[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: (Again on) Apache Authentication

From: Les Mikesell <lesmikesell_at_gmail.com>
Date: Wed, 19 Mar 2008 12:07:43 -0500

Giulio Troccoli wrote:
> I would like either for them to use their account password with
> Subversion (they know already how to use passwd) or a nice friendly way
> for them to change the Subversion passwords.
> I have search through the archive and I did find lots of articles that
> suggest basically two ways: using PAM and using a CGI script. This seems
> exactly what I am looking for. Correct me if I'm wrong but I don't think
> I can use LDAP or AD because I don't use Windows exclusively.
> I don't know Apache that well, just the basic to get it running and to
> configure Subversion, so I'm not very confident I could set up PAM
> correctly. Also, I don't think I could have the option to select which
> user has access to which repository (I can always change the pre-commit
> hook I know, but that would prevent unauthorized commit only, not
> checkouts).

PAM should work with ssh+svn with any combination of PAM modules that
work for ssh/system logins. For apache, mod_auth_pam does not seem to
be supported but it still works, at least with Centos 5.x if you have
the httpd-devel package and build the module yourself from source (a
simple 'make install'. I'm using it for several web services to
authenticate against both the local host's passwd file and a windows
domain via SMB. I require a local login to be created for other
services like ssh although the windows password can still be used. For
strictly http access, no account info is needed, so an entry like this:
auth required pam_stack.so service=system-auth
account required pam_permit.so
in /etc/pam.d/httpd will just check for a login/password match and
anyone in the windows domain can log in.

> The CGI script seems a very good idea, especially because I have already
> set up ViewVC and I remember it was easy-peasy. However, the links I
> found seem to be not available anymore (the email are about 3 years
> old).
> As you can see I am a bit stuck. I know this is not strictly a
> Subversion issue, but I know that many others had the same problem and I
> am sure they have sorted it out somehow.

It is a subversion issue when everything except svnserve on the popular
unix-like OS's uses PAM for authentication.

> So what I'm really looking for
> is some guidance and expertise.

It seems slighly risky to use mod_auth_pam since it isn't included in
the distros, but it works and permits the same set of authentication
methods to be checked as your other system programs use without having
to duplicate all the setup.

   Les Mikesell
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-03-19 18:04:44 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.