
Re: mod_auth_kerb and usernames

From: Michael Richters <michael.richters_at_gmail.com>
Date: 2007-03-10 00:36:36 CET

On Sat, Mar 10, 2007 at 10:14:50AM +1100, Samay wrote:
> >On Fri, Mar 09, 2007 at 02:16:51PM -0700, Wesley J. Landaker wrote:
> >>On Friday 09 March 2007 12:53, Michael Richters wrote:
> >>> When using apache with mod_auth_kerb, $REMOTE_USER contains the whole
> >>> kerberos principal name, including "@REALM". This makes it difficult
> >>> to maintain a repository that uses both mod_auth_kerb and some other
> >>> method of access. Is there any way to configure subversion so that
> >>> the realm is stripped from the username?
> >>
>
> There is a logical reason to keep it that way. user@REALM1.FQDN !=
> user@REALM2.FQDN
>
> It's part of the bigger Kerberos picture.

I know that. But my subversion repository only allows access from one
kerberos realm, so I don't care about that, and there are other ways
for users to access the repository (svn+ssh://). This means that each
user shows up with two different "usernames", making logs very messy.

> >>I ran across this problem in one installation and ended up concluding that
> >>to get it to work I'd have to either hack the mod_auth_kerb source, which
> >>would be easy but a pain to track on upgrades, etc, or use principal@REALM
> >>for usernames in SVN, which would be unacceptable.
>
> We integrate SVN Auth with Active Directory using HTTP+Mod_auth_kerb. Map
> users via their User Principal Names in AD. We had to teach a few people how
> to find UPN from AD using ADTools or LDAP Explorer. It was the only way as
> we have multiple AD domains/Realms. Now it's part of the process. YMMV.

That's nice, but not relevant to my needs.

> >>So instead, I just used mod_auth_pam and let the Linux PAM system handle the
> >>kerberos authentication transparently instead.
> >
> >Does mod_auth_pam do SPNEGO authentication, allowing the users to use
> >their kerberos tickets to authenticate without the use of passwords?
>
> No. Mod_auth_pam allows for 'basic' authentication.

I didn't think so. That was mostly a rhetorical question.

  --Mike

Received on Sat Mar 10 03:04:03 2007
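
The following is an added example, not part of the original mail or of any project mentioned in it: one way to collapse `user@REALM` and plain `user` author names when post-processing logs, while refusing to strip any realm other than the single trusted one (the `user@REALM1 != user@REALM2` concern raised in the thread). The realm `EXAMPLE.ORG`, the function names and the sample authors are constructed assumptions.

```python
import re

# Assumption: the single realm this repository trusts (constructed value).
TRUSTED_REALM = "EXAMPLE.ORG"

# Assumption: short names are limited to a conservative character set so the
# result is safe to reuse in authz files and log reports.
_SHORT_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


class UntrustedPrincipal(ValueError):
    """Raised when a name cannot be mapped to a local short name."""


def short_name(remote_user, trusted_realm=TRUSTED_REALM):
    """Map 'user@REALM' from the trusted realm to 'user'.

    Names without a realm (e.g. from svn+ssh://) pass through unchanged.
    A name from any other realm is rejected rather than stripped, because
    user@REALM1 and user@REALM2 are different identities.
    """
    name, sep, realm = remote_user.rpartition("@")
    if not sep:  # no '@' at all: already a short name
        name, realm = remote_user, None
    # Realm names are case-sensitive, so compare exactly.
    if realm is not None and realm != trusted_realm:
        raise UntrustedPrincipal(f"realm not trusted: {remote_user!r}")
    # Instance principals (host/svn@REALM, user/admin@REALM) are not plain users.
    if "/" in name or not _SHORT_NAME.match(name):
        raise UntrustedPrincipal(f"not a plain user principal: {remote_user!r}")
    return name


def normalize_authors(authors, trusted_realm=TRUSTED_REALM):
    """Return (mapping, rejected) for a list of log author names."""
    mapping, rejected = {}, []
    for author in authors:
        try:
            mapping[author] = short_name(author, trusted_realm)
        except UntrustedPrincipal:
            rejected.append(author)
    return mapping, rejected


# Constructed sample authors, as they might appear in log output.
SAMPLE = ["mike@EXAMPLE.ORG", "mike", "mike@OTHER.EXAMPLE", "host/svn@EXAMPLE.ORG"]

if __name__ == "__main__":
    print(normalize_authors(SAMPLE))
```
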

This is an archived mail posted to the Subversion Users mailing list.
