
Re: svnserve, sasl and windows authentication

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: Fri, 5 Sep 2008 14:30:11 -0500

On 2008-09-05 19:54, Purple Streak wrote:
> Has anyone managed this? I'm just using the Windows binaries download from
> Tigris (Apache 2.2 ones as it happens). And from reading about SASL it
> should be possible to use this to authenticate users with a Windows domain.
> However I've tried and I can't find any documentation on how, or rather any
> I can follow!
>
> It seems there would be 2 options, using NTLM or GSSAPI. However I can't
> find anything on getting the NTLM plugin to work, and the GSSAPI plugin
> doesn't seem to be with the binaries, and I can't seem to find it for
> download anywhere.
>
> So my 2 questions are: has anyone managed to get either of these working
> (purely on a Windows svnserve and client), and is there a reason the GSSAPI
> plugin isn't built with Subversion (or is it just not built on Windows)?
>
> Thanks

1. Yes. I have saslGSSAPI.dll built and working with svnserve
and MIT Kerberos, which allows a Windows domain user to
authenticate to a svnserve repository using GSSAPI. Getting "NTLM"
working isn't exactly an option, but you don't want to anyway, as
GSSAPI is better. Getting SSPI to do Negotiate/SPNEGO on https://
should work out of the box. Getting Cyrus SASL to link against
SSPI to do GSSAPI is probably a fair bit of work that I haven't
tried to undertake.

So, if you're willing to do https:// and use SSPI for Windows
login, and you can set up mod_auth_kerb, you've got nice
single-sign-on for Windows. With a bit of work, you can do GSSAPI
over svnserve (with MIT Kerberos) and get SSO for Windows domain
users as well. Doing GSSAPI with SSPI would require someone to
write some real code in Cyrus SASL. Maybe someone already has, but
I haven't noticed it.

2. It's... complicated. There's similar discussion on the Tortoise
list. To get saslGSSAPI.dll to build you need MIT Kerberos
installed, and you need to tweak Cyrus SASL to link against MIT
rather than CyberSafe. It isn't terribly difficult, but it's not
stock.

-- 
Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956

Received on 2008-09-05 21:30:42 CEST
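
A minimal server-side configuration for the svnserve-over-GSSAPI setup discussed in this thread, added here as an example; it is not part of the original mail and not the poster's own configuration. It assumes a saslGSSAPI.dll plugin has already been built and installed as the reply describes, and the file locations shown are placeholders.

```ini
# --- <repository>/conf/svnserve.conf (constructed example) ---
[general]
# No anonymous access; every connection must authenticate through SASL.
anon-access = none
auth-access = write

[sasl]
# Hand authentication to Cyrus SASL instead of the built-in password file.
use-sasl = true
# 0 = no security layer, 1 = integrity checking only,
# >1 = minimum encryption strength in bits.
# Raise this only after confirming what your GSSAPI plugin build negotiates.
min-encryption = 1
max-encryption = 256

# --- svn.conf, the Cyrus SASL application config for svnserve (constructed example) ---
# On Windows the SASL library locates this file and its plugin DLLs through the
# SearchPath and ConfFile values under
# HKLM\SOFTWARE\Carnegie Mellon\Project Cyrus\SASL Library.
# Offer GSSAPI only, so clients cannot fall back to a weaker mechanism.
mech_list: GSSAPI
```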

This is an archived mail posted to the Subversion Users mailing list.
