[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Getting NT Authorization Right with mod_auth_sspi.so

From: Olivier Mascia <om_at_tipgroup.com>
Date: 2004-07-13 20:47:33 CEST

Hello,

On Tue, 13 Jul 2004 11:16:10 -0500,
Roehl, Dan wrote:

> It just plain is not working.
>
> Has anyone got this to work on a Win2k/sp3-4 box with Apache 2.0?

I just installed mine on a similar configuration today.

> Can you walk me through?

Not sure I can precisely walk you through it, but I can give you bits of
setup. All the svn bin and modules directory content is copied in a svn
folder under apache root folder. mod_sspi is copied to apache modules
subdir.

Here are the modules I load. Not all are required for svn of course. But
I list them all so that relative order is seen. mod_auth_sspi.co
_before_ mod_auth.so is a must.

LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so

LoadModule sspi_auth_module modules/mod_auth_sspi.so

LoadModule auth_module modules/mod_auth.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so

LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so

LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule imap_module modules/mod_imap.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule status_module modules/mod_status.so
LoadModule userdir_module modules/mod_userdir.so

LoadModule dav_svn_module svn/mod_dav_svn.so
LoadModule authz_svn_module svn/mod_authz_svn.so

Here is my httpd.conf setting:

<Location /svn>

        DAV svn
        SVNParentPath "D:\somepath\SVN"

        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIDomain DOMAINNAME
        SSPIOfferBasic On
        
        AuthName "Subversion Repositories"
        AuthzSVNAccessFile "D:\somepath\SVN\svnaccessfile.txt"
        Require valid-user

</Location>

Here is my accessfile.txt content (well, updated for fake values):

--------------------------------
[groups]
developers = DOMAINNAME\Olivier,DOMAINNAME\Bob,DOMAINNAME\Peter
[test:/]
@developers = rw
--------------------------------

COMMENTS

(o) For DOMAINNAME, I use the short form (pre-windows 2000). The real
domain name is something like DOMAINNAME.lan.tipgroup.com. I use only
DOMAINNAME both in the httpd.conf file and in the accessfile.

(o) When specifying a user name in access file, I **HAVE TO** specify
the DOMAINNAME\user as above.

(o) As I used SVNParentPath (instead of SVNPath), my accessfile is used
for multiple repositories. I **HAVE TO** correctly use the notation
[repository:/path] to define my access rights. Anything else fails and
that is logical. The [test:/] specifies rights for the root directory of
the repository 'test' which is actually a subfolder of "D:\somepath\SVN".

(o) When typing the username in the auth dialog boxes, I **HAVE TO**
carefully respect the case. In the above example, wether in firefox, in
IE6 or in TortoiseSVN, I have to type "Olivier". The authentication of
the user on the domain does not care on the case of the username, but
the comparison to the accessfile *is* case-sensitive.

(o) I have had to unlock some accounts during the setup. When trying and
failing due to misconfiguration, it is easy to get an account locked out
and then have further tests fail while they would have else worked. ;-)

(o) The mod_sspi I currently use with the above working configuration is
the one coming from the tigris site:

http://tortoisesvn.tigris.org/mod_auth_sspi.zip

Hope this helps,

PS: I'm new to SubVersion server config (first time today). Though I
used TortoiseSVN for review for some months using local repositories.
I also routinely build my own Win32 apache 2.0 versions, including
openssl. This helps to get more confidence when doing configuration
steps.

-- 
Best Regards,
Olivier Mascia
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jul 13 20:47:45 2004

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.