[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Re: (Again on) Apache Authentication

From: Giulio Troccoli <Giulio.Troccoli_at_uk.linedata.com>
Date: Wed, 19 Mar 2008 15:28:31 -0000

Richard

 

Thanks for your input. However, I didn't suggest I would like to use
LDAP. I actually thought it was only for Windows (but I was wrong).

 

My problem with LDAP is that it feels a bit too much for what I want.
I'd like a very simple to install solution, that's why I still think a
CGI script would be the best solution. I do want to keep my htpasswd
setup if I can, and I did find one called user_manage or maybe
manage_user. It was bit old and although the help page is still there
the zip file is not.

 

Giulio

 

________________________________

From: richard hornsby [mailto:richardjhornsby_at_gmail.com]
Sent: 19 March 2008 15:10
To: users_at_subversion.tigris.org
Subject: Re: (Again on) Apache Authentication

 

==Argh, sorry, didn't pay attention to gmail's reply-to-all==

This may be something specific that would be helpful to you, since you
seem to indicate that if possible you'd like to use LDAP/AD:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

You can use LDAP/AD if you wish - because the communication happens
between the SVN server and the LDAP/AD server. Limiting the discussion
for the moment to http basic auth, the svn client isn't really relevant
- the credentials are handed from the svn client to the svn server
(apache in this case) which then goes and talks to whatever auth method
you choose. The client has no idea and doesn't care how you implement
your authentication once it is handed off via basic auth.

[ svn client ] ===> [ http basic auth ] ===> [ apache ] ===> [ auth
method (ldap,mysql,pam,linux,windows,solaris,etc) ]

The svn client, apache, and authentication servers could be three
different machines running on three different platforms. :)

I'm using mod_authnz_external (http://unixpapa.com/mod_authnz_external/)
to call a perl script which tries to log into our IMAP server.
Incidentally, if that fails, it checks a mySQL database (for trac/svn
accounts which might not be internal users.) Simply, on authentication
failure, the script has a non-zero exit code.

If you're not using LDAP/AD and don't want to use mod_authnz_external
(admittedly I'm using it to implement a bit of a hack), someone a couple
of days ago suggested mod_auth_mysql. You could let them change their
passwords by setting up a simple php/asp script to ask for username,
existing password, and new password.

The beauty of all of these solutions is that they are basically
transparent to your svn users.

Alternatively, and this could be dangerous so I'm not sure I'd recommend
it in general, but if you decide you want to keep your htpasswd setup,
you could write a php/cgi script that calls the htpasswd command. You
could even put it behind a .htaccess file that uses the passwd file to
authenticate - then all you really need to ask for in the form is the
new password, because the username is already stored in HTTP_AUTH_USER
(iirc, been a while) --- maybe?

HTH,
-rj

 

On Wed, Mar 19, 2008 at 8:45 AM, Giulio Troccoli
<Giulio.Troccoli_at_uk.linedata.com> wrote:

Hello everybody,

To cut to the gist I am looking for a way for my SVN users to be able to
change their own SVN passwords.

Some background information first.

Subversion 1.4.4 is installed on a Linux 2.6 kernel box. My developers
work on Windows, AIX or Solaris using http. The Subversion server is not
visible outside of our network (so simple http is fine). I have several
repositories and for each of them I have set up a htpasswd-style file
because I have to keep control of which user has access to which
repository. As part of our development process they all have an account
on the Subversion server too.

Everything works fine, they can checkout, commit, do everything they
need to. But their SVN password is always the same (it's actually the
same password for everybody as, honestly, I couldn't be bothered to give
them different passwords).

I would like either for them to use their account password with
Subversion (they know already how to use passwd) or a nice friendly way
for them to change the Subversion passwords.

I have search through the archive and I did find lots of articles that
suggest basically two ways: using PAM and using a CGI script. This seems
exactly what I am looking for. Correct me if I'm wrong but I don't think
I can use LDAP or AD because I don't use Windows exclusively.

I don't know Apache that well, just the basic to get it running and to
configure Subversion, so I'm not very confident I could set up PAM
correctly. Also, I don't think I could have the option to select which
user has access to which repository (I can always change the pre-commit
hook I know, but that would prevent unauthorized commit only, not
checkouts).

The CGI script seems a very good idea, especially because I have already
set up ViewVC and I remember it was easy-peasy. However, the links I
found seem to be not available anymore (the email are about 3 years
old).

As you can see I am a bit stuck. I know this is not strictly a
Subversion issue, but I know that many others had the same problem and I
am sure they have sorted it out somehow. So what I'm really looking for
is some guidance and expertise.

Thanks in advance
Giulio Troccoli

Linedata Services (UK) Ltd
Registered Office: Bishopsgate Court, 4-12 Norton Folgate, London, E1
6DB
Registered in England and Wales No 3027851 VAT Reg No 778499447

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org

 

 
Received on 2008-03-19 16:28:59 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.