[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: howto configure modauthkerb authorization for subversion?

From: Tony Butt <tony.butt_at_cea.com.au>
Date: 2005-11-27 23:25:51 CET

Put the kerberos configuration directives (AuthType, AuthName,
Krb5AuthRealms, etc) inside the <Location> ... </Location> block.

We have 1 serious problem with Kerberos authentication - when using
mod_auth_krb, we found that it performed 4 or more DNS lookups for
kerberos principals for each access check, and when using
AuthZSVNAccessFile access control to the repository, it re-authenticated
FOR EACH FILE as it check the access control. We improved things
slightly by configuring krb5.conf with IP numbers instead of names, so
that only 1 DNS lookup is performed per file, but there still seems to
be a lot of authentication traffic to our kerberos server. It seems that
mod_auth_krb is not caching the authentication, but checking for each file!

The end result on performance is quite large - svn log "http path to
project" took ~60 seconds on a LAN, svn log "svn+ssh path to project"
took ~ 3 seconds.

Tony Butt
CEA Technologies

Anders Lennartsson wrote:
> I have modauthkerb working nicely with a kerberos 5 realm and a config like this
>
> <Directory>
> AuthType Kerberos
> AuthName ...
> ...
> </Directory>
>
> How do I configure modauthkerb to be used for svn repositories, which
> are specified with a <Location> directive like
> <Location /svn>
> DAV svn
> SVNParentPath /var/lib/svn
> ...
> </Location>
>
> With svn 1.2.3 on Debian/Sarge I only aim for basic authentication
> over ssl/tls at this stage.
>
> Anders
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Received on Sun Nov 27 23:28:43 2005

This is an archived mail posted to the Subversion Users mailing list.