
Re: svnserve authenticating against Windows domain credentials

From: Mark Phippard <markphip_at_gmail.com>
Date: Fri, 2 May 2008 11:03:53 -0400

On Fri, May 2, 2008 at 10:37 AM, <kmradke_at_rockwellcollins.com> wrote:
>
> "Mark Phippard" <markphip_at_gmail.com> wrote on 05/02/2008 09:09:41 AM:
> > On Fri, May 2, 2008 at 10:04 AM, Scott Palmer <Scott_at_digital-rapids.com> wrote:
> > > Where do the docs state that LDAP and Kerberos aren't supported on
> > > Windows?
> >
> > http://www.sendmail.org/~ca/email/cyrus2/windows.html
>
> Ok, I've already made one bad assumption/misread in this thread, so why
> stop there...
>
> How about this: http://wiki.mozilla.org/LDAP_C_SDK_SASL_Windows

Unfortunately that is an LDAP client that has instructions for
building in SASL so that you can use it to authenticate with the
server. In other words, it is just something using SASL, it is not
implementing an LDAP authorization provider.

> Can GNU SASL be used instead? : http://www.gnu.org/software/gsasl/
> Win32 pre-built:
> http://sourceforge.net/project/showfiles.php?group_id=145682&package_id=211655

It cannot be used as-is. Subversion would have to be configured to
use the function names and header files that it provides. SASL is a
protocol specification, not a library specification. So Subversion is
written against a specific SASL implementation -- Cyrus SASL.

From what I can tell, GNU SASL does not come with any authorization
providers anyway. Cyrus SASL comes with two things:

1) An implementation of SASL authentication mechanisms. This is the
only part that is technically the "SASL" part of the protocol. And
this is all that GNU SASL provides.

2) Some applications that use these authentication mechanisms and
connect them with a way to validate. For example, SASLDB is an
application that stores credentials in a database and can look them up
etc. This is outside the scope of the SASL specification and is a
convenience offering.

I would imagine there are things like this that exist for GNU SASL,
they just are not distributed with the project and would have to be
found.

> I'm fairly ignorant on SASL, but it does seem quite ironic that
> it is harder to authenticate against windows on windows than it is
> to authenticate against windows on unix...

I think a problem is that SASL might have been "over sold" to us as a
solution. SASL itself only seems to cover the way an application
client and server can exchange credentials with each other. What that
can then authenticate against is then up to the SASL implementation.
From an "out of the box" perspective it seems to be lacking pre-built
components, especially for Windows.

-- 
Thanks
Mark Phippard
http://markphip.blogspot.com/
Received on 2008-05-02 17:04:12 CEST
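
The split this message describes, between the SASL mechanism and whatever validates the credentials behind it, shown as an added example (not part of the original mail, and not Subversion or Cyrus SASL code). It uses the PLAIN mechanism (RFC 4616) for the mechanism layer; `FileStore`, `make_directory_stub` and `authenticate` are hypothetical names, and the directory stub does no network I/O.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

Verifier = Callable[[str, str], bool]  # (username, password) -> accepted?

def parse_plain(msg: bytes) -> Tuple[str, str, str]:
    """Mechanism layer: decode a PLAIN message, [authzid] NUL authcid NUL passwd."""
    parts = msg.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("empty authcid or passwd")
    return authzid, authcid, passwd

class FileStore:
    """Hypothetical local credential store, in the role the mail gives SASLDB."""
    def __init__(self) -> None:
        self._db = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._db[user] = (salt, self._hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        # Unknown users still cost one hash, then fail the comparison.
        salt, stored = self._db.get(user, (b"\x00" * 16, b""))
        return hmac.compare_digest(self._hash(password, salt), stored)

def make_directory_stub(entries: dict) -> Verifier:
    """Constructed stand-in for a directory-backed verifier such as LDAP."""
    def verify(user: str, password: str) -> bool:
        expected = entries.get(user)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
    return verify

def authenticate(msg: bytes, verify: Verifier) -> Optional[str]:
    """Server side: the mechanism parses, the pluggable verifier decides."""
    try:
        authzid, authcid, passwd = parse_plain(msg)
    except ValueError:  # also covers invalid UTF-8
        return None
    if authzid and authzid != authcid:
        return None  # this sketch refuses to act on behalf of another identity
    return authcid if verify(authcid, passwd) else None
```

The same `authenticate` call works unchanged with either verifier, which is the sense in which the backend is outside the SASL exchange itself.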

This is an archived mail posted to the Subversion Users mailing list.