On 2008-09-08 09:35, Matthew Richardson wrote:
> > So, if you're willing to do https:// and use SSPI for windows
> > login, and you can set up mod_auth_kerb, you've got nice
> > single-sign-on for windows. With a bit of work, you can do GSSAPI
> > over svnserve (with MIT Kerberos) and get SSO for Windows domain
> > users as well. Doing GSSAPI with SSPI would require someone to
> > write some real code in Cyrus SASL. Maybe someone already has, but
> > I haven't noticed it.
> Note that the 3rd option, using https:// with apache and mod_auth_krb
> and using GSSAPI rather than SSPI isn't yet possible. That is, you can
> only use the kerberos ticket you get from a domain login, you can't use
> MIT Kerberos client to provide your ticket).
> I've been pushing for this in any one of TortoiseSVN, Svn or the neon
> libraries, but no joy so far...
True, in that everyone's binaries link neon with SSPI not MIT
GSSAPI. You can rebuild neon on Windows to link against MIT, then
rebuild tortoise with that neon, and use MIT GSSAPI instead of
SSPI, which can then use either domain login credentials via the
MSLSA: credentials cache or a MIT API: or FILE: credentials cache.
But, it is a pain to say to everyone, "oh yeah, when you're
accessing our repo, use this funny build of Subversion/Tortoise
instead of the offical one you downloaded."
Alec.Kloss_at_oracle.com Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956
Received on 2008-09-08 16:12:09 CEST
- application/pgp-signature attachment: stored