Mark Reibert wrote:
>>> Indeed - I am interested in authentication against an ADS from the Linux
>>> Apache/SVN server.
>> It sounds like integration with ADS authentication is an externally
>> forced requirement, but I just had to ask, do you really have to use
>> ADS? I'm using an LDAP2/Samba3 on a SuSE Enterprise Linux server to
>
> The last time I needed to set this up I was working for an 80,000-person
> company. The corporate infrastructure was Windows ... period. I was able
> to get a couple of things done "out of band", like putting a Linux SVN
> server on the network, but effecting any change to the Windows network
> required an act of God (or whatever supernatural being tickles your
> fancy).

I've set up Apache with simple SMB authentication against a Windows
domain controller without any changes on the Windows side. Using a RH
or CentOS server you can use 'authconfig' to configure SMB
authentication and set up the server and domain - and also allow local
authentication. SMB doesn't provide any account information, so for
users that actually need to log in via ssh, etc., you still have to run
adduser to create the account and home dir but you don't need to
maintain a separate password. HTTP(S) access doesn't really need any
account info, though, so you can install mod_auth_pam, let it use the
system setup for auth, and pam_permit.so for the account info (so if the
password check matches, anyone is permitted). The end result is that
anyone in the Windows domain can use the web interface (with additional
restrictions possible in the web app), people with local accounts can
have full access, and you don't need to keep separate passwords.
However, I'm not sure if all AD setups still respond to SMB auth
requests, and RHEL5/CentOS5 have added a check for uids in the auth
phase of the system PAM setup that needs to be removed if you want
people without local Linux accounts to have web access, and mod_auth_pam
has to be compiled and installed locally.
--
Les Mikesell
lesmikesell@gmail.com
Received on Thu Sep 13 15:17:13 2007
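
Added example, not part of the original message: a small Python audit of the PAM layout described above, reporting whether the account stack is pam_permit.so only and whether a uid check in the auth stack would reject users with no local account. The service name `httpd`, the `system-auth` contents and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample files (assumptions, not from the message): an Apache PAM
# service that includes the system auth stack and uses pam_permit for account.
SAMPLE_FILES = {
    "httpd": """\
#%PAM-1.0
auth     include   system-auth
account  required  pam_permit.so
""",
    "system-auth": """\
auth  sufficient  pam_unix.so nullok try_first_pass
auth  requisite   pam_succeed_if.so uid >= 500 quiet
auth  sufficient  pam_smb_auth.so use_first_pass nolocal
auth  required    pam_deny.so
account required  pam_unix.so
""",
}

LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def stack(files, service, kind):
    """Return [(control, module, args)] for one type, following 'include'."""
    out = []
    for raw in files[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != kind:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).strip()
        if control == "include":
            out.extend(stack(files, module, kind))
        else:
            out.append((control, module.rsplit("/", 1)[-1], args))
    return out

def audit(files, service):
    """Flag the conditions the message describes for a web-only PAM service."""
    auth, account = stack(files, service, "auth"), stack(files, service, "account")
    findings = []
    if account and all(mod == "pam_permit.so" for _, mod, _ in account):
        findings.append("account: pam_permit.so only; every user who passes auth is authorized")
    for _, mod, args in auth:
        if mod == "pam_succeed_if.so" and re.search(r"\buid\b", args):
            findings.append(f"auth: uid check ({args}) rejects users with no local account")
    if any(mod == "pam_permit.so" for _, mod, _ in auth):
        findings.append("auth: pam_permit.so accepts any password")
    return findings

if __name__ == "__main__": print("\n".join(audit(SAMPLE_FILES, "httpd")))
```

With pam_permit.so in the account stack, any restriction on which domain users may reach a repository has to come from the web application or Apache's own authorization rules, so that is where to review access.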