
RE: mod_dav_svn & X.509 certificate authorization

From: Johan Corveleyn <johan.corveleyn_at_uz.kuleuven.ac.be>
Date: Fri, 21 Aug 2009 10:17:10 +0200

> From: Udo Rader [mailto:listudo_at_bestsolution.at]
> Sent: Thursday 20 August 2009 18:15
> Hi,
> I am just in the process of setting up a new repository server.
> Today access to our repository server is available (only) via
> webdav_at_https, with each developer having his own X.509 certificate to
> authenticate the https session.
> Then, in a next step, he is asked for a username & a password (LDAP
> based), that, upon success, is passed on to mod_dav_svn as a username.
> And finally, in order to have fine-grained access control, we use
> mod_authz_svn to restrict who is allowed to do what in the repository
> (stored in the AuthzSVNAccessFile flat text file).
> Now as I am starting from scratch, I am wondering if progress has been
> made to utilize X.509 client authentication for mod_dav_svn and
> mod_authz_svn because I would really like to get rid of the second
> authentication stage.

I don't know about the previous thread, and I'm not 100% sure, but I would think that this is pure Apache+SSL business, not Subversion's. I mean, shouldn't Apache be able to map the X.509 SSL client auth to a username, which is then passed on (like any normal auth mechanism)? Why would you need a second authentication step, just to get the username? Apache already knows who the user is, doesn't it?

I haven't done SSL client auth for a while, but I guess that there are a couple of ways to infer a username from a client certificate:
- either use the subject DN from the certificate as username, or a part of it (CN?, email?). Or some other certificate attribute.
- or, if you have your own PKI infrastructure, there should be ways to look up the real username in an LDAP, using the subject DN from the client cert.

In an Apache+SVN scenario, Subversion really doesn't care how Apache authenticated the user, as long as Apache communicates the username to mod_dav_svn (like with any other auth mechanism).

> Even better, I would also like to migrate the AuthzSVNAccessFile
> into LDAP.
> Any news on that (I remember a thread on this years ago ... :-)

I don't know, but I'm sure other SVN users have also had this question, and maybe some have come up with nice working solutions for this. So maybe someone else can comment on this...
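A minimal httpd configuration for the mapping Johan describes above, added here as an illustration and not taken from the thread or from either poster: mod_ssl's FakeBasicAuth hands the verified client certificate's subject DN into the ordinary Basic-auth chain, so mod_dav_svn and mod_authz_svn receive it as the username without a second login. It follows the Apache 2.2 directive set current when this mail was written; the hostname, file paths, DNs and repository name are assumed.

```apache
# Constructed example: X.509 client-certificate authentication for
# mod_dav_svn with no second password prompt (Apache 2.2, mod_ssl,
# mod_dav_svn and mod_authz_svn loaded). All paths are assumed.
<VirtualHost *:443>
    ServerName svn.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/svn.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/svn.example.com.key
    # The private CA that issues the developer certificates.
    SSLCACertificateFile  /etc/apache2/ssl/developer-ca.crt
    # Revoking a developer's certificate is how access is withdrawn; keep
    # the CRL current or revoked certificates keep working.
    SSLCARevocationFile   /etc/apache2/ssl/developer-ca.crl
    # No acceptable client certificate, no request at all.
    SSLVerifyClient require
    # Accept only certificates signed directly by developer-ca.
    SSLVerifyDepth 1

    <Location /svn>
        DAV svn
        SVNParentPath /srv/svn
        # FakeBasicAuth substitutes the verified certificate's subject DN
        # as the Basic username, with the fixed password "password".
        SSLOptions +FakeBasicAuth +StdEnvVars
        AuthType Basic
        AuthName "Subversion"
        # One line per developer: the DN, then crypt(3) of "password",
        # the value quoted in the mod_ssl documentation, e.g.
        #   /C=BE/O=Example/CN=alice:xxj31ZMTZzkVA
        AuthUserFile /etc/apache2/svn-cert-users
        Require valid-user
        # Fine-grained rules see the same DN as the username. A DN cannot
        # stand alone as a key in the access file because it contains '=',
        # so list DNs as group members instead:
        #   [groups]
        #   developers = /C=BE/O=Example/CN=alice, /C=BE/O=Example/CN=bob
        #   [project1:/]
        #   @developers = rw
        AuthzSVNAccessFile /etc/apache2/svn-authz
    </Location>
</VirtualHost>
```

Reference this AuthUserFile only from locations guarded by SSLVerifyClient require, since the password is the same for every entry and only the certificate check makes the DN trustworthy. Apache 2.4 renders the DN as `CN=alice,O=Example,C=BE` unless `SSLOptions +LegacyDNStringFormat` is set, and those commas would break the group line.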

Received on 2009-08-21 10:18:14 CEST

This is an archived mail posted to the Subversion Users mailing list.