Topic: Help with Apache httpd 2.4, with Subversion and LDAP auth |
fitzgerac
Joined: 24 Jun 2013 Posts: 12
|
Posted: Wed 04 Mar '15 22:40 Post subject: Help with Apache httpd 2.4, with Subversion and LDAP auth |
|
|
Hi, I am by no means fluent in Apache admin, but I have been tasked with migrating our old subversion server (apache 2.2) to a new box.
The old server used WinXP, Apache 2.2, Subversion 1.6.5, and the mod_auth_sspi.so module to provide LDAP authentication.
For the new box, I started with Win2K8R2, then installed the Bitnami Subversion stack (Apache 2.4, SVN 1.8). This worked great for getting SVN up and running, but I just can't seem to get LDAP authentication for SVN client access working.
The old server used this config to enable SSPI:
Code: |
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule dav_module modules/mod_dav.so
<Location /svn>
DAV svn
SVNParentPath D:\svnrepos
# authentication
AuthName "WCB Subversion Authentication"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain MYDOMAIN
SSPIOmitDomain on
SSPIUsernameCase lower
SSPIOfferBasic On
# If enabled stops correct userid in Author keyword and log history
Require valid-user
AuthzSVNAccessFile D:\Software\httpd-apache2.2.14\conf\svn-users.conf
</Location>
|
We were able to use the referenced svn-users.conf file to control access to different parts of the various svn repos.
However, I have since discovered that the mod_auth_sspi.so module is not compatible with Apache 2.4, but I found a new module mod_authnz_sspi.so that is supposed to work with 2.4. I am using the following config for the new SSPI module:
Code: |
<Location /svn>
DAV svn
SVNParentPath "D:\svnrepos"
SVNListParentPath On # <--- Add this line to enable listing of all repos
</Location>
<Directory D:/svnrepos>
Options None
AllowOverride All
Order allow,deny
Allow from all
# authentication
<IfModule authnz_sspi_module>
AuthName "WCB Subversion Authentication"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain MYDOMAIN
SSPIOmitDomain on
SSPIUsernameCase lower
SSPIOfferBasic On
SSPIBasicPreferred On
# If enabled stops correct userid in Author keyword and log history
#Require valid-user
AuthzSVNAccessFile D:\subversion-1.8.10-0\apache2\conf\svn-users.conf
<RequireAll>
<RequireAny>
Require valid-sspi-user
#Require valid-user
</RequireAny>
<RequireNone>
Require user "ANONYMOUS LOGON"
</RequireNone>
</RequireAll>
</IfModule>
</Directory>
|
But the LDAP authentication is never prompted for, and any user seems to be able to traverse the entire repository.
Any help or advice out there? Thanks!
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
fitzgerac
Joined: 24 Jun 2013 Posts: 12
|
Posted: Mon 16 Mar '15 17:31 Post subject: |
|
|
Thank you. Yes, I was able to get AD authentication working with Subversion and the default modules.
cdarun2005
Joined: 16 Nov 2015 Posts: 3
|
Posted: Mon 16 Nov '15 8:52 Post subject: Help with Apache httpd 2.4, with Subversion and LDAP auth |
|
|
Hi,
I am also facing the same issue. After adding the below configuration to the httpd.conf file (Apache 2.4.x server), everyone is able to access the SVN repository. Please let us know what settings are needed to restrict users from accessing the SVN repository.
<Location /svn>
DAV svn
SVNParentPath "D:\svnrepos"
SVNListParentPath On # <--- Add this line to enable listing of all repos
</Location>
<Directory D:/svnrepos>
Options None
AllowOverride All
Order allow,deny
Allow from all
# authentication
<IfModule authnz_sspi_module>
AuthName "WCB Subversion Authentication"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain MYDOMAIN
SSPIOmitDomain on
SSPIUsernameCase lower
SSPIOfferBasic On
SSPIBasicPreferred On
# If enabled stops correct userid in Author keyword and log history
#Require valid-user
AuthzSVNAccessFile D:\subversion-1.8.10-0\apache2\conf\svn-users.conf
<RequireAll>
<RequireAny>
Require valid-sspi-user
#Require valid-user
</RequireAny>
<RequireNone>
Require user "ANONYMOUS LOGON"
</RequireNone>
</RequireAll>
</IfModule>
</Directory>
Thanks,
Arun.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Mon 16 Nov '15 18:49 Post subject: |
|
|
As said above, SSPI doesn't work with 2.4.x.
You need mod_authn_ntlm.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Mon 16 Nov '15 21:30 Post subject: |
|
|
mod_authnz_sspi is for 2.4.
I think the problem is the
Order allow,deny
Allow from all
You should not use both 2.2 and 2.4 style together and even then there's an assumed Require any.
I would imagine if the module was not loaded you would not want it to allow all anyway.
Try getting rid of the stuff in red above (right under the <Directory>), restart Apache and test.
|
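As an added illustration (not part of any post in this thread, and not Apache Lounge or Subversion code), this Python check scans a config for the two things visible in the configs posted above: 2.2-style `Order`/`Allow` mixed with 2.4-style `Require` in one section, and a `DAV svn` section that carries no `AuthType` or `Require`. The second check is an assumption drawn from the working 2.2 config in the first post, where authentication sat in the same `<Location /svn>` as `DAV svn`; the function names and the abridged sample are constructed for the example.

```python
import re

# Constructed sample: abridged from the config posted in this thread.
THREAD_CONF = r"""
<Location /svn>
DAV svn
SVNParentPath "D:\svnrepos"
</Location>
<Directory D:/svnrepos>
Order allow,deny
Allow from all
AuthType SSPI
<RequireAll>
Require valid-sspi-user
</RequireAll>
</Directory>
"""

LEGACY = {"order", "allow", "deny", "satisfy"}  # 2.2-style access control
SCOPES = {"location", "directory"}              # containers this check inspects

def sections(conf):
    """Return [(kind, argument, [directives])] for each scope container."""
    found, current = [], None
    for line in (l.strip() for l in conf.splitlines()):
        tag = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if tag and tag.group(2).lower() in SCOPES:
            if tag.group(1):
                current = None  # closing tag ends the scope
            else:
                current = (tag.group(2).lower(), tag.group(3).strip('"'), [])
                found.append(current)
        elif current and line and not line.startswith(("#", "<")):
            # Keep the directive name and first argument, lower-cased.
            current[2].append(" ".join(line.lower().split()[:2]))
    return found

def lint(conf):
    """Return findings as (scope argument, message) tuples."""
    findings = []
    for kind, arg, directives in sections(conf):
        names = {d.split()[0] for d in directives}
        if names & LEGACY and "require" in names:
            findings.append((arg, "mixes 2.2 Order/Allow with 2.4 Require"))
        # Assumption: auth belongs beside "DAV svn", as in the 2.2 config above.
        if "dav svn" in directives and not names & {"authtype", "require"}:
            findings.append((arg, "DAV svn scope has no AuthType or Require"))
    return findings

if __name__ == "__main__":
    print(*lint(THREAD_CONF), sep="\n")
```

Nested containers such as `<RequireAll>` or `<IfModule>` are treated as part of the enclosing `<Location>` or `<Directory>`, so a `Require` inside them still counts for that section.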
cdarun2005
Joined: 16 Nov 2015 Posts: 3
|
Posted: Wed 25 Nov '15 11:47 Post subject: |
|
|
mod note: merged several questions / replies
Hi,
I am still facing the same issue. After removing the below entry, I am not able to restrict the SVN repository access.
Order allow,deny
Allow from all
Thanks
Arun.
---
fitzgerac wrote: | Thank you. Yes I was able to get AD authentication working with Subversion and the default modules |
Can you please share with me the modules for Subversion with AD?
---
Hi,
Can you share with me the code for NTLM?
Arun.
cdarun2005
Joined: 16 Nov 2015 Posts: 3
|
Posted: Mon 30 Nov '15 9:21 Post subject: |
|
|
Any updates?