#3 Cannot authent to SSPI and password file in Apache 2.2

open
nobody
None
5
2008-12-08
2008-12-08
No

According to:
http://tortoisesvn.net/docs/nightly/TortoiseSVN_en/help-onepage.html#tsvn-serversetup-apache-6
it should be possible to set up Apache to authenticate to both SSPI and a password file.

I'm trying to get this working on a Windows Apache 2.2 server, but without success. SSPI works on its own, and the password file works on its own. But if I try to use both together, as described, then authenticating against the SSPI works but authenticating against the password file fails.

I'm wondering: does this solution simply not work on Apache 2.2.x due to changes to the authentication/authorization setup in Apache 2.2.x?

I'm interested to know if anyone else has tried this on Apache 2.2.x, and if you ended in success or failure.

Discussion

  • Paul Dotsenko - 2010-03-18

    I have the exact same issue you described - trying to set up both SSPI and Basic/password file authentication for Subversion on Apache 2.2.14. This setup currently works for me on Apache 2.0.58. Here is the Location configuration snippet I've tried (works on Apache 2.0.58 but not on 2.2.14):

    <Location /svn>
    DAV svn
    SVNListParentPath on
    SVNParentPath C:/svn_repository
    SSLRequireSSL

    AuthType Basic
    #AuthAuthoritative Off
    AuthName "Subversion repositories"
    AuthUserFile C:/svn_repository/password-file

    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative Off
    SSPIOfferSSPI Off
    SSPIOfferBasic On
    SSPIBasicPreferred On
    #SSPIDomain mydomain

    Require valid-user
    </Location>

    Like in your case, SSPI and password-file authentication work separately but not together. Hope this helps.

     
  • Paul Dotsenko - 2010-03-19

    I found a workaround for Apache 2.2 that worked for me, courtesy of http://krangsquared.blogspot.com/2008/02/configuring-subversion-authentication.html. The idea is defining two "Location" elements in the Apache 2.2 config - one for Windows AD authentication (for most internal svn users) and one for Basic password-file authentication (for the few external or non-Windows domain users). This essentially creates two virtual URLs to the same svn repository, allowing two distinct authentication methods - not perfect, but better than being stuck on Apache 2.0. Here is an example:

    #This Location is for Windows AD authentication only
    <Location /svn>
    DAV svn
    SVNListParentPath on
    SVNParentPath C:/svn_repository
    SSLRequireSSL

    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain somedomain

    Require valid-user
    </Location>
    #This location is for Basic password-file based authentication for external users
    <Location /svnext>
    DAV svn
    SVNListParentPath on
    SVNParentPath C:/svn_repository
    SSLRequireSSL

    AuthType Basic
    #AuthAuthoritative Off
    AuthName "Subversion repositories"
    AuthUserFile C:/svn_repository/password-file

    Require valid-user
    </Location>
    HTH
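
With the same repository reachable under two URLs, access is only as well protected as the weaker of the two blocks, and the Basic alias in particular depends on SSLRequireSSL to keep passwords off the wire. The following audit is an added example, not part of the thread or of any project's code: it finds `<Location>` blocks that serve the same repository path and reports any that lack SSLRequireSSL, an AuthType or a Require line. It assumes simple, non-nested `<Location>` blocks, and its sample configuration is constructed.

```python
import re

# Constructed sample: SSLRequireSSL deliberately omitted from /svnext.
SAMPLE_CONF = """\
<Location /svn>
SVNParentPath C:/svn_repository
SSLRequireSSL
AuthType SSPI
SSPIAuthoritative On
Require valid-user
</Location>
<Location /svnext>
SVNParentPath C:/svn_repository
AuthType Basic
AuthUserFile C:/svn_repository/password-file
Require valid-user
</Location>
"""

BLOCK_RE = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S | re.I)

def parse_locations(conf):
    """Map each <Location> URL to {directive_lower: [args, ...]}."""
    blocks = {}
    for url, body in BLOCK_RE.findall(conf):
        directives = {}
        for line in map(str.strip, body.splitlines()):
            if line and not line.startswith("#"):
                name, _, args = line.replace("\t", " ").partition(" ")
                directives.setdefault(name.lower(), []).append(args.strip())
        blocks[url] = directives
    return blocks

def audit_shared_repos(conf):
    """Flag aliases of a shared repository lacking TLS, AuthType or Require."""
    blocks = parse_locations(conf)
    by_repo = {}  # repository path (lowercased: Windows paths) -> URLs
    for url, d in blocks.items():
        for repo in d.get("svnparentpath", []) + d.get("svnpath", []):
            by_repo.setdefault(repo.lower(), []).append(url)
    findings = []
    for repo, urls in by_repo.items():
        for url in urls if len(urls) > 1 else []:
            for needed in ("sslrequiressl", "authtype", "require"):
                if needed not in blocks[url]:
                    findings.append((url, repo, "missing " + needed))
    return findings
```

Calling `audit_shared_repos(SAMPLE_CONF)` reports the `/svnext` block; run against the configuration as posted above, where both blocks carry SSLRequireSSL, it returns no findings.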

     
