[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: mod_auth_kerb and usernames

From: Michael Richters <michael.richters_at_gmail.com>
Date: 2007-03-10 00:36:36 CET

On Sat, Mar 10, 2007 at 10:14:50AM +1100, Samay wrote:
> >On Fri, Mar 09, 2007 at 02:16:51PM -0700, Wesley J. Landaker wrote:
> >>On Friday 09 March 2007 12:53, Michael Richters wrote:
> >>> When using apache with mod_auth_kerb, $REMOTE_USER contains the whole
> >>> kerberos principal name, including "@REALM". This makes it difficult
> >>> to maintain a repository that uses both mod_auth_kerb and some other
> >>> method of access. Is there any way to configure subversion so that
> >>> the realm is stripped from the username?
> >>
> There is a logical reason to keep it that way. user@REALM1.FQDN !=
> user@REALM2.FQDN
> Its part of the bigger Kerberos picture.

I know that. But my subversion repository only allows access from one
kerberos realm, so I don't care about that, and there are other ways
for users to access the repository (svn+ssh://). This means that each
user shows up with two different "usernames", making logs very messy.

> >>I ran across this problem in one installation and ended up concluding
> >>that
> >>to get it to work I'd have to either hack the mod_auth_kerb source, which
> >>would be easy but a pain to track on upgrades, etc, or use
> >>principal@REALM
> >>for usernames in SVN, which would be unacceptable.
> we integrate SVN Auth with Active Directory using HTTP+Mod_auth_kerb. Map
> users via their User principle names in AD. We had to teach few people how
> to find UPN from AD using ADTools or LDAP Explorer. it was the only way as
> we have multiple AD domains/Realms. Now its part of the process. YMMV.

That's nice, but not relevant to my needs.

> >>So instead, I just used mod_auth_pam at let the Linux PAM system handle
> >>the
> >>kerberos authentication transparently instead.
> >
> >Does mod_auth_pam do SPNEGO authentication, allowing the users to use
> >their kerberos tickets to authenticate without the use of passwords?
> No. Mod_auth_pam allows for 'basic' authentication.

I didn't think so. That was mostly a rhetorical question.


To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Sat Mar 10 03:04:03 2007

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.