> On Fri, Mar 09, 2007 at 02:16:51PM -0700, Wesley J. Landaker wrote:
>> On Friday 09 March 2007 12:53, Michael Richters wrote:
>> > When using apache with mod_auth_kerb, $REMOTE_USER contains the whole
>> > kerberos principal name, including "@REALM". This makes it difficult
>> > to maintain a repository that uses both mod_auth_kerb and some other
>> > method of access. Is there any way to configure subversion so that
>> > the realm is stripped from the username?
>>
There is a logical reason to keep it that way. user@REALM1.FQDN !=
user@REALM2.FQDN
Its part of the bigger Kerberos picture.
>> I ran across this problem in one installation and ended up concluding
>> that
>> to get it to work I'd have to either hack the mod_auth_kerb source, which
>> would be easy but a pain to track on upgrades, etc, or use
>> principal@REALM
>> for usernames in SVN, which would be unacceptable.
we integrate SVN Auth with Active Directory using HTTP+Mod_auth_kerb. Map
users via their User principle names in AD. We had to teach few people how
to find UPN from AD using ADTools or LDAP Explorer. it was the only way as
we have multiple AD domains/Realms. Now its part of the process. YMMV.
>> So instead, I just used mod_auth_pam at let the Linux PAM system handle
>> the
>> kerberos authentication transparently instead.
>
> Does mod_auth_pam do SPNEGO authentication, allowing the users to use
> their kerberos tickets to authenticate without the use of passwords?
No. Mod_auth_pam allows for 'basic' authentication.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Sat Mar 10 00:15:18 2007