
Apache2.0/Windows domain authentication and access control info

From: Michael Kelley <michael.kelley_at_argonst.com>
Date: 2004-11-18 19:22:05 CET

I have configured an Apache 2.0.52 server for Subversion 1.1.1 running
on a Windows 2000 Server SP4 domain member server. I want to use domain
accounts to authenticate users and authorize access into my
repositories. I finally got it working, so I thought I'd share what I
learned.

I'm using the modified mod_auth_sspi module from
http://www.deadbeef.com/software/sspi.html instead of the module
distributed with Apache. I'm also loading the mod_authz_svn module
that comes with the Windows binaries for Subversion.

My httpd.conf file contains this for my repository location:
<Location "/svndav">
    dav svn
    SVNParentPath "d:/svndav/repository"

    # our user authentication policy
    AuthName "SVN Server"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain MYDOMAINNAME
    # keep domain name in userid string passed down to mod_authz_svn
    #SSPIOmitDomain On
    # A Require directive may? prevent userid strings from being passed
    # down to mod_authz_svn
    #Require valid-user

    # our access control policy enforced by mod_authz_svn
    AuthzSVNAccessFile "d:/svndav/svnaccess.conf"
</Location>

What I found is that my AuthzSVNAccessFile needs to have
MYDOMAINNAME\UserId account names in a precise, case-sensitive form.
The domain name or machine name (for local user accounts) seems to
always come down in all CAPS. The userid account names are also case
sensitive. In my case, some domain accounts were prepared as
LastnameFirstname (camel caps) while others were all lower case. Use
a single backslash to separate MYDOMAINNAME\UserId. The mod_authz_svn
checks are obviously case-sensitive and you need to match character
case exactly.

I rebuilt mod_auth_sspi so I could log exactly what it thought the
user account names were and was thinking of just forcing all domain
and user names to lower case and then just specifying them as lower
case only in the AuthzSVNAccessFile. I'd rather change mod_authz_svn
so that it does case-insensitive compares under Windows, which is how
account names are handled and specified to work. I hope the
path\filename compares are case-insensitive under Windows -- I haven't
tested anything but lowercase paths yet.

Hope this can help anyone else struggling with Windows domain account
access control.

-Mike Kelley

Received on Thu Nov 18 19:23:24 2004

This is an archived mail posted to the Subversion Users mailing list.
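
Added example (not part of the original post, and not code from Subversion or mod_auth_sspi): a small checker for the case-sensitivity problem described in the message. It reports access-file names that differ from the user strings the server actually saw only by character case or by a missing domain prefix, so the rule would never apply. The sample access file, the user names, and the function names are constructed for illustration; only the `[groups]` section and path sections are handled.

```python
# Constructed sample access file and user names (not from the original post).
SAMPLE_AUTHZ = r"""
[groups]
devs = MYDOMAINNAME\DoeJane, mydomainname\jsmith

[/]
@devs = rw
MYDOMAINNAME\doejane = r
jsmith = r
* =
"""
# Assumed input: user strings exactly as the authentication module logged them.
OBSERVED = {r"MYDOMAINNAME\DoeJane", r"MYDOMAINNAME\jsmith"}

def authz_names(authz_text):
    """Yield (line_no, name) for each user name in [groups] and path sections."""
    section = None
    for line_no, raw in enumerate(authz_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        # [groups]: "group = member, member"; path sections: "name = perms"
        names = value.split(",") if section == "groups" else [key]
        for name in (n.strip() for n in names):
            if name and name != "*" and not name.startswith("@"):
                yield line_no, name

def find_mismatches(authz_text, observed):
    """Return (line_no, name_in_file, observed_name, reason) for near-miss names."""
    by_full = {u.lower(): u for u in observed}
    by_account = {u.split("\\", 1)[-1].lower(): u for u in observed}
    findings = []
    for line_no, name in authz_names(authz_text):
        if name in observed:
            continue  # exact match, the rule applies as written
        if name.lower() in by_full:
            findings.append((line_no, name, by_full[name.lower()], "case"))
        elif "\\" not in name and name.lower() in by_account:
            findings.append((line_no, name, by_account[name.lower()], "domain"))
    return findings

if __name__ == "__main__":
    print(*find_mismatches(SAMPLE_AUTHZ, OBSERVED), sep="\n")
```

Each finding gives the line number in the access file, the name as written there, the observed name it nearly matches, and whether the difference is `case` or a missing `domain` prefix.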