On 7/17/06, Les Mikesell <email@example.com> wrote:
> On Mon, 2006-07-17 at 09:53 +0000, gmu 2k6 wrote:
> > On 7/16/06, Les Mikesell <firstname.lastname@example.org> wrote:
> > > On Sun, 2006-07-16 at 13:17, gmu 2k6 wrote:
> > >
> > > > as OpenSSH is already installed, I might give svn+ssh:// with OpenSSH
> > > > doing PAM with Winbind to let the users use their Windows Passwords to
> > > > access the machine.
> > > > I better read about winbind and whether I have to join the domain etc. then.
> > >
> > > With winbind you shouldn't have to add the users locally but the
> > > machine does have to join the domain. An alternative is to use
> > > smb authentication with PAM. Then you do have to add the users
> > > (which gives you a place to control which ones can use the
> > > service and put them in groups) but you don't have to maintain
> > > a separate password.
> > do you know any good guide for that? what's the name of the pam module
> > you mentioned?
> On RH/fedora systems you would run authconfig, pick smb as one of the
> authentication methods, and fill in the domain and controller name(s).
> If you do it by hand the module is pam_smb_auth.so and it needs the
> domain and PDC/BDC names in /etc/pam_smb.conf. For pure web services
> where you don't need a home directory or group info you can also
> use mod_pam_auth (not included with RH/fedora but you can build it)
> with a /etc/pam.d/httpd file like:
>     auth required pam_stack.so service=system-auth
>     account required pam_permit.so
> This will allow anyone with a domain account to log in to the web server
> as a valid-user without having a local Linux account. I'm not sure
> how/if that will mesh with mod_authz_svn if you want finer-grained
> access control. If you use a different 'account' line you can
> restrict logins to those with local accounts like the other services.
thanks, I was reading about pam_krb5, winbindd, etc. but not yet sure
how everything fits together. I know about RedHat and SuSE offering
configurators for that but it will work with Debian too, I'll just
have to read and learn, which is important anyway in case it breaks.
Received on Mon Jul 17 17:45:04 2006
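
Added example, not part of the original thread: a Python check for the point made above about the 'account' line, reporting whether a pam.d service file accepts every authenticated user because its account stack is only pam_permit.so. PERMISSIVE is the stack quoted in the thread; RESTRICTED (account delegated to system-auth) and the function names are assumptions made for illustration.

```python
import re

# The /etc/pam.d/httpd stack quoted in the thread.
PERMISSIVE = """\
auth     required  pam_stack.so service=system-auth
account  required  pam_permit.so
"""

# Constructed variant (assumption): account checks delegated to system-auth,
# so the user must also pass the local account checks of that stack.
RESTRICTED = """\
# web logins limited like the other services
auth     required  pam_stack.so service=system-auth
account  required  pam_stack.so service=system-auth
"""

# type, control (plain keyword or [bracketed list]), module, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a pam.d file."""
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()             # drop comments
        if not line:
            continue
        if line.startswith("@include"):                 # Debian-style include
            yield ("@include", "", line.split()[-1], [])
            continue
        m = RULE.match(line)
        if m:
            kind, control, module, args = m.groups()
            yield (kind.lower(), control, module.rsplit("/", 1)[-1], args.split())

def account_policy(text):
    """Return 'open', 'checked' or 'unknown' for the account stack."""
    rules = list(parse_pam(text))
    account = [mod for kind, _, mod, _ in rules if kind == "account"]
    if not account or any(kind == "@include" for kind, *_ in rules):
        return "unknown"  # rules live in another file or the 'other' service
    if all(mod == "pam_permit.so" for mod in account):
        return "open"     # authentication alone grants access
    return "checked"

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, "->", account_policy(cfg))
```

A result of "unknown" means the file alone does not decide the question and the included or fallback stack has to be read as well.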