RE: NTLM lookup within hook script

Thanks Kevin. Can you confirm what size repository you're using? Thousands of files? At least a few hundred revisions and no performance problems with svn log (and not using any sort of log caching)?

Also I'm confused by the SSPIPerRequestAuth. Looking at http://svn-summit.open.collab.net/wiki/RoundTableFeedback I see this:

* SSPI reprompting for auth credentials too often. (Once per Apache child? Subversion creates too many RA sessions?)

* SSPI re-authenticates automatically. The mod_auth_sspi module has an option "SSPIPerRequestAuth on" that, if turned on reduces the re-authentication to once per session. If turned off (the default), it re-authenticates a lot more

It sounds like the SSPIPerRequestAuth is more "chatty" if turned off, so it sounds like you would want it on. See also

http://svn.haxx.se/tsvnusers/archive-2008-07/1073.shtml

where it says

>> this will make SSPI only require new authentication for every request,
>> not every datapacket sent.

So I don't see how having SSPIPerRequestAuth off could be a good thing.

--Todd

________________________________

From: kmradke_at_rockwellcollins.com [mailto:kmradke_at_rockwellcollins.com]
Sent: Wednesday, October 22, 2008 9:27 AM
To: Gleason, Todd
Cc: Miha Vitorovic; SubVersion Users
Subject: RE: NTLM lookup within hook script

"Gleason, Todd" <tgleason_at_impac.com> wrote on 10/22/2008 06:33:44 AM:
> Someone can correct me if I'm wrong, but I understood it to be the case that
> using Apache to do path-based security would cause extreme performance
> problems with Subversion. Basically I thought that lookups would be done on
> every svn path for operations like svn log, update, and checkout, which is a
> dealbreaker since within a given repo we want uniform read access, and high
> performance. I thought this was one of the big reasons behind svnperms. Did
> I misunderstand?

svnperms allows "action" based controls, such as add, but not delete, etc.
Path based only allows for R/O or R/W access.

If you are on windows, you may also want to check out visualsvn server:
http://www.visualsvn.com/server/

It has a graphical management console to add/remove permissions on a
per directory basis and will talk directly to your Active Directory server.
(Similar authentication to mod_auth_sspi)

I haven't seen extreme performance problems using mod_auth_sspi.
You will want to make sure to use "SSPIPerRequestAuth Off" in
your config file though.

Kevin R.

> From: Miha Vitorovic [mailto:mvitorovic_at_nil.si]
> Sent: Tuesday, October 21, 2008 11:26 PM
> To: Gleason, Todd
> Cc: SubVersion Users
> Subject: Re: NTLM lookup within hook script
>
>
> "Gleason, Todd" <tgleason_at_impac.com> wrote on 22.10.2008 04:36:28:
>
> > I'm trying to write a pre-commit hook script along the lines of
> > svnperms. The script needs to do an NTLM lookup on the user
> >
> > The svn server is version 1.5.2 with Apache, running on a Windows
> > server. I'm hoping to implement the script in Python though I don't
> > mind if I have to call into something else for the NTLM lookup.
>
> Todd,
>
> since you're on Apache, aren't you basically trying to reinvent the wheel (
> http://sourceforge.net/projects/mod-auth-sspi)?
>
> Br,
> ---
> Miha Vitorovic
> Inženir v tehničnem področju
> Customer Support Engineer
>
> NIL Data Communications, Tivolska cesta 48, 1000 Ljubljana, Slovenia
> Phone +386 1 4746 500 Fax +386 1 4746 501 http://www.NIL.si
Received on 2008-10-23 16:59:58 CEST