Re: [modauthkerb] Apache multiauth with mod_auth_kerb
From: Bernd M. <be...@ne...> - 2013-09-02 14:27:18
Hey,

On 02.09.2013 14:45, Martin Yves wrote:
> On Mon, 2013-09-02 at 14:21 +0200, Bernd May wrote:
> As a result, I think you cannot implement a "OR" behavior. SSL
> authentication will be required in any case, as far as you use the same
> listening port for HTTPS.

I tested around with various combinations of SSLVerifyClient
(require|optional) and require (all allow|valid_user) and activated
mod_auth_kerb with AuthType Kerberos and got the following responses.

    SSLVerifyClient Optional
    AuthType Kerberos
    KrbMethodK5Passwd off
    KrbMethodNegotiate on
    require valid_user
    ...

Using an old svn 1.6.9 client I can access the repository both with and
without a client certificate as long as I have a valid kerberos ticket.

Setting _SSLVerifyClient require_ requires both ticket and cert to get
access while removing the 'require valid_user' removes mod_auth_kerb
completely from the picture, i.e. I do not even get a request for my
client kerberos ticket.

Using an svn 1.6.17 client resulted in weird ssl parsing errors (I
suspect libneon, gnutls and some other stuff),

using svn 1.7.13 worked with both kerberos ticket and ssl cert and with
kerberos ticket only

Using svn 1.8.1 client did not work with kerberos at all
(svn: E120191: Error running context: The requested authentication
type(s) are not supported)
but worked fine just with SSL client certs, though I had to remove the
'require valid_user' directive

TL;DR

SSL_Client_Cert/Kerberos Ticket
    works with svn 1.6.9 and svn 1.7.13
-/Kerberos Ticket
    works with svn 1.6.9, 1.6.16 and 1.7.13
SSL_Client_Cert/-
    works with all svn versions
    *But* only when 'require valid_user' is commented out and then
    mod_auth_kerb is not called at all even though the rest is configured

So I guess I will bury my idea of kerberos authentication for SVN until
lib_serf has developed far enough to actually support SPNEGO or I have
convinced everyone here to move to git and use gitolite :-/

thanks for the help though

--
Technische Universität Berlin - FGINET
Bernd May
System Administration
Sekr. TEL 16
Ernst-Reuter-Platz 7
10587 BERLIN
GERMANY

Mobile: 0160/90257737
E-Mail: be...@in...
WWW: inet.tu-berlin.de
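
Added example, not part of the original message: a Python sketch of how a configuration with KrbMethodNegotiate on and KrbMethodK5Passwd off can leave a client with no authentication scheme in common with the server. It assumes mod_auth_kerb then offers only a Negotiate challenge in the 401 response; the client scheme sets and the realm below are constructed sample values, not measured capabilities of any svn release.

```python
import re

# Comma that is followed by an even number of double quotes, i.e. a comma
# that is not inside a quoted string such as realm="a,b".
_UNQUOTED_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def offered_schemes(www_authenticate_values):
    """Return the auth schemes (lower-cased, in order) offered by a 401.

    Accepts one string per WWW-Authenticate header line; a line may carry
    several comma-separated challenges.
    """
    schemes = []
    for value in www_authenticate_values:
        for part in _UNQUOTED_COMMA.split(value):
            words = part.strip().split(None, 1)
            # A part that starts with a bare token opens a new challenge;
            # "name=value" parts are parameters of the previous challenge.
            if words and "=" not in words[0]:
                scheme = words[0].lower()
                if scheme not in schemes:
                    schemes.append(scheme)
    return schemes


def usable_schemes(www_authenticate_values, client_schemes):
    """Schemes both sides support; an empty list means the client cannot
    answer any challenge and has to give up with an error."""
    supported = {s.lower() for s in client_schemes}
    return [s for s in offered_schemes(www_authenticate_values) if s in supported]


if __name__ == "__main__":
    # Constructed 401 headers for the two KrbMethodK5Passwd settings.
    negotiate_only = ["Negotiate"]
    with_password_fallback = ["Negotiate", 'Basic realm="EXAMPLE.ORG"']
    # Hypothetical client capability sets (assumptions for illustration).
    spnego_client = {"Negotiate", "Basic"}
    basic_only_client = {"Basic", "Digest"}

    for name, headers in [("K5Passwd off", negotiate_only),
                          ("K5Passwd on", with_password_fallback)]:
        for cname, client in [("spnego", spnego_client),
                              ("basic-only", basic_only_client)]:
            print(name, cname, usable_schemes(headers, client) or "no common scheme")
```

Enabling the Basic fallback makes the password-only client work again, but it also means Kerberos passwords cross the connection, so it should only be considered over TLS.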