> -----Original Message-----
> From: Itamar O [mailto:itamarost_at_gmail.com]
> Sent: 23 July 2010 09:26
> To: users
> Subject: Subversion authentication with SSPI
>
> Hi list,
>
> I am currently successfully using mod_sspi to authenticate
> users against our domain controller (everything is windows here).
> After authentication, Apache passes the sAMAccountName to
> mod_dav_svn as the user name,
> and this is the name that I use for authorization and the
> name that appears in the logs.
>
> Our IT department is planning to change the sAMAccountName
> for all users according to a new policy-
> instead of a short name (like ItamarO) it will be the
> employer serial number.
> The old short name will still be accessible via another AD
> field (mailNickname).
>
> My question is whether there's a way to tell Subversion to
> query the AD server and use the name from mailNickname,
> instead of using whatever mod_sspi passes on.
> Alternatively, configuring mod_sspi to send mailNickname
> instead of sAMAccountName should also do the trick,
> so either solution is acceptable.
>
> (env info: Subversion 1.6.12, Apache 2.2.15, mod_sspi 1.0.4)
>
> Any ideas?
> Thanks,
> Itamar.
>
I think your options currently are:
1/ rebuild sspi to do what you want (it needs a new maintainer anyway!)
2/ switch to the full-blown LDAP plugin.
I have shied away from (2) because (1) works ok and I've not managed to
work out what all the bits should be to even authenticate to our AD
server *sigh*
If anyone knows of a good primer to getting in to all this DC= stuff and
how to work out what it should be when your local admins don't know I
would love to read it.
~ mark c
Received on 2010-07-26 11:23:31 CEST