
Re: Authentication proxy for slave Subversion repos

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Wed, 29 May 2013 07:58:59 -0400

On Wed, May 29, 2013 at 3:03 AM, Philippe Andersson <pan_at_iba-group.com> wrote:
> Hello Daniel,
>
> Thanks a lot for your reply, first of all.
>
> On 29/05/13 01:19, Daniel Shahaf wrote:
>> Philippe Andersson wrote on Tue, May 28, 2013 at 09:52:10 +0200:
>>> Hello list,
>>>
>>> We're starting to create slave Subversion repos for installation on
>>> remote sites. All of them will svnsync against a single central master
>>> at headquarters.
>>>
>>> Now the question: we would like all users on the remote sites to
>>> authenticate against the master (to avoid having to replicate that info
>>> as well to the slave servers). The authentication on the master is
>>> handled through Apache.
>>>
>>> Is it possible to configure the slave servers to proxy the
>>> authentication requests against the master ?
>>
>> It's certainly possible (e.g., if you use LDAP authentication you could
>> configure an LDAPAuthURL that points to HQ),
> In our case, we use "AuthType Basic" on the master server, so there is
> no URL, just paths to the users and groups file. The password file for
> the Subversion users is generated by a script based on the NIS password
> file. Would it work in this case as well ?
>
>> but whoever has access to
>> the slave's httpd.conf will be able to disable/change those settings.
> This is of no real consequence to us, as we can trust the sysadmins for
> the remote replicas.
>
> Cheers. Bye.
>
> Ph. A.

As long as you've got consistent NIS services in the remote site,
sure. You can even run an NIS slave remotely to stay mirrored to
upstream, and consider running the remote repositories as read-only
repositories. But NIS is becoming really seriously outdated. And its
support for local root users to do "ypcat shadow" and then run
best-guess password crackers against the encrypted passwords is a long
standing security risk.
Received on 2013-05-29 13:59:32 CEST

This is an archived mail posted to the Subversion Users mailing list.
