Johan Corveleyn wrote:
>> From: Udo Rader [mailto:listudo_at_bestsolution.at]
>> Sent: Thursday 20 August 2009 18:15
>> I am just in the process of setting up a new repository server.
>> Today access to our repository server is available (only) via
>> webdav_at_https, with each developer having his own X.509 certificate
>> authenticate the https session.
>> Then, in a next step, he is asked for a username & a password (LDAP
>> based), that, upon success, is passed on to mod_dav_svn as a
>> And finally, in order to have fine grained access control, we use
>> mod_authz_svn to restrict who is allowed to do what in the
>> (stored in the AuthzSVNAccessFile flat text file).
>> Now as I am starting from scratch, I am wondering if progress has
>> made to utilize X.509 client authentication for mod_dav_svn and
>> mod_authz_svn because I would really like to get rid of the second
>> authentication stage.
> I don't know about the previous thread, and I'm not 100% sure, but I
> would think that this is pure Apache+SSL business, not Subversion's.
> I mean, shouldn't Apache be able to map the X.509 SSL client auth to
> a username, which is then passed on (like any normal auth mechanism)?
> Why would you need a second authentication step, just to get the
> username? Apache already knows who the user is, doesn't it?
Yes, you are absolutely right :-)
Reviewing mod_ssl options, I found that there is a "FakeBasicAuth"
directive that does exactly this "subject DN to username" type of
Maybe I simply didn't notice it or maybe it has been added recently
(well, our old repository server has been running for 6 years now, so
"recently" is relative :-)
Now the only thing remaining is to outsource the AuthzSVNAccessFile into
LDAP, but that probably won't work out so easy.
I am currently thinking about creating some kind of converter script,
dumping the relevant parts of the LDAP DIT as a flat file, being
referenced as the AuthzSVNAccessFile, but that's another story :-)
Anyhow, thanks a lot for your "greater view" on this issue.
Udo Rader, CTO
Received on 2009-08-21 14:48:36 CEST
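As an added example that is not part of the thread, the httpd configuration below shows the "subject DN to username" mapping discussed above: mod_ssl verifies the client certificate, FakeBasicAuth hands the subject DN to the Basic auth layer as REMOTE_USER, and mod_authz_svn then authorizes that DN against the AuthzSVNAccessFile, so no second LDAP prompt is needed. Hostnames, file paths and the sample DN are placeholders; the DN format assumes httpd 2.2 (2.4 defaults to the RFC 2253 comma form unless `SSLOptions +LegacyDNStringFormat` is set).

```apache
# --- /etc/apache2/sites-enabled/svn.conf (constructed example) ---
<VirtualHost *:443>
    ServerName svn.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/svn.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/svn.example.com.key
    # Accept only certificates chained to the company CA, and insist the
    # client presents one: the TLS handshake *is* the authentication.
    SSLCACertificateFile  /etc/ssl/certs/company-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    <Location /svn>
        DAV svn
        SVNParentPath /srv/svn
        SSLRequireSSL
        # FakeBasicAuth synthesizes the Basic credential "<subject DN>:password"
        # from the verified certificate, so the user never types anything.
        SSLOptions +FakeBasicAuth
        AuthType Basic
        AuthName "Subversion"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/svn-dn.htpasswd
        Require valid-user
        # Path-based authorization keyed on the same DN string.
        AuthzSVNAccessFile /etc/apache2/svn-authz
    </Location>
</VirtualHost>

# --- /etc/apache2/svn-dn.htpasswd (constructed example) ---
# One line per allowed subject DN. The hash MUST be xxj31ZMTZzkVA, the
# crypt() of the literal word "password" that FakeBasicAuth always sends;
# any other hash silently locks the user out. Removing a line revokes access
# without waiting for the CA's CRL.
/C=AT/O=Example GmbH/CN=Jane Doe:xxj31ZMTZzkVA
/C=AT/O=Example GmbH/CN=Build Server:xxj31ZMTZzkVA

# --- /etc/apache2/svn-authz (constructed example) ---
# mod_authz_svn sees the DN as the username, so groups and rules use DNs.
[groups]
developers = /C=AT/O=Example GmbH/CN=Jane Doe
ci = /C=AT/O=Example GmbH/CN=Build Server

[/]
@developers = rw
@ci = r

[/trunk/release]
@developers = r
```

Since the DN is the identity, the authz file must be regenerated whenever certificates are reissued with a different subject, which is the main reason a generated file (for instance from LDAP) is easier to keep consistent than a hand-edited one.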