[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: mod_dav_svn & X.509 certificate authorization

From: Udo Rader <listudo_at_bestsolution.at>
Date: Fri, 21 Aug 2009 14:47:36 +0200

Johan Corveleyn wrote:
>> Van: Udo Rader [mailto:listudo_at_bestsolution.at]
>> Verzonden: donderdag 20 augustus 2009 18:15
>> Hi,
>> I am just in the process of setting up a new repository server.
>> Today access to our repository server is available (only) via
>> webdav_at_https, with each developer having his own X.509 certificate
>> to
>> authenticate the https session.
>> Then, in a next step, he is asked for a username & a password (LDAP
>> based), that, upon success, is passed on to mod_dav_svn as a
>> username.
>> And finally, in order to have fine grained access control, we use
>> mod_authz_svn to restrict who is allowed to do what in the
>> repository
>> (stored in the AuthzSVNAccessFile flat text file).
>> Now as I am starting from scratch, I am wondering if progress has
>> been
>> made to utilize X.509 client authentication for mod_dav_svn and
>> mod_authz_svn because I would really like to get rid of the second
>> authentication stage.
> I don't know about the previous thread, and I'm not 100% sure, but I
> would think that this is pure Apache+SSL business, not Subversion's.
> I mean, shouldn't Apache be able to map the X.509 SSL client auth to
> a username, which is then passed on (like any normal auth mechanism)?
> Why would you need a second authentication step, just to get the
> username? Apache already knows who the user is, doesn't it?

Yes, you are absolutely right :-)

Reviewing mod_ssl options, I found that there is a "FakeBasicAuth"
directive that does exactly this "subject DN to username" type of

Maybe I simply didn't notice it or maybe it has been added recently
(well, our old repository server has been running for 6 years now, so
"recently" is relative :-)

Now the only think remaining is to outsource the AuthzSVNAccessFile into
LDAP, but that probably won't work out so easy.

I am currently thinking about creating some kind of converter script,
dumping the relevant parts of the LDAP DIT as a flat file, being
referenced as the AuthzSVNAccessFile, but that's another story :-)

Anyhow, thanks a lot for your "greater view" on this issue.

Udo Rader, CTO
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-08-21 14:48:36 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.