
Re: Help: Apache2, Kerberos, AD, caching authentication?

From: Tony Butt <Tony.Butt_at_cea.com.au>
Date: Tue, 22 Sep 2009 10:33:51 +1000

On Mon, 2009-09-21 at 08:30 -0500, Alec Kloss wrote:
> On 2009-09-17 15:54, Tony Butt wrote:
> > On Wed, 2009-09-16 at 21:03 -0500, Derek Hoffman wrote:
> > > Thank you for the reply Andrey.
> > >
> > > I looked into it more realized that it was actually multiple DNS
> > > requests caused by me using a FQDN for the KDC in my krb5.conf file. I
> > > changed it to use the IP address of the KDC instead and everything has
> > > sped up a great deal.
> > >
> > > I'm thinking that I should ask the authors of the apache kerberos module
> > > about this, and get their opinion on it.
> > >
> > > Thanks again,
> > > Derek.
> > >
> > >
> > Derek,
> > We had this exact problem some years ago, and used exactly that
> > solution, which helped. The short answer is, though, you will still be
> > hitting your kerberos provider for each and every request.
> >
> > I had some luck by configuring kerberos for pam, and then using
> > mod_auth_pam to do apache authentication.
> >
> > Eventually, we settled on ldap authentication, apache2.2 ldap is quite
> > solid, and caches 'out of the box'
> >
> > Tony Butt
> > CEA Technologies
> > Canberra, Australia
> [chop]
>
> This means your Subversion clients are using HTTP Basic
> authentication which is handled by mod_auth_kerb. This is a really
> inefficient way to utilize Kerberos. If you use HTTP Negotiate
> authentication (aka SPNEGO) you should have much faster
> authentication as the server never needs to talk to the KDC at all,
> and your clients will get single sign-on in the process which
> should make them happier. I suggest using an alternate HTTP Basic
> provider in Apache to handle clients that can't do Negotiate such
> as LDAP or SASL to handle the HTTP basic results. I use the SASL
> provider with some success, and it seems to include a cache as well.
>
>
I tried for some weeks to get SPNEGO to work correctly, and eventually
gave up in disgust.

My final mod_auth_kerb config looked like this

  AuthType Kerberos
  Krb5Keytab /etc/apache2/apache.ktab
  KrbAuthRealms CEA.COM.AU
  KrbServiceName HTTP
  KrbMethodNegotiate on
  KrbServiceName HTTP/lion.cea.com.au@CEA.COM.AU

But negotiate was refused, from both Firefox (with the firefox config
set correctly, I think), and the svn client at the time (1.3.x).

If you have any better advice on how to make this work, I am all ears,
as I would much prefer that to ldap.

Tony
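
An added check, not code from this thread: a Python script that parses the mod_auth_kerb block above together with a constructed `klist -k` listing and reports the misconfigurations that make Negotiate fail before the KDC is ever contacted (a repeated directive, a KrbServiceName with no matching keytab entry, Negotiate switched off). It assumes the server's FQDN is lion.cea.com.au, that a repeated single-value directive keeps its later value, and that KrbMethodNegotiate defaults to on.

```python
import re
# Constructed sample: the mod_auth_kerb block from the post, "_at_" restored to "@".
CONFIG = """\
  AuthType Kerberos
  Krb5Keytab /etc/apache2/apache.ktab
  KrbAuthRealms CEA.COM.AU
  KrbServiceName HTTP
  KrbMethodNegotiate on
  KrbServiceName HTTP/lion.cea.com.au@CEA.COM.AU
"""
# Constructed sample of `klist -k /etc/apache2/apache.ktab` output.
KLIST = """\
Keytab name: FILE:/etc/apache2/apache.ktab
KVNO Principal
---- ------------------------------------------
   3 HTTP/lion.cea.com.au@CEA.COM.AU
"""

def parse_directives(text):
    """Map directive name -> list of values, so repeats stay visible."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        out.setdefault(name, []).append(value.strip())
    return out

def keytab_principals(text):
    """Principals listed by klist -k; header lines carry no leading KVNO."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)$", text, re.M)}

def check(config, klist, server_fqdn):
    """Return the problems that would make Negotiate fail before any KDC round trip."""
    d = parse_directives(config)
    problems = []
    for name, values in d.items():
        if len(values) > 1:  # assumed: the later value of a repeated directive wins
            problems.append(f"{name} set {len(values)} times; later value overrides: {values[-1]}")
    service = d.get("KrbServiceName", ["HTTP"])[-1]
    realm = d.get("KrbAuthRealms", [""])[-1].split()[0]
    # A bare service name means HTTP/<fqdn>@REALM; a full principal is used as given.
    want = service if "/" in service else f"{service}/{server_fqdn}@{realm}"
    if want not in keytab_principals(klist):
        problems.append(f"keytab lacks {want}")
    if d.get("KrbMethodNegotiate", ["on"])[-1].lower() != "on":
        problems.append("KrbMethodNegotiate is off: only Basic (password to KDC) is offered")
    return problems
```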


Received on 2009-09-22 02:50:53 CEST

This is an archived mail posted to the Subversion Users mailing list.