[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Mixing X.509 authentication and mod_authz_svn

From: Waldemar Gorus <gorusw_at_math.uni-muenster.de>
Date: 2004-12-17 09:51:59 CET


I need to use x.509 certificates for authentication (There is no other
way). I need authorization also and I need the ability of svn to log
the author of commited changes.

After reading the documentation I tried the following:

a) Using a long SSLRequire-conditionterm to represent authorisation.
Using SSLRequire I can realize as much as using mod_authz_svn. Unfortunately
the SSLRequire-string gets really long, complex and fault-prone finally.
But it works. As authorname the certificatesubject is logged

b) Using x.509 for authentication, but mod_authz_svn for
My idea was to use the certificatesubject as username in the
AuthzSVNAccessFile. The authentication works, but mod_authz_svn seems
to ignore the username and results in no access until I use the *=rw

Is b) wrong by concept or do I have a misconfiguration (httpd.conf at
the end of this mail)?

Part of the httpd.conf:

<Location /svn>
   DAV svn
   SVNPath /home/svn/usr/bin/repos

   AuthzSVNAccessFile /home/svn/usr/bin/cert/authzfile
   AuthType Basic
   AuthName "Subversion Gate"
   AuthUserFile /home/svn/usr/bin/cert/htpasswd
   SSLOptions +FakeBasicAuth

### This is a small SSLRequirestatement a)
# SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "TESTO_1" \
# and %{SSL_CLIENT_S_DN_OU} in {"TESTOU_4a", "TESTOU_5b"} ) \


The authzfile:

# * = rw #Uncommenting this line works :-)
"/C=de/ST=nrw/O=TESTO_1/OU=TESTOU_4a/CN=TESTCN_4a/emailAddress=TEST_4a@TEST.de" = r #This username is always ignored

To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Dec 17 09:55:12 2004

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.