[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Accessing SVN repository via Apache and SSL client certificate? Almost there, but something is missing.

From: Ralph Seichter <subversion-ml_at_sentries.org>
Date: 2005-05-13 16:27:11 CEST

I'm still juggling SSL client certificates, SVN and Apache around.
Currently, I use the following in my Apache configuration:

  <VirtualHost _default_:443>
      [...]

      SSLVerifyDepth 1
      SSLVerifyClient optional
      SSLOptions +FakeBasicAuth
      <Location /svn>
          SSLVerifyClient require
          SSLRequire %{SSL_CLIENT_I_DN_O} eq "Foobar Inc."
          SSLOptions +StrictRequire

          DAV svn
          SVNParentPath /var/svn/repositories
          AuthzSVNAccessFile /var/svn/svn-access

          AuthType Basic
          AuthName "Foobar Inc. repository tree"
          AuthUserFile /var/svn/apache-users
          Require valid-user
          Satisfy any
      </Location>
  </VirtualHost>

First the good news: With "SSLVerifyClient optional" in the virtual
host section and "SSLVerifyClient require" in the location section,
SVN no longer chokes when prompted for a SSL certificate, while web
browser based clients can access other parts of the server without
certificates. A big thank you goes to Joe Orton of the Neon ML for
telling me to try this workaround!

The trouble is that selectively granting read/write access to the
repository is giving me gyp. /var/svn/apache-users includes the
following lines:

  /CN=Johnny Walker/emailAddress=john@domain.tld:(pw-hash)
  /CN=jim.beam/emailAddress=jim@otherdomain.tld:(pw-hash)

As usual with "SSLOptions +FakeBasicAuth", the hashed password is
"password". The file /var/svn/svn-access looks like this (without
any line breaks in the "admin" line):

  [groups]
  admin = mary, /CN=jim.beam/emailAddress=jim@otherdomain.tld,
          /CN=Johnny Walker/emailAddress=john@domain.tld
  [foobar:/]
  @admin = rw

When I try "svn co https://server.tld/svn/foobar/" as either Jim
Beam or Johnny Walker, the client reports:

  svn: REPORT request failed on '/svn/foobar/!svn/vcc/default'
  svn: Not authorized to open root of edit operation.

The server side error messages are:

  A failure occurred while driving the update report editor
  [500, #220000]
  Not authorized to open root of edit operation. [500, #220000]

When I replace "@admin = rw" with "* = rw", everything works fine,
but obviously I don't want to grant write permissions to every
person accessing the foobar repository. Any ideas? Am I using the
correct syntax in /var/svn/svn-access? I tried wrapping the user
names in '' and "" pairs, but this did not seem to have any effect.

-- 
Mit freundlichen GrŘ▀en / Sincerely
Dipl. Inform. Ralph Seichter
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri May 13 17:18:14 2005

This is an archived mail posted to the Subversion Users mailing list.