[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: AD authentication for SVN

From: Yves Dorfsman <yves_at_zioup.com>
Date: Wed, 30 Jul 2008 07:11:28 -0600

sanjeev.kumarroy_at_wipro.com wrote:
> Hi Matthias,
> I have the SVN setup in a linux machine and I need to get the
> authentication done from a Windows AD. I am not sure if VisualSVN works
> in Linux. Does it?

visualsvn won't work on a UNIX server.

In theory, there are two ways to get svn on a UNIX box authenticate against
AD. I say in theory, because I haven't managed to get either working yet:

1) svnserve
svnserve uses SASL, and can use any method SASL uses. In theory SASL can use
kerberos, but I have not managed to get it working against AD yet. There is
no point trying to get svnserve against AD until you get SASL itself
working. Check sasl-sample-server and sasl-sample-client. I really wish
svnserve were able to use pam instead of SASL !

2) apache + mod_auth_kerb
At least this is what I thought, but from my tests so far, svn (the client)
is not forwarding the kerberos ticket.

Note: Every time you try to use MIT kerberos against AD, generating keytabs
on the AD server is an issue. That is the advantage of apache +
mod_auth_kerb, it is mature, well documented (see
http://grolmsnet.de/kerbtut/) and relatively easy to setup, if and when
something does not work, you can pretty much assume there is a problem with
your keytabs -

It'd be good if we could get this working and documented properly, I do not
like the alternatives: subversion caches and exchange the password in clear,
and ssh add a huge cost due to encryption - not much for a few co/commit,
but it adds up quickly when say you use an automated software like
cruisecontrol.

-- 
Yves.
http://www.SollerS.ca
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-07-30 15:11:52 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.