httpd-users mailing list archives

From "Krist van Besien" <krist.vanbes...@gmail.com>
Subject Re: [users@httpd] svn access via apache with ntlm authentication
Date Sun, 21 Oct 2007 13:58:05 GMT
On 10/21/07, Joshua Slive <joshua@slive.ca> wrote:
> On 10/20/07, Thomas Fazekas <thomas.fazekas@gmail.com> wrote:
> > In conclusion, svn with NTLM authentication doesn't work...
> > My problem is that I can't see any other solution how to bring together
> > a linux based apache/svn with our NT4 based domain :(
> >
> > For the time being I'm just gonna go with win based NT server, it
> > is disappointing though that I didn't get any reply from the svn mailing list...
>
> If all you need is to share the user/password database, then the
> standard solution is to use ldap access to the NT domain info. I've never
> done it myself, but I believe lots of people have success with this.

I've set up an apache/svn server that authenticates against an AD
server, but I didn't use the standard way with mod_auth_ldap.

The problems with using mod_auth_ldap are:
- AD normally does not allow anonymous binds, so you need a BindDN for
your apache server. Another problem was our security policy, that
requires passwords to be changed every month.
- Subversion over http is not very efficient. A lot of separate
requests are generated for each subversion action. Basically
subversion uses dozens of "PROPFIND" requests to figure out the
properties of a file, and each of these requests gets authenticated.
As LDAP binds aren't very fast our SVN server wasn't excruciatingly
slow when using ldap authentication.

My solution was to use mod_perl (which I already use for webserver
configuration) and extend the authentication mechanism using perl
modules.

One of the interesting features of perl authentication handlers is that
you can stack them. This allows you to cache authentication requests,
and this speeds up the server massively.


To explain this, let me just show you how it looks in my config file:

AuthType Basic
AuthName "SVNServer"
PerlAuthenHandler Apache2::AuthenDBMCache Apache2::AuthenMSAD

PerlSetVar MSADDomain ads.foo.com
PerlSetVar MSADServer dc.ads.foo.com

require valid-user
require user joe mary tom

For this to work you need to have an apache server configured for
mod_perl, and the Apache2::AuthenDBMCache and Apache2::AuthenMSAD
modules. You can find these on CPAN.

The Apache2::AuthenMSAD uses a feature of MS Active Directory: You can
bind with a DN of <user>@<domain>. With this you can set up AD
authentication for your apache server without needing a BindDN for
your apache server itself.
The Apache2::AuthenDBMCache module caches the authentication info, so
that not every request requires a connection with the AD server. This
has made my SVN server a lot faster.

This works for me. More info about these modules can be found in CPAN.

Krist



-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
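
The cache-then-bind flow described in the message above, as an added Perl example that is not part of the original post and is not the code of the CPAN modules. The helper make_authenticator, its bind/ttl options and the sample credentials are assumptions constructed for illustration; the directory bind is injected as a coderef so the logic runs offline.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Hypothetical helper (not the CPAN modules' API): returns a closure that
# checks an in-memory cache first and only then binds to the directory.
# $opt{bind} is a coderef ($upn, $password) -> true/false; injected so the
# logic runs offline. A real one would perform the LDAP simple bind.
sub make_authenticator {
    my (%opt) = @_;
    my %cache;    # lowercased user -> { salt, digest, expires }
    return sub {
        my ($user, $password, $now) = @_;
        $now //= time;
        # An empty password makes an LDAP simple bind "unauthenticated"
        # (RFC 4513), which a server may report as success: refuse it here.
        return 0 unless defined $password && length $password;
        # Conservative user-name check before building user@domain.
        return 0 unless defined $user && $user =~ /\A[A-Za-z0-9._-]+\z/;
        my $key = lc $user;
        my $hit = $cache{$key};
        return 1 if $hit && $hit->{expires} > $now
            && sha256_hex($hit->{salt} . $password) eq $hit->{digest};
        # Miss, expiry or mismatch: bind as user@domain, no service account.
        return 0 unless $opt{bind}->("$user\@$opt{domain}", $password);
        # Store a salted digest, never the password; salt only has to be unique.
        my $salt = join '', map { sprintf '%02x', int rand 256 } 1 .. 16;
        $cache{$key} = { salt => $salt, expires => $now + $opt{ttl},
                         digest => sha256_hex($salt . $password) };
        return 1;
    };
}

# Constructed stand-in for the domain controller; counts bind attempts.
my $binds = 0;
my $auth  = make_authenticator(
    domain => 'ads.foo.com', ttl => 300,
    bind   => sub { $binds++; $_[0] eq 'joe@ads.foo.com' && $_[1] eq 's3cret' },
);
for my $try (['joe', 's3cret', 1000], ['joe', 's3cret', 1010],
             ['joe', 'wrong',  1020], ['joe', '',       1030],
             ['joe', 's3cret', 1400]) {
    my $ok = $auth->(@$try) ? 'OK' : 'DENIED';
    printf "t=%d user=%s pw=%-6s -> %-6s binds so far: %d\n",
        $try->[2], $try->[0], "'$try->[1]'", $ok, $binds;
}
```

The ttl value bounds how long a password that has since been changed or disabled in the directory is still accepted from the cache, so it should be chosen with the password policy in mind.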

