[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: What are the benefits of using LDAP to authenticate users to SVN

From: Shirish Jain <lists_at_getafix.net>
Date: 2007-06-14 15:10:22 CEST

nikhil gupta said the following on 6/14/2007 10:44 PM:
> Hi Andy,
>
> Thanks for the reply...
>
> But the benefits that you mentioned can also be achieved using the
> SSPI authentication, AFAIK. Are there any additional benefits that
> LDAP provides over SSPI?
>
> Which one would be better to use in terms of security?
>
> --Nikhil
>

LDAP Auth is a special method of (Basic?) authentication, where a
central repository (AD/ Directory server) is queried using LDAP
protocol, username & passwords still travels to the server (clear text
or SSL/TLS). SSPI Microsoft's authentication mechanism,
SSPI(SPNego/GSSAPI) is where password never travels on the wire. Of
course SSPI (SPNego/GSSAPI) is way more secure as you cannot
sniff/compromise user credentials even if using HTTP (clear text)
transport. Inherent design of Kerberos also helps mitigate replay
attacks. Please note SSPI(SPNego/GSSAPI) still can use AD as central
repository. SVN stores user credentials in clear text on some non-win32
platforms excluding when using SSPI/GSSAPI authentication. This is a
security risk unless encrypted file systems are in place.

In case of SSPI(SPNego/GSSAPI), its for all users, if you want to limit
access to the server (not mod_svn_authz) by "group membership" also
managed in LDAP, u need to use SSPI(SPNego/GSSAPI) for Authentication &
LDAP for Access Control, not a trivial setup/for faint hearted.

For more details, please search for Kerberos, RFC for GSSAPI
implementation. You may also refer to "Access Control & Session
Management in http environment", Gutzman, K. 26-35, IEEE Internet
Computing Jan-Feb 2001.

...SJ

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Jun 14 15:11:00 2007

This is an archived mail posted to the Subversion Users mailing list.