
Re: Help: Apache2, Kerberos, AD, caching authentication?

From: Tony Butt <Tony.Butt_at_cea.com.au>
Date: Thu, 17 Sep 2009 15:54:45 +1000

On Wed, 2009-09-16 at 21:03 -0500, Derek Hoffman wrote:
> Thank you for the reply Andrey.
>
> I looked into it more and realized that it was actually multiple DNS
> requests caused by me using a FQDN for the KDC in my krb5.conf file. I
> changed it to use the IP address of the KDC instead and everything has
> sped up a great deal.
>
> I'm thinking that I should ask the authors of the apache kerberos module
> about this, and get their opinion on it.
>
> Thanks again,
> Derek.
>
>
Derek,
We had this exact problem some years ago, and used exactly that
solution, which helped. The short answer is, though, you will still be
hitting your Kerberos provider for each and every request.

I had some luck by configuring Kerberos for PAM, and then using
mod_auth_pam to do Apache authentication.

Eventually, we settled on LDAP authentication; Apache 2.2 LDAP is quite
solid, and caches 'out of the box'.

Tony Butt
CEA Technologies
Canberra, Australia
>
> On Wed, 2009-09-16 at 16:43 -0500, Andrey Repin wrote:
> > Greetings, Hoffman, Derek A.!
> >
> > > Background: My server is using Kerberos to authenticate users against an
> > > Active Directory server. Our typical repository contains 50 to 200 mixed
> > > format files (e.g. word docs, excel, visio, bitmaps, text files, etc.).
> >
> > > Issue: There's a substantial delay when checking out, committing, or
> > > updating. I believe Apache is doing a Kerberos authentication for EVERY
> > > file within the repo when doing a checkout or commit.
> >
> > To my knowledge, this shouldn't be an issue, unless you are separately
> > requesting each file.
> > Have no real experience with Apache/KRB auth, though...
> >
> > > Netstat on the svn
> > > server shows a large number of connections to the AD Server in the
> > > WAITING state. There is a slight delay (maybe 0.5s) for Kerberos
> > > authentication (svn server is in a separate city from the AD server and
> > > must traverse corporate WAN).
> >
> > > Question: Is there any sort of method that would allow the apache server
> > > to cache these Kerberos authentications so that it wouldn't have to
> > > perform an authentication request for every file?
> >
> >
> > --
> > WBR,
> > Andrey Repin (anrdaemon_at_freemail.ru) 17.09.2009, <1:42>
> >
> > Sorry for my terrible english...
> >
> >
> >
>
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2395788
>
> To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2395822


Received on 2009-09-17 07:57:33 CEST
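
The LDAP setup Tony describes settling on, sketched as an added example (not configuration posted by anyone in this thread). It assumes Apache 2.2 with mod_ldap, mod_authnz_ldap, mod_ssl and mod_dav_svn loaded; every host name, DN, path and cache value below is a placeholder.

```apache
# Added example: placeholder hosts, DNs, paths and sizes throughout.

# mod_ldap cache settings are server-wide, so they sit outside <Location>.
LDAPSharedCacheSize 500000
# Search/bind cache: user DN lookups and successful binds.
LDAPCacheEntries    1024
LDAPCacheTTL        600
# Operation cache: results of compare operations (group/attribute checks).
LDAPOpCacheEntries  1024
LDAPOpCacheTTL      600

# CA certificate used to verify the directory server for ldaps:// URLs.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/example-ad-ca.pem

<Location /svn>
    DAV svn
    SVNParentPath /srv/svn

    # Basic auth resends the password with every request: HTTPS only.
    SSLRequireSSL

    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap
    # Search AD by sAMAccountName under the placeholder base DN.
    AuthLDAPURL "ldaps://dc.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    # Low-privilege service account used only for the user search.
    AuthLDAPBindDN "CN=svn-bind,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"
    Require valid-user
</Location>
```

With this in place, repeated requests from one checkout are answered from the cache rather than the directory. The trade-off is that a password change or a disabled account in AD can take up to LDAPCacheTTL seconds to take effect on this server, so keep the TTL short enough for your lockout policy.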

This is an archived mail posted to the Subversion Users mailing list.
