If the posted file is correct, group members should be specified as
domainname\username
unless you decide to strip domainname using proper sspi directive in apache conf.
I think that the domainname case specified in SSPIDomain <domain> should be used
to qualify svn subjects.
I use this too in apache conf:
SSPIOfferBasic On
because svn clients have no support for NTLM authentication protocol.
Guido.
> -----Original Message-----
> From: Michael Kelley [mailto:michael.kelley@argonst.com]
> Sent: Tuesday, November 16, 2004 11:40 PM
> To: users@subversion.tigris.org
> Subject: WebDAV access control on Windows domains
>
>
> I'm in the final stages of setting up a test server for our
> developer's changeover to Subversion. Server is running Windows 2000
> Server SP4 with Apache 2.0.52 as domain member server. I've got
> mod_auth_sspi, mod_dav_fs, mod_dav_svn, and mod_authz_svn loaded and
> seemingly running OK. Got a repository parent directory set up with a
> few repositories underneath. What I was hoping I could do is use the
> SSPI authentication results in mod_authz_svn to control
> directory-level access rights via AuthzSVNAccessFile. Just to get
> started, I've got:
>
> Apache httpd.conf contains in the global section:
> -----
> #
> # Here's the container for Subversion
> #
> LoadModule dav_svn_module modules/mod_dav_svn.so
> LoadModule authz_svn_module modules/mod_authz_svn.so
> <Location "/svn">
> dav svn
> SVNParentPath "d:/svndav/repository"
>
> # our access control policy
> AuthzSVNAccessFile "d:/svndav/svnaccess.conf"
>
>
> # our user authentication policy
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative On
> </Location>
> -----
>
> d:/svndav/svnaccess.conf contains
> ----------
> # svnaccess.conf
> # This file determines the user authorizations for the various svn
> repositories and trees
>
> [groups]
> commsdev = mydomainname/mydomainusername
>
> #[/]
> #* = r
>
> [comms1:/]
> @commsdev = rw
>
> <<other repository root entries snipped>>
> -----
>
> I'm pretty sure that SSPI is picking up my domain and userid OK (a
> served web site that also uses SSPI has a Perl script that correctly
> displays domain and userid). If I uncomment the [/] entry, I have
> read-only access the repositories with IE. Commented out I have no
> access. Anyone reading this got domain-level authentication working
> thru to mod_authz_svn for directory-level control? How did you
> configure things?
>
> Thanks,
> -Mike Kelley
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Nov 17 09:10:18 2004