[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Authentication With Samba

From: Frank Gruman <fgatwork_at_verizon.net>
Date: 2005-06-13 22:24:20 CEST

Normal LDAP. You can build the mod_auth_ldap module right into Apache
(I prefer the DSO), and then just pipe in your ADS LDAP server address
since ADS is already an LDAP server. The only issue I have with it is
that I have to bind before it will do the apache authentication. I
really wish I didn't have to do that.

To build with apache 2.0.54 (make sure you have ldap developer files
loaded) -
  ./configure --enable-mods-shared=all --enable-ldap --with-ldap
--enable-auth-ldap

Instructions on the directives for mod_auth_ldap are found here -
http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html

If there was a way to set up replication (I am thinking it would make
for faster authentication) without asking the MIS staff to change
anything on the ADS side, I'd do it. There might be, but I haven't
found it yet.

Regards,
Frank

Brad wrote:

> Are you talking about authenticating with a normal LDAP schema or the
> ADS LDAP replication? If its the ADS LDAP replication, do you have any
> links or howtos?
>
> I would rather start using the LDAP replication from ADS so that
> winbind doesnt have to be installed on all the machines. I
>
> Thanks,
> Brad
>
> On Mon, 2005-06-13 at 12:42 -0400, Frank Gruman wrote:
>
>> I'd have to say that yes, it is very possible, and it was relatively
>> easy, but my authentication times are very slow (10-20 seconds).
>> I've run ethereal scans, and it seems that there are Kerberos issues
>> floating back and forth on the first and secod handshakes. But then
>> they work out. Strange, but it happened...
>>
>> Anyway - that was when I did Apache+Samba + Winbind. Have now got
>> Apache + LDAP running, and that rocks!
>>
>> So - make sure you get EVERYTHING right before you move into
>> production. I had a couple of very unhappy developers (read ->
>> whiney) who didn't like to wait that long for authentication. They
>> started to revolt and claim they'd rather work on VSS.
>>
>> Regards,
>> Frank
>>
>> Brad wrote:
>>
>>> Tryst,
>>> Yes and its far easier than it sounds. The only issue I have is
>>> that users have to enter in the fully qualified domain user name
>>> such as "DOMAIN\USER". That depends on your domain scoping though.
>>> But it works fine other than that. I have the authentication hooked
>>> up through PAM. Apache can authenticate with PAM through mod_auth_pam.
>>>
>>> Get your system authenticating first:
>>> http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain
>>>
>>> And then use mod_auth_pam to get apache authenticating. Basically,
>>> just don't specify a password file.
>>>
>>>
>>> Brad
>>>
>>>
>>> On Mon, 2005-06-13 at 14:38 +0100, Hughes, Trystan wrote:
>>>
>>>>Hi all,
>>>>
>>>>I am about to roll out Subversion across my company and have just realised that the company users use SAMBA (http://us1.samba.org/samba/) for its login/authentication process.
>>>>
>>>>This isn;t exactly Windows domain authentication, so was wondering if I would be able to let Subversion use Apache to pickup the users SAMBA login credentials so that they can automatically login (like Windows Domain Authentication works).
>>>>
>>>>Is this at all possible?
>>>>
>>>>Thanks
>>>>
>>>>Tryst
>>>>
>>>>The views expressed in this e-mail are not necessarily the views of AssetCo Group Limited,
>>>>its directors, officers or employees make no representation or accept any
>>>>liability for its accuracy or completeness unless expressly stated to the contrary.
>>>>This e-mail, and any attachments are strictly confidential and intended for the addressee(s) only.
>>>>The content may also contain legal, professional or other privileged information. Unless expressly
>>>>stated to the contrary, no contracts may be concluded on behalf of AssetCo Group Limited by means of
>>>>e-mail communication. You may report the matter by calling us on +44 (0)118 906 8000.
>>>>Please ensure you have adequate virus protection before you open or detach any documents from this
>>>>transmission. AssetCo Group Limited does not accept any liability for viruses. AssetCo Group Limited
>>>>is registered in England: Company number: 4450947
>>>>Registered Office: Davidson House, Forbury Square, Reading, Berkshire RG1 3GA
>>>>
>>>>
>>>>
Received on Mon Jun 13 22:27:14 2005

This is an archived mail posted to the Subversion Users mailing list.