
Re: Authentication proxy for slave Subversion repos

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Wed, 29 May 2013 07:54:47 -0400

On Tue, May 28, 2013 at 7:19 PM, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
> Philippe Andersson wrote on Tue, May 28, 2013 at 09:52:10 +0200:
>> Hello list,
>>
>> We're starting to create slave Subversion repos for installation on
>> remote sites. All of them will svnsync against a single central master
>> at headquarters.
>>
>> Now the question: we would like all users on the remote sites to
>> authenticate against the master (to avoid having to replicate that info
>> as well to the slave servers). The authentication on the master is
>> handled through Apache.
>>
>> Is it possible to configure the slave servers to proxy the
>> authentication requests against the master?
>
> It's certainly possible (e.g., if you use LDAP authentication you could
> configure an LDAPAuthURL that points to HQ), but whoever has access to
> the slave's httpd.conf will be able to disable/change those settings.

If I may suggest? You're re-inventing yet another in a whole set of
wheels for high availability support. Why not just buy the whole Land
Rover to start with, talk to our friends and colleagues over at
www.wandisco.com, and check out their commercial support for
multi-master setups for Subversion? With all the work they've done to
provide genuine multi-master support, I'm sure they've devoted good
support to shared authentication. In fact, I'm sure the shared
authentication is built into numerous Apache modules such as mirrored
flat text file account management distributed through cfengine or
chef, LDAP with Kerberos, NIS, or a dozen other services.
Received on 2013-05-29 13:55:22 CEST

This is an archived mail posted to the Subversion Users mailing list.
