
Re: Kerberos + basic auth with Apache (path based)

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: Wed, 8 Apr 2009 08:32:46 -0500

On 2009-04-08 13:40, Daniel Klaffenbach wrote:
> I am running Scientific Linux 5.2 with subversion 1.4.2 and apache
> 2.2.3. The subversion repositories reside in /var/www/svn and are
> being served with mod_dav_svn.
>
> The users should be authenticated with Kerberos. If Kerberos fails, I
> want subversion to check the REPONAME/conf/authz and passwd file for
> manually added users. Since we are going to have ~200 repositories I
> cannot keep all the users in one authz file.
>
> How do I have to set up apache to parse all the authz files in the
> different repositories?
>
> The Kerberos part kind of works with
> AuthzSVNAccessFile /var/www/svn_authz
> but obviously I cannot keep all the user information in there. Users
> should also be able to add non-Kerberos users and configure access for
> krb and non-krb users.
>
> Any ideas?
>

Your question, "how do I get Apache to use multiple authentication
modules?", is more of an Apache+mod_auth_kerb question than a
Subversion question. I've not found a satisfactory answer for
Apache 2.2 + mod_auth_kerb so I've pieced together my own patches
to Apache 2.2.9 and mod_auth_kerb 5.3 which can do this. YMMV.

Here's the gist of the changes:

httpd-2.2.9/server/request.c:
        Change authorization checking to enable authorization when any
        authorization header is found, not just when the location
        requires authentication.

httpd-2.2.9/modules/aaa/mod_auth_basic.c:
        Add an AuthBasicLazy flag, which when true, enables
        mod_auth_basic on any request with an "Authorization: basic"
        header.

mod_auth_kerb-5.3/src/mod_auth_kerb.c:
        Changes to make Kerberos less authoritative to allow basic auth
        from other modules to succeed.

Are there any Apache folks around who have any thoughts about this?

% openssl sha1 apache22-request-auth-header-patch apache-mod_auth_basic-svn+authoratative.patch mod_auth_kerb-svn+basic.patch
SHA1(apache22-request-auth-header-patch)= 85b4e44c3c88f791c3475a4461533db9db3ae4ee
SHA1(apache-mod_auth_basic-svn+authoratative.patch)= ad2914b5422daedf4bf3bd498a87b3ac5f5255d3
SHA1(mod_auth_kerb-svn+basic.patch)= b659e2d1bfe1d30d3833bfbeea8558b3194ecc85

-- 
Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956



Received on 2009-04-08 15:33:50 CEST

This is an archived mail posted to the Subversion Users mailing list.
