Hi Alec, Thanks for your encouraging response!
We're hosting our svn reps on RHELinux, so I believe I have all the
necessary components, I just don't know how to put it all together. We
also have JIRA authenticating against active directory via ldap on the
same server just fine.
Automating the generation of the authz files is no problem.
Could you give me an outline of what you did to get that working? Then I
can see how far I get and maybe ask you some questions if I get
completely stonewalled somewhere. Also, could you share a copy of all
the relevant config files (sanitized as needed)?
I hate to be a pain, so I hope that wouldn't be too much trouble. If I
get this going, maybe I can write up a guide and post it here for future
generations. ;)
Thanks again.
Andrew Ukasick
Andrew.Ukasick_at_att.com
-----Original Message-----
From: Alec Kloss [mailto:alec.kloss_at_oracle.com]
Sent: Tuesday, November 04, 2008 8:01 AM
To: UKASICK, ANDREW (ATTSI)
Cc: users_at_subversion.tigris.org
Subject: Re: svnserve authentication via windows active directory
On 2008-11-03 15:49, UKASICK, ANDREW (ATTSI) wrote:
> Has anyone been successful in getting svnserve on Linux to
authenticate
> against windows active directory? We have multiple windows domains and
> multiple repositories hosted with svnserve via xinetd. Is this even
> possible?? The svnbook suggests it is, but I can't find even one
example
> of anyone succeeding. Getting svn to authenticate with cyrus sasl
using
> sasldb2 was pretty painless, but turned out to offer nothing in terms
of
> greater security around authentication. It allows me to encrypt all
svn
> traffic, but authentication was already encrypted and the rest is a
> minor concern. As concerns other authentication mechanisms, either I'm
> blind or the documentation is just terrible to non-existent.
>
>
>
> Objective: Provide a standard authentication mechanism for multiple
reps
> and multiple svn versions while using svnserve.
>
>
>
> By "standard authentication mechanism" I mean enforced complexity,
> expirations and enforced password renewals, passwords not viewable (no
> clear text), etc, etc, the usual stuff.
>
Using the GSSAPI module with svnserve backed by Active Directory does
work
and does accomplish these goals.
>
> Also, if svn can authenticate using ldap, how does svn know if the
user
> trying to authenticate actually has an account in the repository? The
> docs say that when using sasl, the passwd file is ignored. Ldap
doesn't
> know anything about svn repositories, so does svn just let anyone in?
I
> suppose you could use the authz file to lock things down a bit, but
> that's a major PIA.
>
As far as I know, there's no authorization integration for svnserve and
ldap, so you're kinda stuck with authz files. If you already have an
ldap directory for authorization data, I'd suggest writing a script to
generate authz files automatically from ldap.
>
> Has anyone out there been successful at this or should I stop wasting
> time trying to figure it out? A "how to" posting would be GREATLY
> appreciated.
>
Well, yes, I've been successful authenticating users via Active
Directory to a svnserve repository. I've tried to help others
through the process, but it's certainly awkward, especially since
different clients have different capabilities, and as far as I
know, none of the Windows distributions include SASL GSSAPI support
out of the box.
Unfortunately, explaining how to configure subversion with respect
to authorization is pretty complicated due to the large number of
options. You have three network protocols, and each of them have
partially overlapping authentication protocols and different
options for controlling authorization. This is closer to a whole
additional chapter in the Subversion book than an email.
--
Alec.Kloss_at_oracle.com Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-11-07 20:21:42 CET