[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

NTLM authentication in subversion 1.9.0?

From: Grabner Markus <Markus.Grabner_at_alicona.com>
Date: Thu, 10 Sep 2015 15:46:16 +0000

        Hi!

I tried to setup apache-2.4 + subversion-1.9.0 + mod_authn_ntlm on Windows to implement a subversion server with single sign-on, and finally found a working configuration (see below). However, the configuration contains the deprecated "Satisfy" directive, I therefore have some questions:

*) The subversion apache module in version 1.9.0 only works with the "Satisfy Any" directive as given below. When removing it, I always get an authentication error when trying to access the repository. However, in version 1.8.13 the module works fine without the "Satisfy Any" directive and otherwise identical configuration. Is this a bug in 1.8.13 (being too permissive), a bug in 1.9.0 (being too restrictive), or did anything else change between 1.8.13 and 1.9.0 justifying the different behaviour?

*) In case it is indeed desired behaviour to disallow NTLM authentication without "Satisfy Any", how can the deprecated "Satisfy" directive be rewritten using corresponding apache-2.4 directives (such as "Require")?

*) Does anybody know whether this issue is fixed in version 1.9.1? I found binary distributions for 1.8.13 and 1.9.0, but not for 1.9.1.

        Thanks & kind regards,
                Markus Grabner

P.S.: This is the configuration entry for the subversion module:

<Location /svn>
  DAV svn
  SVNListParentPath On
  SVNParentPath "D:/path/to/repositories"
  AuthName "Subversion repositories"
  AuthzSVNAccessFile "D:/path/to/repositories/svn-access-file"
  AuthType SSPI
  NTLMAuth On
  NTLMAuthoritative On
  NTLMOfferBasic On
  NTLMBasicPreferred Off
  NTLMOmitDomain On
  NTLMUsernameCase lower
  Satisfy Any
  Require valid-user
</Location>
Received on 2015-09-10 17:46:28 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.