
Re: (Again on) Apache Authentication

From: richard hornsby <richardjhornsby_at_gmail.com>
Date: Wed, 19 Mar 2008 11:10:29 -0400

==Argh, sorry, didn't pay attention to gmail's reply-to-all==

This may be something specific that would be helpful to you, since you seem
to indicate that if possible you'd like to use LDAP/AD:


You can use LDAP/AD if you wish - because the communication happens between
the SVN server and the LDAP/AD server. Limiting the discussion for the
moment to http basic auth, the svn client isn't really relevant - the
credentials are handed from the svn client to the svn server (apache in this
case) which then goes and talks to whatever auth method you choose. The
client has no idea and doesn't care how you implement your authentication
once it is handed off via basic auth.

[ svn client ] ===> [ http basic auth ] ===> [ apache ] ===> [ auth method (ldap,mysql,pam,linux,windows,solaris,etc) ]

The svn client, apache, and authentication servers could be three different
machines running on three different platforms. :)

I'm using mod_authnz_external (http://unixpapa.com/mod_authnz_external/) to
call a perl script which tries to log into our IMAP server. Incidentally,
if that fails, it checks a mySQL database (for trac/svn accounts which might
not be internal users.) Simply, on authentication failure, the script has a
non-zero exit code.

If you're not using LDAP/AD and don't want to use mod_authnz_external
(admittedly I'm using it to implement a bit of a hack), someone a couple of
days ago suggested mod_auth_mysql. You could let them change their
passwords by setting up a simple php/asp script to ask for username,
existing password, and new password.

The beauty of all of these solutions is that they are basically transparent
to your svn users.

Alternatively, and this could be dangerous so I'm not sure I'd recommend it
in general, but if you decide you want to keep your htpasswd setup, you
could write a php/cgi script that calls the htpasswd command. You could
even put it behind a .htaccess file that uses the passwd file to
authenticate - then all you really need to ask for in the form is the new
password, because the username is already stored in HTTP_AUTH_USER (iirc,
been a while) --- maybe?


On Wed, Mar 19, 2008 at 8:45 AM, Giulio Troccoli <
Giulio.Troccoli_at_uk.linedata.com> wrote:

> Hello everybody,
> To cut to the gist I am looking for a way for my SVN users to be able to
> change their own SVN passwords.
> Some background information first.
> Subversion 1.4.4 is installed on a Linux 2.6 kernel box. My developers
> work on Windows, AIX or Solaris using http. The Subversion server is not
> visible outside of our network (so simple http is fine). I have several
> repositories and for each of them I have set up a htpasswd-style file
> because I have to keep control of which user has access to which
> repository. As part of our development process they all have an account
> on the Subversion server too.
> Everything works fine, they can checkout, commit, do everything they
> need to. But their SVN password is always the same (it's actually the
> same password for everybody as, honestly, I couldn't be bothered to give
> them different passwords).
> I would like either for them to use their account password with
> Subversion (they know already how to use passwd) or a nice friendly way
> for them to change the Subversion passwords.
> I have searched through the archive and I did find lots of articles that
> suggest basically two ways: using PAM and using a CGI script. This seems
> exactly what I am looking for. Correct me if I'm wrong but I don't think
> I can use LDAP or AD because I don't use Windows exclusively.
> I don't know Apache that well, just the basics to get it running and to
> configure Subversion, so I'm not very confident I could set up PAM
> correctly. Also, I don't think I could have the option to select which
> user has access to which repository (I can always change the pre-commit
> hook I know, but that would prevent unauthorized commit only, not
> checkouts).
> The CGI script seems a very good idea, especially because I have already
> set up ViewVC and I remember it was easy-peasy. However, the links I
> found seem to be not available anymore (the emails are about 3 years
> old).
> As you can see I am a bit stuck. I know this is not strictly a
> Subversion issue, but I know that many others had the same problem and I
> am sure they have sorted it out somehow. So what I'm really looking for
> is some guidance and expertise.
> Thanks in advance
> Giulio Troccoli
> Linedata Services (UK) Ltd
> Registered Office: Bishopsgate Court, 4-12 Norton Folgate, London, E1 6DB
> Registered in England and Wales No 3027851 VAT Reg No 778499447
Received on 2008-03-19 16:11:00 CET
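
The authenticator contract described in the reply above (mod_authnz_external runs a script, one backend is tried and then a fallback, and a non-zero exit code means rejection), as an added Python example that is not the poster's Perl script. It assumes the module's pipe method, where the username and password arrive as two lines on stdin; `IMAP_HOST` is a placeholder and the in-memory account table is a constructed stand-in for the MySQL lookup.

```python
#!/usr/bin/env python3
"""Authenticator for mod_authnz_external: exit 0 = accept, non-zero = reject."""
import hashlib
import hmac
import imaplib
import sys

IMAP_HOST = "imap.example.internal"  # assumption: placeholder host name

# Constructed stand-in for the fallback account table (the post uses MySQL):
# username -> (salt, PBKDF2-HMAC-SHA256 hash of the password).
_SALT = b"constructed-salt"
FALLBACK_ACCOUNTS = {
    "extuser": (_SALT, hashlib.pbkdf2_hmac("sha256", b"s3cret-demo", _SALT, 100_000)),
}

def read_credentials(stream):
    """Pipe method (assumed): username on line 1, password on line 2."""
    user = stream.readline().rstrip("\n")
    password = stream.readline().rstrip("\n")
    # Reject empty values and control characters before any backend sees them.
    if not user or not password or any(ord(c) < 32 for c in user + password):
        return None
    return user, password

def check_imap(user, password):
    """Accept if the IMAP server accepts a login over TLS."""
    try:
        with imaplib.IMAP4_SSL(IMAP_HOST, timeout=5) as conn:
            conn.login(user, password)
        return True
    except (imaplib.IMAP4.error, OSError, UnicodeError):
        return False  # bad login or server unreachable: fail closed

def check_fallback(user, password, accounts=FALLBACK_ACCOUNTS):
    """Hash even for unknown users so both paths cost the same, then compare."""
    salt, stored = accounts.get(user, (_SALT, b""))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)

def authenticate(stream, backends=(check_imap, check_fallback)):
    """Return the exit code Apache will see: 0 on success, 1 otherwise."""
    creds = read_credentials(stream)
    if creds is None:
        return 1
    return 0 if any(backend(*creds) for backend in backends) else 1

if __name__ == "__main__":
    sys.exit(authenticate(sys.stdin))
```

Because the credentials come in on stdin rather than as arguments, the password never appears in the process list on the Apache host.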

This is an archived mail posted to the Subversion Users mailing list.
