Hello,

I need to use X.509 certificates for authentication (there is no other
way). I also need authorization, and I need the ability of svn to log
the author of committed changes.

After reading the documentation I tried the following:

a) Using a long SSLRequire condition term to represent authorisation.
Using SSLRequire I can achieve as much as with mod_authz_svn. Unfortunately,
the SSLRequire string ends up really long, complex and error-prone.
But it works. The certificate subject is logged as the author name
(FakeBasicAuth).

b) Using X.509 for authentication, but mod_authz_svn for
authorization.
My idea was to use the certificate subject as the username in the
AuthzSVNAccessFile. The authentication works, but mod_authz_svn seems
to ignore the username and results in no access until I use the *=rw
statement.

Is b) wrong by concept or do I have a misconfiguration (httpd.conf at
the end of this mail)?

ciao
Waldemar

Part of the httpd.conf:
<Location /svn>
    DAV svn
    SVNPath /home/svn/usr/bin/repos
    AuthzSVNAccessFile /home/svn/usr/bin/cert/authzfile
    AuthType Basic
    AuthName "Subversion Gate"
    AuthUserFile /home/svn/usr/bin/cert/htpasswd
    SSLOptions +FakeBasicAuth
    ### This is a small SSLRequire statement (a)
    # SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "TESTO_1" \
    # and %{SSL_CLIENT_S_DN_OU} in {"TESTOU_4a", "TESTOU_5b"} ) \
    # or %{REQUEST_METHOD} in {"GET", "REPORT", "PROPFIND"}
</Location>

The authzfile:
[/]
# * = rw #Uncommenting this line works :-)
"/C=de/ST=nrw/O=TESTO_1/OU=TESTOU_4a/CN=TESTCN_4a/emailAddress=TEST_4a@TEST.de" = r #This username is always ignored
Received on Fri Dec 17 09:55:12 2004
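
An added diagnostic sketch (not part of the original message and not Subversion code): it lints the authzfile quoted above under the assumption that the file is read INI-style, with each rule split at its first `=` or `:`, and flags rules whose resulting value is not a plain access string. Whether mod_authz_svn splits lines this way should be checked against the Subversion version in use; `split_option` and `lint_authz` are hypothetical names.

```python
import re

# Constructed sample: the authzfile as quoted in the message above.
AUTHZ = '''[/]
# * = rw #Uncommenting this line works :-)
"/C=de/ST=nrw/O=TESTO_1/OU=TESTOU_4a/CN=TESTCN_4a/emailAddress=TEST_4a@TEST.de" = r #This username is always ignored
'''

VALID_ACCESS = {"", "r", "rw"}  # access values a path rule may carry


def split_option(line):
    """Split at the FIRST '=' or ':' (assumed INI-style behaviour)."""
    m = re.search(r"[=:]", line)
    if m is None:
        return None
    return line[:m.start()].strip(), line[m.end():].strip()


def lint_authz(text):
    """Return (section, name_as_parsed, value_as_parsed) for suspect rules."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        parts = split_option(line)
        if parts is None or section == "groups":
            continue  # not a rule, or a group member list
        name, value = parts
        # A DN containing '=' (or a trailing inline comment) leaves a
        # value that is not r / rw / empty, so the rule cannot match
        # the username that FakeBasicAuth supplies.
        if value not in VALID_ACCESS:
            findings.append((section, name, value))
    return findings


if __name__ == "__main__":
    for section, name, value in lint_authz(AUTHZ):
        print(f"[{section}] name parsed as {name!r}")
        print(f"    value parsed as {value!r}")
```

Under that assumption the rule name is read as `"/C` rather than the full subject DN, which the linter reports together with the leftover value.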