Re: svnserve, sasl and windows authentication

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: Fri, 5 Sep 2008 14:30:11 -0500

On 2008-09-05 19:54, Purple Streak wrote:
> Has anyone managed this? I'm just using the windows binaries download from
> tigris (apache 2.2 ones as it happens). And from reading about SASL it
> should be possible to use this to authenticate users with a windows domain.
> However I've tried and I can't find any documentation on how, or rather any
> I can follow!
>
> It seems there would be 2 options, using NTLM or GSSAPI. However I can't
> find anything on getting the NTLM plugin to work, and the GSSAPI plugin
> doesn't seem to be with the binaries, and I can't seem to find it for
> download anywhere.
>
> So my 2 questions are has anyone managed to get either of these working
> (purely on a windows svnserve and client) and is there a reason the GSSAPI
> plugin isn't built with subversion (or is it just not built on windows?)
>
> Thanks

1. Yes. I have saslGSSAPI.dll built and working with svnserver
and MIT Kerberos, which allows a Windows domain user to
authenticate to a svnserve repository using GSSAPI. Getting "NTLM"
working isn't exactly an option, but you don't want to anyway, as
GSSAPI is better. Getting SSPI to do Negotiate/SPNEGO on https://
should work out of the box. Getting Cyrus SASL to link against
SSPI to do GSSAPI is probably a fair bit of work that I haven't
tried to undertake.

So, if you're willing to do https:// and use SSPI for windows
login, and you can set up mod_auth_kerb, you've got nice
single-sign-on for windows. With a bit of work, you can do GSSAPI
over svnserve (with MIT Kerberos) and get SSO for Windows domain
users as well. Doing GSSAPI with SSPI would require someone to
write some real code in Cyrus SASL. Maybe someone already has, but
I haven't noticed it.

2. It's... complicated. There's similar discussion on the Tortoise
list. To get saslGSSAPI.dll to build you need MIT Kerberos
installed, and you need to tweak Cyrus SASL to link against MIT
rather than cybersafe. It isn't terribly difficult, but it's not
stock.

-- 
Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956

application/pgp-signature attachment: stored

Received on 2008-09-05 21:30:42 CEST

This message: [ Message body ]
Next message: Karl Fogel: "Re: svn list no working for some working directories"
Previous message: Larry Shatzer, Jr.: "Re: On commit, svn server to change line ending to unix style for .sh files."
In reply to: Purple Streak: "svnserve, sasl and windows authentication"
Next in thread: Purple Streak: "Re: svnserve, sasl and windows authentication"
Reply: Purple Streak: "Re: svnserve, sasl and windows authentication"
Reply: Matthew Richardson: "Re: svnserve, sasl and windows authentication"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]