
Re: setting up svn with domain authentication?

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: Tue, 16 Sep 2008 15:54:55 -0500

On 2008-09-16 21:38, Purple Streak wrote:
> 2008/9/16 Alec Kloss <alec.kloss_at_oracle.com>:
> >
> > Don't forget about mod_auth_kerb and/or sasl's GSSAPI plugin.
> >
> > http://modauthkerb.sourceforge.net/
> >
> > http://asg.web.cmu.edu/sasl/
> > http://asg.web.cmu.edu/sasl/sasl-library.html
> >
> > The lovely thing about GSSAPI is that you can do SSO for your Unix
> > and Windows developers (assuming you're using Kerberos in Active
> > Directory, which you probably are).
>
> Except working out how to get GSSAPI running is something that is
> easily available. My current theory is that I could get MIT's
> kerberos and build the GSSAPI plugin from the sasl library. I hope to
> test this theory one day soon. However there's still not much on how
> to configure it once I do that - and even then it looks like SVN
> windows binaries were built with Studio .NET 2002 (from the version of
> msvcrt.dll it uses) which I've not run for years now so I'd have to
> build my own SVN from source - oh and then a build which matches with
> tortoisesvn as well which means people can't just download the usual
> installer from the web and have it work.
>
> So unless there are simple instructions for getting this done that
> I've missed then the GSSAPI option isn't really viable for windows
> people at least. Like I say I'd love to work out how to do it but
> it's not just an install and it runs thing.

Well, it's simple on Unix ;)

If you're using svnserve with GSSAPI authentication, it's not too
difficult. You need to build in saslGSSAPI.dll. Cyrus
SASL wants to use CyberSafe Kerberos, but simple modifications to
the Makefiles are sufficient to get it to build with MIT. Then,
you just have to rebundle the subversion client with saslGSSAPI.dll
and enough of MIT Kerberos to make things work.

Getting https working with GSSAPI on the other hand is a lot
harder. You have to adjust and rebuild neon, rebuild subversion,
probably rebuild tortoise since your users probably want it, and so
on. I'm hoping to someday get MIT GSSAPI support included in more
binary subversion distros, but the svn people, the tortoise people,
myself, and others of course only have so much time to devote.

And all of this assumes you know your way around MIT Kerberos
and Active Directory's Kerberos reasonably well, and can set up the
Kerb infrastructure correctly.

See... easy right? Well, maybe someday it will be.

-- 
Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956

Received on 2008-09-16 22:55:27 CEST
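
For the svnserve case described in the message above, a server-side check that SASL is switched on, anonymous access is off, the SASL layer is encrypted, and GSSAPI is the only mechanism offered. This is an added example, not part of the original mail or of Subversion itself; the helper names, file locations and sample values are constructed, and it assumes the settings live in `svnserve.conf` and in Cyrus SASL's `svn.conf`.

```shell
#!/bin/sh
# Added example: audits a constructed svnserve + Cyrus SASL config pair.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION] of svnserve.conf
ini_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*#/  { next }
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
    insec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) print v
    }' "$1"
}

# audit_svn_gssapi SVNSERVE_CONF SASL_CONF: print findings, return 1 if any
audit_svn_gssapi() {
  rc=0
  [ "$(ini_get "$1" sasl use-sasl)" = "true" ] ||
    { echo "FAIL: [sasl] use-sasl is not true"; rc=1; }
  [ "$(ini_get "$1" general anon-access)" = "none" ] ||
    { echo "FAIL: anon-access is not none (svnserve defaults to read)"; rc=1; }
  minenc=$(ini_get "$1" sasl min-encryption)
  case "$minenc" in ''|*[!0-9]*) minenc=0 ;; esac
  [ "$minenc" -gt 1 ] ||
    { echo "FAIL: min-encryption <= 1, SASL layer is not encrypted"; rc=1; }
  mechs=$(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$2")
  [ "$mechs" = "GSSAPI" ] ||
    { echo "FAIL: mech_list is '$mechs', want only GSSAPI"; rc=1; }
  return "$rc"
}

# write_sample DIR: constructed config pair that passes the audit
write_sample() {
  cat > "$1/svnserve.conf" <<'EOF'
[general]
anon-access = none
auth-access = write
[sasl]
use-sasl = true
min-encryption = 56
max-encryption = 256
EOF
  printf 'mech_list: GSSAPI\n' > "$1/svn.conf"
}

demo=$(mktemp -d) && write_sample "$demo"
audit_svn_gssapi "$demo/svnserve.conf" "$demo/svn.conf" && echo "PASS: only GSSAPI offered"
rm -rf "$demo"
```

The `min-encryption` value of 56 is a constructed sample; the check only requires a value above 1, which is where svnserve starts demanding an encrypted SASL layer rather than none or checksums only.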

This is an archived mail posted to the Subversion Users mailing list.