 2.0?
> Can you walk me through?
>
> Here is my load module from conf:
>
> LoadModule access_module modules/mod_access.so
> LoadModule actions_module modules/mod_actions.so
> LoadModule alias_module modules/mod_alias.so
> LoadModule asis_module modules/mod_asis.so
> #LoadModule auth_anon_module modules/mod_auth_anon.so
> #LoadModule auth_dbm_module modules/mod_auth_dbm.so
> #LoadModule auth_digest_module modules/mod_auth_digest.so
> LoadModule autoindex_module modules/mod_autoindex.so
> #LoadModule cern_meta_module modules/mod_cern_meta.so
> LoadModule cgi_module modules/mod_cgi.so
> LoadModule dav_module modules/mod_dav.so
> LoadModule dav_fs_module modules/mod_dav_fs.so
> LoadModule dir_module modules/mod_dir.so
> LoadModule env_module modules/mod_env.so
> #LoadModule expires_module modules/mod_expires.so
> #LoadModule file_cache_module modules/mod_file_cache.so
> #LoadModule headers_module modules/mod_headers.so
> LoadModule imap_module modules/mod_imap.so
> LoadModule include_module modules/mod_include.so
> #LoadModule info_module modules/mod_info.so
> LoadModule isapi_module modules/mod_isapi.so
> LoadModule log_config_module modules/mod_log_config.so
> LoadModule mime_module modules/mod_mime.so
> #LoadModule mime_magic_module modules/mod_mime_magic.so
> #LoadModule proxy_module modules/mod_proxy.so
> #LoadModule proxy_connect_module modules/mod_proxy_connect.so
> #LoadModule proxy_http_module modules/mod_proxy_http.so
> #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
> LoadModule negotiation_module modules/mod_negotiation.so
> #LoadModule rewrite_module modules/mod_rewrite.so
> LoadModule setenvif_module modules/mod_setenvif.so
> #LoadModule speling_module modules/mod_speling.so
> #LoadModule status_module modules/mod_status.so
> #LoadModule unique_id_module modules/mod_unique_id.so
> LoadModule userdir_module modules/mod_userdir.so
> #LoadModule usertrack_module modules/mod_usertrack.so
> #LoadModule vhost_alias_module modules/mod_vhost_alias.so
> #LoadModule ssl_module modules/mod_ssl.so
> LoadModule dav_svn_module modules/mod_dav_svn.so
> LoadModule authz_svn_module modules/mod_authz_svn.so
> LoadModule sspi_auth_module modules/mod_auth_sspi.so <-- Docs suggested
> placing toward end of list
> LoadModule auth_module modules/mod_auth.so <-- Other docs suggested that
> _auth_sspi.so need to be declared B4 mod_auth
>
>
> Here is the relevant directory settings in conf
> ### DJR Subversion settings
> <Location /svn/repos>
> DAV svn
> SVNPath /svn/repos
> AuthzSVNAccessFile D:/Apache2/etc/svnaccessfile
> AuthName "Austin Energy Subversion Repositories"
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative On
> SSPIOfferBasic On
> SSPIBasicPreferred On
> # SSPIOmitDomain On
> require valid-user
> </Location>
>
> When uncommented SSPIOmitDomain Produces error: (invalid command
> 'SSPIOmitDomain', perhaps mis-spelled or defined by a module not included in
> the server configuration)
>
> Here is my svn acl:
>
> [groups]
> foo = myDomain\roehld
>
> # [/]
> # to allow everyone read access
> # * = r
>
> [/]
> # developers get read write to entire repository
> @developers = rw
>
> [/svn/repos/app]
> myDomain\roehld = rw
>
>
> -----Original Message-----
> From: Toby Johnson [mailto:toby@etjohnson.us]
> Sent: Monday, July 12, 2004 6:08 PM
> To: 'users@subversion.tigris.org'
> Subject: Re: Getting NT Authorization Right with mod_auth_sspi.so
>
> Roehl, Dan wrote:
>
>
>>In my http.conf
>>
>>Where
>>SSPIDomain <value>
>>What should <value> be?
>>I have tried:
>>- The fully qual name of the domain controller itself
>>- ip address of the controller
>>- myDomain.net
>>- myDomain
>>
>>
>
> I use only "myDomain", i.e. the part you see before the backslash when
> logged in and you hit CTRL+ALT+DEL.
>
>
>>None seem to work. Also placing the directive
>>SSPIOmitDomain on
>>In httpd hoses the service completely (won't even start).
>>
>>
>
> Use the version of the SSPI module from this website:
> http://www.deadbeef.com/software/sspi.html and try the "SSPIOmitDomain
> On" again. Then get rid of the domain\ in your AuthZ file, leaving only
> the username. You don't want that ugly "domain\user" in all your
> logfiles anyway!
>
> The password special char problem only happened to me with the Unix
> client on HP-UX; I've never had problems on Windows so it's probably
> something particular to that platform.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org

Here is one that works for me:
<Location "/repos">
   AuthType SSPI
   SSPIAuth On
   SSPIAuthoritative On
   SSPIDomain "DOMAIN-A"
   SSPIOmitDomain On
   SSPIOfferBasic On
   AuthName "Project"
   Require valid-user
</Location>

Note that I am NOT using the "AuthzSVNAccessFile" setting as you do -
could this be conflicting?
-- Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jul 13 18:35:40 2004

This is an archived mail posted to the Subversion Users mailing list.