[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Help: Apache2, Kerberos, AD, caching authentication?

From: Stephen Connolly <stephen.alan.connolly_at_gmail.com>
Date: Mon, 21 Sep 2009 16:36:47 +0100

2009/9/21 Alec Kloss <alec.kloss_at_oracle.com>:
> On 2009-09-17 15:54, Tony Butt wrote:
>> On Wed, 2009-09-16 at 21:03 -0500, Derek Hoffman wrote:
>> > Thank you for the reply Andrey.
>> >
>> > I looked into it more realized that it was actually multiple DNS
>> > requests caused by me using a FQDN for the KDC in my krb5.conf file. I
>> > changed it to use the IP address of the KDC instead and everything has
>> > sped up a great deal.
>> >
>> > I'm thinking that I should ask the authors of the apache kerberos module
>> > about this, and get their opinion on it.
>> >
>> > Thanks again,
>> > Derek.
>> >
>> >
>> Derek,
>> We had this exact problem some years ago, and used exactly that
>> solution, which helped. The short answer is, though, you will still be
>> hitting your kerberos provider for each and every request.
>> I had some luck by configuring kerberos for pam, and then using
>> mod_auth_pam to do apache authentication.
>> Eventually, we settled on ldap authentication, apache2.2 ldap is quite
>> solid, and caches 'out of the box'
>> Tony Butt
>> CEA Technologies
>> Canberra, Australia
> [chop]
> This means your Subversion clients are using HTTP Basic
> authentication which is handled by mod_auth_kerb.  This is a really
> ineffecient way to utilize Kerberos.  If you use HTTP Negotiate
> authentication (aka SPNEGO) you should have much faster
> authentication as the server never needs to talk to the KDC at all,
> and your clients will get single sign-on in the process which
> should make them happier.  I suggest using an alternate HTTP Basic
> provider in Apache to handle clients that can't do Negotiate such
> as LDAP or SASL to handle the HTTP basic results.  I use the SASL
> provider with some success, and it seems to include a cache as well.

We went with SASL in work for two reasons:

1. it includes caching, and is therefore faster
2. it does not require a read-only account to provide authentication.
(assuming you want to manage authorization from within
apache/subversion... all you need is authentication)

If you are looking for a how to:

Google is your friend: Stephen's Java Adventures How To Apache
Subversion Active Directory

that's a blog post I wrote for setting up authentication against
active directory using sasl, apache and subversion


> --
> Alec.Kloss_at_oracle.com                   Oracle Middleware
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956


To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-09-21 17:37:30 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.