
mod_authz_svn problems under Windows Server 2003

From: Michael Kelley <michael.kelley_at_argonst.com>
Date: 2005-06-15 16:17:44 CEST

SVN server running Windows Server 2003 SP1, Apache 2.0.52, SVN 1.1.4.
Authentication/Authorization via mod_auth_sspi (authenticate with
valid domain login) and mod_authz_svn (authorize access to
repositories).

Because mod_authz_svn has no option for case-insensitive account name
checks, I have user accounts listed multiple ways in the
AuthzSVNAccessFile.
I have combinations of domain\userids listed with domain name in all
caps and all lower case, and userids with camel-casing and all lower
case. It's a pain, but it works. Actually it's a good thing that I've
got several entries for each user because:

Occasionally my users get access denied errors when trying to commit
changes. I have repositories r/o for all and r/w for selected
developers. Whatever the low-level userid/password caching/passing
mechanism is seems to randomly fail. Our workaround is to provide an
alternate domain\userid combination which appears to SVN to be an
entirely different user name. If you try to use the same
domain\userid capitalization combination that was in use when the
error occurred, it won't work. My users basically rotate between
DOMAIN\userid and domain\userid. Since just switching to an alternate
account that is in the AuthzSVNAccessFile works, it seems to be an SVN,
not Apache, issue. The Apache logs show valid domain\userid combinations
being used when access is denied.

My developers have been easy to migrate to SVN and things have been
going well over the last 5 months we've been using it and migrating
projects out of 2 other CM systems, but this authorization hiccup is
making everyone think twice about our shift to SVN. I've got plenty
of server horsepower so that the performance under Windows isn't an
issue.

Anybody else seen this mod_authz_svn authorization problem? My users
encounter this failure using TortoiseSVN under Windows 2000 and
Windows XP as well as eSVN/RH9. There are no changes to
AuthzSVNAccessFile being made when this problem occurs.

Thanks,
-Mike Kelley

Received on Wed Jun 15 16:22:55 2005
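
An added example, not part of the original post: listing each account under several capitalizations in the AuthzSVNAccessFile, as the message describes, means the variants can drift apart in the rights they grant. This Python check flags path sections where spellings that differ only by case carry different rights; the sample file, domain, user and repository names are constructed.

```python
from collections import defaultdict

# Constructed sample access file; all names below are made up.
SAMPLE_AUTHZ = r"""
[projA:/]
* = r
EXAMPLE\jsmith = rw
example\jsmith = rw
EXAMPLE\JSmith = r

[projB:/]
* = r
EXAMPLE\adoe = rw
example\adoe = rw
"""

def parse_authz(text):
    """Return {section: {name: value}}, keeping names case-sensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[name.strip()] = value.strip()
    return sections

def find_case_variant_drift(text):
    """List (section, folded_name, {spelling: rights}) where spellings that
    differ only by case have different rights within one path section."""
    findings = []
    for section, entries in parse_authz(text).items():
        if section == "groups":
            continue  # group definitions hold member lists, not rights
        by_folded = defaultdict(dict)
        for name, rights in entries.items():
            if name == "*" or name.startswith("@"):
                continue  # skip the wildcard and group references
            by_folded[name.casefold()][name] = rights
        for folded, variants in by_folded.items():
            if len(set(variants.values())) > 1:
                findings.append((section, folded, variants))
    return findings
```
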

This is an archived mail posted to the Subversion Users mailing list.