[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svnserve, sasl and windows authentication

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: Mon, 8 Sep 2008 09:11:39 -0500

On 2008-09-08 09:35, Matthew Richardson wrote:
> > So, if you're willing to do https:// and use SSPI for windows
> > login, and you can set up mod_auth_kerb, you've got nice
> > single-sign-on for windows. With a bit of work, you can do GSSAPI
> > over svnserve (with MIT Kerberos) and get SSO for Windows domain
> > users as well. Doing GSSAPI with SSPI would require someone to
> > write some real code in Cyrus SASL. Maybe someone already has, but
> > I haven't noticed it.
> Note that the 3rd option, using https:// with apache and mod_auth_krb
> and using GSSAPI rather than SSPI isn't yet possible. That is, you can
> only use the kerberos ticket you get from a domain login, you can't use
> MIT Kerberos client to provide your ticket).
> I've been pushing for this in any one of TortoiseSVN, Svn or the neon
> libraries, but no joy so far...

True, in that everyone's binaries link neon with SSPI not MIT
GSSAPI. You can rebuild neon on Windows to link against MIT, then
rebuild tortoise with that neon, and use MIT GSSAPI instead of
SSPI, which can then use either domain login credentials via the
MSLSA: credentials cache or a MIT API: or FILE: credentials cache.

But, it is a pain to say to everyone, "oh yeah, when you're
accessing our repo, use this funny build of Subversion/Tortoise
instead of the offical one you downloaded."

Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956

  • application/pgp-signature attachment: stored
Received on 2008-09-08 16:12:09 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.