On 2008-11-03 15:49, UKASICK, ANDREW (ATTSI) wrote:
> Has anyone been successful in getting svnserve on Linux to authenticate
> against windows active directory? We have multiple windows domains and
> multiple repositories hosted with svnserve via xinetd. Is this even
> possible?? The svnbook suggests it is, but I can't find even one example
> of anyone succeeding. Getting svn to authenticate with cyrus sasl using
> sasldb2 was pretty painless, but turned out to offer nothing in terms of
> greater security around authentication. It allows me to encrypt all svn
> traffic, but authentication was already encrypted and the rest is a
> minor concern. As concerns other authentication mechanisms, either I'm
> blind or the documentation is just terrible to non-existent.
>
>
>
> Objective: Provide a standard authentication mechanism for multiple reps
> and multiple svn versions while using svnserve.
>
>
>
> By "standard authentication mechanism" I mean enforced complexity,
> expirations and enforced password renewals, passwords not viewable (no
> clear text), etc, etc, the usual stuff.
>
Using the GSSAPI module with svnserve backed by Active Directory does work
and does accomplish these goals.
>
> Also, if svn can authenticate using ldap, how does svn know if the user
> trying to authenticate actually has an account in the repository? The
> docs say that when using sasl, the passwd file is ignored. Ldap doesn't
> know anything about svn repositories, so does svn just let anyone in? I
> suppose you could use the authz file to lock things down a bit, but
> that's a major PIA.
>
As far as I know, there's no authorization integration for svnserve and
ldap, so you're kinda stuck with authz files. If you already have an
ldap directory for authorization data, I'd suggest writing a script to
generate authz files automatically from ldap.
>
> Has anyone out there been successful at this or should I stop wasting
> time trying to figure it out? A "how to" posting would be GREATLY
> appreciated.
>
Well, yes, I've been successful authenticating users via Active
Directory to a svnserve repository. I've tried to help others
through the process, but it's certainly awkward, especially since
different clients have different capabilities, and as far as I
know, none of the Windows distributions include SASL GSSAPI support
out of the box.
Unfortuantely, explaining how to configure subversion with respect
to authorization is pretty complicated due to the large number of
options. You have three network protocols, and each of them have
partially overlapping authentication protocols and different
options for controlling authorization. This is closer to a whole
additional chapter in the Subversion book than an email.
--
Alec.Kloss_at_oracle.com Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956
- application/pgp-signature attachment: stored
Received on 2008-11-04 15:01:52 CET