
RE: Securing Subversion with a single-sign-on solution

From: James CE Johnson <jcej_at_tragus.org>
Date: Tue, 6 May 2008 08:57:28 -0400 (EDT)

Hi Lakshman,

Sure, I wrote it up here
http://pteropus.blogspot.com/2008/04/securing-subversion-via-ldap.html.
During the course of conversation on this list, some holes were discovered
in the solution so I posted a follow-up on the 24th. That thread is here
http://subversion.tigris.org/servlets/BrowseList?list=users&by=thread&from=648726
and the follow-up is here
http://pteropus.blogspot.com/2008/04/securing-subversion-via-ldap-followup.html

The solution is actually an integration with LDAP but our AD is available
via LDAP so, effectively, our repository is secured via AD.

> Hi James,
>
> Would you have the steps required to secure Subversion with Active
> Directory?
> If possible could you share it, pleeeeeeeeeease :)
>
> Thanks
> Lakshman
> -----Original Message-----
> From: James CE Johnson [mailto:jcej_at_tragus.org]
> Sent: Tuesday, 6 May 2008 1:41 AM
> To: users_at_subversion.tigris.org
> Subject: Securing Subversion with a single-sign-on solution
>
> A while back I figured out how to secure our Subversion repository
> against our Active Directory instance using mod_auth_ldap. That's
> working quite well and lets us avoid maintaining users and groups in two
> places. (Thanks to all who identified some gaping holes in my solution
> and inspired/helped me to get them plugged!)
>
> However, we still have to maintain a pile of Apache configuration files
> with <Location/> tags and as our user base grows that is going to become
> unmanageable. What would be ideal is a mechanism for delegating
> responsibility for some paths to an admin in the group using that path.
>
> (I should stop here and point out that we have a single enterprise
> repository rather than a repository-per-project. We thought about this
> carefully and determined that for our use-cases it was more appropriate
> to take this route.)
>
> We happen to be using Sun's Access Manager (also available as OpenSSO)
> which has a good delegation model and would work perfectly for what we
> want to do. There is an Apache module that intercepts the access request
> and redirects (via 302) the user to an SSO login page. Once
> authenticated, the module then verifies authorization and redirects the
> user back to the original page.
>
> Unfortunately, the subversion client does not support the 302
> redirection that is at the heart of the implementation. (I've also used
> CAS in the past which is another fantastic SSO solution and it behaves
> essentially the same way.)
>
> So, has anybody tried to secure Subversion with an SSO solution that
> utilizes 302 redirects? If this is a fruitless effort I can create a
> custom Apache module that uses AM's client SDK but I would rather use an
> out-of-the-box solution if possible.
>
> Thanks in advance for your thoughts,
> James

Received on 2008-05-06 14:48:08 CEST

This is an archived mail posted to the Subversion Users mailing list.
