2009/9/21 Alec Kloss <alec.kloss_at_oracle.com>:
> On 2009-09-17 15:54, Tony Butt wrote:
>> On Wed, 2009-09-16 at 21:03 -0500, Derek Hoffman wrote:
>> > Thank you for the reply Andrey.
>> >
>> > I looked into it more and realized that it was actually multiple DNS
>> > requests caused by me using a FQDN for the KDC in my krb5.conf file. I
>> > changed it to use the IP address of the KDC instead and everything has
>> > sped up a great deal.
>> >
>> > I'm thinking that I should ask the authors of the apache kerberos module
>> > about this, and get their opinion on it.
>> >
>> > Thanks again,
>> > Derek.
>> >
>> >
>> Derek,
>> We had this exact problem some years ago, and used exactly that
>> solution, which helped. The short answer is, though, you will still be
>> hitting your kerberos provider for each and every request.
>>
>> I had some luck by configuring kerberos for pam, and then using
>> mod_auth_pam to do apache authentication.
>>
>> Eventually, we settled on ldap authentication, apache2.2 ldap is quite
>> solid, and caches 'out of the box'
>>
>> Tony Butt
>> CEA Technologies
>> Canberra, Australia
> [chop]
>
> This means your Subversion clients are using HTTP Basic
> authentication which is handled by mod_auth_kerb. This is a really
> inefficient way to utilize Kerberos. If you use HTTP Negotiate
> authentication (aka SPNEGO) you should have much faster
> authentication as the server never needs to talk to the KDC at all,
> and your clients will get single sign-on in the process which
> should make them happier. I suggest using an alternate HTTP Basic
> provider in Apache to handle clients that can't do Negotiate such
> as LDAP or SASL to handle the HTTP basic results. I use the SASL
> provider with some success, and it seems to include a cache as well.
>
>
We went with SASL in work for two reasons:
1. it includes caching, and is therefore faster
2. it does not require a read-only account to provide authentication.
(assuming you want to manage authorization from within
apache/subversion... all you need is authentication)
If you are looking for a how to:
Google is your friend: Stephen's Java Adventures How To Apache
Subversion Active Directory
that's a blog post I wrote for setting up authentication against
active directory using sasl, apache and subversion
-Stephen
> --
> Alec.Kloss_at_oracle.com Oracle Middleware
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956
>
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2397507
Received on 2009-09-21 17:37:30 CEST
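
The two mod_auth_kerb modes contrasted in Alec's reply, shown side by side as an added configuration example that is not part of the original thread. The realm, keytab path, repository path and the two Location names are placeholders; the directives are those of mod_auth_kerb and mod_dav_svn.

```apache
# Password mode (what the thread describes as slow): the client sends the
# user's password with HTTP Basic on every request, and the server uses it
# to authenticate to the KDC each time. The password itself crosses the
# wire, so this mode should only ever be offered over TLS.
<Location /svn-password>
    DAV svn
    # placeholder repository path
    SVNPath /srv/svn/repo
    AuthType Kerberos
    AuthName "Subversion"
    # placeholder realm and keytab
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate off
    KrbMethodK5Passwd on
    Require valid-user
</Location>

# Negotiate (SPNEGO) mode: the client obtains a service ticket for
# HTTP/<server fqdn> from the KDC itself and presents it to Apache.
# The server validates the ticket with the key in its keytab, so it
# never contacts the KDC and never sees the user's password.
<Location /svn>
    DAV svn
    SVNPath /srv/svn/repo
    AuthType Kerberos
    AuthName "Subversion"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
</Location>
```

The keytab holds the long-term key of the HTTP service principal, so it should be readable only by the account Apache runs as.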