
Re: AD authentication for SVN

From: Florian Seydoux <florianseydoux_at_gmail.com>
Date: Wed, 09 Jul 2008 11:28:40 +0200

sanjeev.kumarroy_at_wipro.com wrote:
> [...]
> Now I want to setup the user level Authentication using Microsoft AD.
> Can someone please guide me as to how I can set up the subversion for AD
> authentication?
> --------------------
> [...]
> I have to setup a windows 2003 server for authenticating the svn now. NOTE that
> my SVN is currently running on a rhel machine.
> Can you please let me know how I can configure the apache to set the svn
> for authentication via the Microsoft AD?
>
<snip>

Well,
there are multiple ways for such authorization.
For people hosting the apache server on windows (not your case apparently),
they can use the sspi package (mod_auth_sspi), e.g.:

<Location /svn/>
        DAV svn
        SVNParentPath "C:/SVN/repositories/"
        SVNListParentPath on
        SVNIndexXSLT "/svnindex.xsl"
        SVNAutoversioning on
        # ### --- windows authentication
        AuthName "Subversion Server"
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIDomain <your-domain>
        # # some tricks
        SSPIUsernameCase lower
        SSPIOfferBasic On
        SSPIOmitDomain On
        # ### -----------------------------
        Satisfy Any
        Require valid-user
        AuthzSVNAccessFile "C:/SVN/accesscontrol"
</Location>

But this module is not available for *nix; so in your case, you should be
able to use the kerberos module (in this case, you need the help of the admin
of the AD), as well as some googling (look at
    http://support.microsoft.com/?scid=kb%3Ben-us%3B555092&x=12&y=19
)

On my side (apache on linux server, auth. from a windows AD), I just use the
LDAP auth, and the (apache) AuthnProviderAlias, to be more flexible (e.g. to
mix authentication through the AD server and using local user-password file).

I can give you a small example (but there is plenty of documentation
that google can give you):

First, you have to find the 'distinguishedName' of the user who will do the
request. Assuming that the user 'guest' (password='guestpass') will do that,
and will have a dist.name like
    'CN=guest,OU=Users,OU=MyComp,DC=server,DC=net',
on the server (machine 'mycomp-dc.net'),

you just have to configure the apache server like that:

<AuthnProviderAlias ldap ldap-dc>
   AuthLDAPBindDN "CN=guest,OU=Users,OU=MyComp,DC=server,DC=net"
   AuthLDAPBindPassword guestpass
   AuthLDAPURL ldap://mycomp-dc1:389/OU=Users,OU=MyComp,DC=server,DC=net?sAMAccountName?sub?(objectClass=user)
</AuthnProviderAlias>

and use this alias in a normal SVN location:

<Location /svn/projectXYZ>
        DAV svn
        SVNPath ...
        SVNAutoversioning on
        SVNIndexXSLT "/layout/svnindex.xsl"
        AuthzSVNAccessFile ...
        AuthName "MyComp project xyz svn"
        AuthType Basic
        AuthBasicAuthoritative off
        AuthzLDAPAuthoritative off
        AuthBasicProvider ldap-dc
        Satisfy Any
        <LimitExcept GET PROPFIND OPTIONS REPORT>
                Require valid-user
        </LimitExcept>
</Location>

regards,

florian

PS: you can use some tools like 'LDAP Browser' (windows) to scan the
structure of the ldap 'AD'.

-- 
--------------------------------------------------------------------
Seydoux Florian
http://www.spinx-technologies.com
--------------------------------------------------------------------
Received on 2008-07-09 11:29:24 CEST
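
An added example, not part of the message above and not Apache or Subversion code: a small Python check that parses the AuthLDAPURL form used in the alias (host:port/basedn?attribute?scope?filter, plus mod_authnz_ldap's optional mode word) and flags the two settings there that decide how credentials are exposed. The function names and finding codes are made up for this example, and the sample config is constructed from the message's own values.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample: the provider block from the message, AuthLDAPURL on one line.
SAMPLE_CONF = '''
<AuthnProviderAlias ldap ldap-dc>
   AuthLDAPBindDN "CN=guest,OU=Users,OU=MyComp,DC=server,DC=net"
   AuthLDAPBindPassword guestpass
   AuthLDAPURL ldap://mycomp-dc1:389/OU=Users,OU=MyComp,DC=server,DC=net?sAMAccountName?sub?(objectClass=user)
</AuthnProviderAlias>
'''

def parse_auth_ldap_url(value):
    """Split an AuthLDAPURL value into its parts; an optional second word is the TLS mode."""
    words = shlex.split(value)                # handles a quoted URL
    u = urlsplit(words[0])
    attr, scope, flt = (u.query.split("?", 2) + ["", "", ""])[:3]
    return {
        "scheme": u.scheme.lower(),
        "host": u.hostname,
        "port": u.port or (636 if u.scheme.lower() == "ldaps" else 389),
        "base_dn": u.path.lstrip("/"),
        "attribute": attr or "uid",           # mod_authnz_ldap defaults
        "scope": scope or "sub",
        "filter": flt or "(objectClass=*)",
        "mode": words[1].upper() if len(words) > 1 else None,
    }

def audit(conf_text):
    """Return (code, detail) findings for the LDAP directives in conf_text."""
    findings = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*(AuthLDAPURL|AuthLDAPBindPassword)\s+(\S.*)$", line, re.I)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if name == "authldapurl":
            p = parse_auth_ldap_url(value)
            # A global LDAPTrustedMode could still enable TLS; it is not checked here.
            if p["scheme"] == "ldap" and p["mode"] not in ("SSL", "TLS", "STARTTLS"):
                findings.append(("cleartext-ldap", f"{p['host']}:{p['port']}"))
        elif not value.startswith("exec:"):   # exec: form exists from Apache 2.4.5
            findings.append(("inline-bind-password", "restrict read access to this file"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONF):
        print(code, detail)
```

With `AuthType Basic` the browser-to-Apache leg carries the same AD password base64-encoded, so the cleartext-ldap finding covers only the Apache-to-domain-controller leg; the `<Location>` itself needs to be served over HTTPS.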

This is an archived mail posted to the Subversion Users mailing list.
