[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Multiple authentication sources

From: Frank Gruman <fgatwork_at_verizon.net>
Date: Wed, 10 Dec 2008 02:53:30 -0500

On Wed, 2008-12-10 at 14:09 +0900, Craig McQueen wrote:

> Frank Gruman wrote:
>
> > On Mon, 2008-12-08 at 11:24 +0900, Craig McQueen wrote:
> >
> >
> > > Frank Gruman wrote:
> > >
> > >
> > > > On Fri, 2008-12-05 at 13:29 -0600, Alec Kloss wrote:
> > > >
> > > >
> > > >
> > > > > On 2008-12-05 10:55, Craig McQueen wrote
> > > >
> > > > I've successfully implemented multiple authentication sources, but I
> > > > believe the current limitation (until Apache 2.3/2.4 is released) is
> > > > that they must all be of the same type (AuthType Basic or AuthType
> > > > SSPI). In my case, I was able to do basic authentication with a file
> > > > and LDAP.
> > > >
> > > > But I thought it would still be possible. I found a sample config here
> > > > -
> > > > http://osdir.com/ml/version-control.subversion.ankhsvn.general/2006-04/msg00037.html
> > > >
> > > >
> > > > <Location /svn/>
> > > > DAV svn
> > > > SVNParentPath "/srv/svn/my_projects"
> > > >
> > > > AuthName "Subversion Repositories"
> > > > Require valid-user #this is all authenticated users on
> > > > domain
> > > > AuthAuthoritative Off #enables multiple authorities
> > > >
> > > > AuthType SSPI
> > > > SSPIAuth On
> > > > SSPIAuthoritative Off
> > > > #SSPIAuthoritative On - Forces only SSPI auth, skips passwd
> > > > file
> > > > SSPIOmitDomain On
> > > > SSPIDomain MY_AD_DOMAIN
> > > > SSPIOfferBasic On
> > > >
> > > > AuthType Basic
> > > > AuthUserFile "/srv/svn/auth/basic_users"
> > > >
> > > > AuthzSVNAccessFile "/srv/svn/auth/svn_users"
> > > >
> > > > </Location>
> > > >
> > > > Regards,
> > > > Frank
> > > >
> > > >
> > >
> > > That configuration looks like it's good for Apache 2.0, but not 2.2.
> > > The "AuthAuthoritative" directive is no longer used in 2.2. My
> > > configuration looks very similar to that, except that instead of
> > > AuthAuthoritative, I have AuthBasicAuthoritative. But it doesn't work,
> > > as I previously described. Does anyone have a configuration that works
> > > specifically on Apache 2.2?
> > >
> > > Regards,
> > > Craig McQueen
> > >
> > >
> > >
> > >
> >
> > Ahh - so right you are on the version - sorry for wasting your cycles...
> >
> > Could you post the relevant portion of your config file for us to look
> > at? The only thing that I can really see that mattered in the notes on
> > the link you provided in your original post is to make sure to specify
> > that neither authentication mechanism is to be authoritative. Had I not
> > read the instructions twice (or thrice) I would have missed that in my
> > own configuration.
> >
> > At the very least, if you can't see the issue perhaps another on the
> > list will see the nefarious command keeping you from your goals.
> >
> > Regards,
> > Frank
> >
> >
>
> Here it is:
>
> <Location /svn/>
> Options Indexes FollowSymLinks
>
> DAV svn
> SVNListParentPath on
> SVNParentPath C:/SVN/Repositories
> #SVNIndexXSLT "/svnindex.xsl"
> SSLRequireSSL
>
> # Keep these in sync with location /websvn below
> AuthName "Subversion repositories"
>
> AuthType Basic
> AuthBasicAuthoritative Off
> AuthUserFile c:/SVN/conf/htpasswd
>
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative Off
> SSPIDomain OURDOMAIN
> #SSPIOmitDomain on
> #SSPIUsernameCase lower
> #SSPIPerRequestAuth on
> SSPIOfferBasic On
>
> Require valid-user
> #SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
>
> SVNPathAuthz Off
> #AuthzSVNAccessFile c:\SVN\conf\svnaccessfile
> </Location>
>
>

Excellent! Thanks for posting back and letting us all know what worked!

Regards,
Frank

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=982054

To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2008-12-10 08:54:29 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.