[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Securing Subversion with a single-sign-on solution

From: James CE Johnson <jcej_at_tragus.org>
Date: Tue, 6 May 2008 08:57:28 -0400 (EDT)

Hi Lakshman,

Sure, I wrote it up here
During the course of conversation on this list, some holes were discovered
in the solution so I posted a follow-up on the 24th. That thread is here
and the follow-up is here

The solution is actually an integration with LDAP but our AD is available
via LDAP so, effectively, our repository is secured via AD.

> Hi James,
> Would you have the steps required to secure Subversion with Active
> Directory.
> If possible could you share it, pleeeeeeeeeease :)
> Thanks
> Lakshman
> -----Original Message-----
> From: James CE Johnson [mailto:jcej_at_tragus.org]
> Sent: Tuesday, 6 May 2008 1:41 AM
> To: users_at_subversion.tigris.org
> Subject: Securing Subversion with a single-sign-on solution
> A while back I figured out how to secure our Subversion repository
> against our Active Directory instance using mod_auth_ldap. That's
> working quite well and lets us avoid maintaining users and groups in two
> places. (Thanks to all who identified some gaping holes in my solution
> and inspired/helped me to get them plugged!)
> However, we still have to maintain a pile of Apache configuration files
> with <Location/> tags and as our user base grows that is going to become
> unmanageable. What would be ideal is a mechanism for delegating
> responsibility for some paths to an admin in the group using that path.
> (I should stop here and point out that we have a single enterprise
> repository rather than a repository-per-project. We thought about this
> carefully and determined that for our use-cases it was more appropriate
> to take this route.)
> We happen to be using Sun's Access Manager (also available as OpenSSO)
> which has a good delegation model and would work perfectly for what we
> want to do. There is an Apache module that intercepts the access request
> and redirects (via 302) the user to an SSO login page. Once
> authenticated, the module then verifies authorization and redirects the
> user back to the original page.
> Unfortunately, the subversion client does not support the 302
> redirection that is at the heart of the implementation. (I've also used
> CAS in the past which is another fantastic SSO solution and it behaves
> essentially the same way.)
> So, has anybody tried to secure Subversion with an SSO solution that
> utilizes 302 redirects? If this is a fruitless effort I can create a
> custom Apache module that uses AM's client SDK but I would rather use an
> out-of-the-box solution if possible.
> Thanks in advance for your thoughts,
> James

To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-05-06 14:48:08 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.