[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: subversion authentication options

From: Kevin T. Broderick <kbroderick_at_boltonvalley.com>
Date: 2005-02-24 18:46:52 CET

On Feb 24, 2005, at 12:01 PM, Brad O'Hearne wrote:

> I am using subversion installed on fedora core 3 linux with the apache
> access option. I would really like not to have to manually manage
> passwords -- aside from the obvious admin overhead, the notion of
> managing passwords manually is somewhat ridiculous -- having to let
> someone else know what your password is in order to manage it defeats
> much of the purpose of having a password. Anyway, I have run across
> this link from the FAQ:
> http://tortoisesvn.tigris.org/docs/TortoiseSVN_en/ch03.html#tsvn-
> serversetup-apache-5
> which allows authentication against a Windows domain controller, which
> we have. I tried installing this, but it appears that this doesn't
> work on Linux, but only on a Windows box. If anyone has a version of
> this that works on linux, or have gotten this working on linux, let me
> know.
> Are there any other options for letting users manage their own
> passwords?

Yup. I've got svn and trac setup via Apache https with Basic HTTP Auth
and mod_auth_pam, which allows authentication passthrough to the PAM
system. In turn, I've got PAM set up to do auth via winbind to our AD
controller. All of this is on debian sarge, and it was generally
fairly easy. I'm meaning to write it up sooner or later (preferably
after verifying the steps work on a clean install on a test box), but
it basically boils down to (after having svn setup via http with no
1. aptitude install winbind libapache2-mod-auth-pam
2. Edit /etc/samba/smb.conf to reflect your setup; googling for "Linux
auth to Active Directory winbind" should turn up useful examples
3. Join your Linux box as a member server of the AD domain via "net
join" (I forget the syntax off the top of my head, Google will turn it
4. Verify that you can get info via winbind's wbinfo -g command
5. Edit /etc/pam.d/common-auth and common-account files; I added "auth
    sufficient pam_winbind.so" and "account sufficient
pam_winbind.so" to each, respectively.
5a. Add "session required pam_mkhomedir.so skel=/etc/skel
umask=0022" to common-session if you want to automagically create home
directories for users.
(NOTE: the above changes system auth procedures; take precautions to
ensure that you don't leave the system inaccessible as a result. It
may actually not be necessary if you just want to use apache auth, but
it seemed to help in my case. YMMV.)
6. Change /etc/pam.d/apache2 to include "auth required
pam_winbind.so" and "account required pam_permit.so"
7. Set up apache to load the aforementioned modules (on my setup,
that's a2enmod followed by module name, I believe)
7. Add the BasicAuth and Require valid-user directives as suggested by
svn book to site conf for apache
8. Restart apache2 (I had trouble with this one.../etc/init.d/apache2
reload kept borking and leaving apache in a non-working state, so I
ended up doing a 'start' and 'shutdown' repeatedly. Your mileage may
9. Verify that you can login to apache2.
10. Verify that you can establish a regular connection to the box,
particularly if you did edit common-auth and common-account in (5).

1. 5 and 5a are probably unnecessary
2. I still can't get secondary groups to pick up (i.e. if joe's primary
group is "Domain Users" but he is also a member of "Evil Programmers",
requiring group membership in "Evil Programmers" for access via Apache
denies joe access). As I only have two developer accounts to worry
about at the moment, I said screw it and used require-user. I'd rather
use require-gorup, so if anyone has that working with AD and winbind,
I'd be happy to hear how.

Kevin Broderick, Bolton Valley IT Department
kbroderick@boltonvalley.com / 802.434.6807 (V) / 802.329.6807 (F)

To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Feb 24 18:49:12 2005

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.