httpd-users mailing list archives

From "Thomas Fazekas" <thomas.faze...@gmail.com>
Subject Re: [users@httpd] svn access via apache with ntlm authentication
Date Mon, 22 Oct 2007 17:46:53 GMT
Thanks for all the hints, finally I got it working with LDAP authentication.
For now, I'm happy with that, although indeed it seems a bit slow...

For future reference, here is my config (although it is straightforward and it can
be found on many web resources)

    <Location /svn/repos>
        # Enable Subversion
        DAV svn
        SVNPath /mnt/data/rep/svn

        # LDAP Authentication & Authorization is final; do not check other databases
        AuthLDAPAuthoritative on

        # Do basic password authentication in the clear
        AuthType Basic

        # The name of the protected area or "realm"
        AuthName "domain authentication"

        # Active Directory requires an authenticating DN to access records
        # This is the DN used to bind to the directory service
        # This is an Active Directory user account
        AuthLDAPBindDN "CN=someuser,CN=Users,DC=your,DC=domain"

        # This is the password for the AuthLDAPBindDN user in Active Directory
        AuthLDAPBindPassword xxxx

        # The LDAP query URL
        # Format: scheme://host:port/basedn?attribute?scope?filter
        # The URL below will search for all objects recursively below the basedn
        # and validate against the sAMAccountName attribute
        AuthLDAPURL "ldap://pdc:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"

        # Require authentication for this Location
        Require valid-user
    </Location>

Thomas

On 10/21/07, Krist van Besien <krist.vanbesien@gmail.com> wrote:
> On 10/21/07, Joshua Slive <joshua@slive.ca> wrote:
> > On 10/20/07, Thomas Fazekas <thomas.fazekas@gmail.com> wrote:
> > > In conclusion, svn with NTLM authentication doesn't work...
> > > My problem is that I can't see any other solution how to bring together
> > > a linux based apache/svn with our NT4 based domain :(
> > >
> > > For the time being I'm just gonna go with win based NT server, it
> > > is disappointing though that I didn't get any reply from the svn mailing list...
> >
> > If all you need is to share the user/password database, then the
> > standard solution is use ldap access to the NT domain info. I've never
> > done it myself, but I believe lots of people have success with this.
>
> I've set up an apache/svn server that authenticates against an AD
> server, but I didn't use the standard way with mod_auth_ldap.
>
> The problems with using mod_auth_ldap are:
> - AD normally does not allow anonymous binds, so you need a BindDN for
> your apache server. Another problem was our security policy, that
> requires passwords to be changed every month.
> - Subversion over http is not very efficient. A lot of separate
> requests are generated for each subversion action. Basically
> subversion uses dozens of "PROPFIND" requests to figure out the
> properties of a file, and each of these requests gets authenticated.
> As LDAP binds aren't very fast our SVN server wasn't excruciatingly
> slow when using ldap authentication.
> My solution was to use mod_perl (which I already use for webserver
> configuration) and extend the authentication mechanism using perl
> modules.
>
> One of the interesting features of perl authentication handlers is that
> you can stack them. This allows you to cache authentication requests,
> and this speeds up the server massively.
>
>
> To explain this, let me just show you how it looks in my config file:
>
> AuthType Basic
> AuthName "SVNServer"
> PerlAuthenHandler Apache2::AuthenDBMCache Apache2::AuthenMSAD
>
> PerlSetVar MSADDomain ads.foo.com
> PerlSetVar MSADServer dc.ads.foo.com
>
> require valid-user
> require user joe mary tom
>
> For this to work you need to have an apache server configured for
> mod_perl, and the Apache2::AuthenDBMCache and Apache2::AuthenMSAD
> modules. You can find these on CPAN.
>
> The Apache2::AuthenMSAD uses a feature of MS Active Directory: You can
> bind with a DN of <user>@<domain>. With this you can set up AD
> authentication for your apache server without needing a BindDN for
> your apache server itself.
> The Apache2::AuthenDBMCache module caches the authentication info, so
> that not every request requires a connection with the AD server. This
> has made my SVN server a lot faster.
>
> This works for me. More info about these modules can be found in CPAN.
>
> Krist
>
>
>
> --
> krist.vanbesien@gmail.com
> krist@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
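
The caching idea described in the quoted message (one directory bind serving a whole burst of PROPFIND requests), as an added Python example that is not part of the thread and is not the code of Apache2::AuthenDBMCache. It also shows the trade-off such a cache introduces: after a password rotation the old password is still accepted until the cached entry expires. The AuthCache class, the 300-second TTL and the in-memory dictionary standing in for the AD server are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

class AuthCache:
    """Cache successful credential checks so a request burst costs one bind."""
    def __init__(self, backend, ttl=300, clock=time.monotonic):
        self.backend = backend      # callable(user, password) -> bool (the LDAP bind)
        self.ttl = ttl              # seconds a cached success stays valid (assumed value)
        self.clock = clock
        self._key = os.urandom(32)  # per-process HMAC key; no plaintext passwords stored
        self._entries = {}          # user -> (digest, expiry)

    def _digest(self, user, password):
        msg = user.encode() + b"\0" + password.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def check(self, user, password):
        now, digest = self.clock(), self._digest(user, password)
        entry = self._entries.get(user)
        if entry and entry[1] > now and hmac.compare_digest(entry[0], digest):
            return True             # cache hit: no directory round trip
        if self.backend(user, password):   # miss, expired or different password
            self._entries[user] = (digest, now + self.ttl)
            return True
        return False                # failures are never cached

def simulate():
    """Constructed scenario: a PROPFIND-style burst, then a password rotation."""
    directory = {"joe": "old-secret"}   # constructed stand-in for the AD server
    binds, now = [], [0.0]
    def backend(user, password):
        binds.append(user)              # count directory round trips
        return directory.get(user) == password

    cache = AuthCache(backend, ttl=300, clock=lambda: now[0])
    burst = all(cache.check("joe", "old-secret") for _ in range(30))
    after_burst = len(binds)
    wrong = cache.check("joe", "guess")         # reaches the directory, fails
    directory["joe"] = "new-secret"             # password rotated in the directory
    stale = cache.check("joe", "old-secret")    # still accepted until the TTL ends
    now[0] = 301.0
    expired = cache.check("joe", "old-secret")  # re-bind, now rejected
    fresh = cache.check("joe", "new-secret")
    return burst, after_burst, wrong, stale, expired, fresh, len(binds)

if __name__ == "__main__":
    print(simulate())
```

The TTL is the knob that matters: it bounds both the number of binds saved and how long a changed or disabled credential keeps working.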
