[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Help: Apache2, Kerberos, AD, caching authentication?

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: 21 Sep 2009 08:30:56 -0500

On 2009-09-17 15:54, Tony Butt wrote:
> On Wed, 2009-09-16 at 21:03 -0500, Derek Hoffman wrote:
> > Thank you for the reply Andrey.
> >
> > I looked into it more realized that it was actually multiple DNS
> > requests caused by me using a FQDN for the KDC in my krb5.conf file. I
> > changed it to use the IP address of the KDC instead and everything has
> > sped up a great deal.
> >
> > I'm thinking that I should ask the authors of the apache kerberos module
> > about this, and get their opinion on it.
> >
> > Thanks again,
> > Derek.
> >
> >
> Derek,
> We had this exact problem some years ago, and used exactly that
> solution, which helped. The short answer is, though, you will still be
> hitting your kerberos provider for each and every request.
> I had some luck by configuring kerberos for pam, and then using
> mod_auth_pam to do apache authentication.
> Eventually, we settled on ldap authentication, apache2.2 ldap is quite
> solid, and caches 'out of the box'
> Tony Butt
> CEA Technologies
> Canberra, Australia

This means your Subversion clients are using HTTP Basic
authentication which is handled by mod_auth_kerb. This is a really
ineffecient way to utilize Kerberos. If you use HTTP Negotiate
authentication (aka SPNEGO) you should have much faster
authentication as the server never needs to talk to the KDC at all,
and your clients will get single sign-on in the process which
should make them happier. I suggest using an alternate HTTP Basic
provider in Apache to handle clients that can't do Negotiate such
as LDAP or SASL to handle the HTTP basic results. I use the SASL
provider with some success, and it seems to include a cache as well.

Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956

  • application/pgp-signature attachment: stored
Received on 2009-09-21 15:31:56 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.