Help with Apache httpd 2.4, with Subversion and LDAP auth

 
fitzgerac



Joined: 24 Jun 2013
Posts: 12

Posted: Wed 04 Mar '15 22:40    Post subject: Help with Apache httpd 2.4, with Subversion and LDAP auth

Hi, I am by no means fluent in Apache admin, but I have been tasked with migrating our old Subversion server (Apache 2.2) to a new box.

The old server used WinXP, Apache 2.2, Subversion 1.6.5, and the mod_auth_sspi.so module to provide LDAP authentication.

For the new box, I started with Win2K8R2, then installed the Bitnami Subversion stack (Apache 2.4, SVN 1.8). This worked great for getting SVN up and running, but I just can't seem to get LDAP authentication for SVN client access working.

The old server used this config to enable SSPI:
Code:

LoadModule sspi_auth_module   modules/mod_auth_sspi.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule dav_module modules/mod_dav.so

<Location /svn>
   DAV svn
   SVNParentPath D:\svnrepos
   
   # authentication
   AuthName "WCB Subversion Authentication"
   AuthType SSPI
   SSPIAuth On
   SSPIAuthoritative On
   SSPIDomain MYDOMAIN
   SSPIOmitDomain on
   SSPIUsernameCase   lower
   SSPIOfferBasic On
   # If enabled stops correct userid in Author keyword and log history
   Require valid-user
   AuthzSVNAccessFile D:\Software\httpd-apache2.2.14\conf\svn-users.conf       
</Location>


We were able to use the referenced svn-users.conf file to control access to different parts of the various svn repos.

However, I have since discovered that the mod_auth_sspi.so module is not compatible with Apache 2.4, but I found a new module mod_authnz_sspi.so that is supposed to work with 2.4. I am using the following config for the new SSPI module:
Code:

<Location /svn>
   DAV svn
   SVNParentPath "D:\svnrepos"
   SVNListParentPath On    #  <--- Add this line to enable listing of all repos
</Location>

<Directory D:/svnrepos>
   Options None
   AllowOverride All
   Order allow,deny
   Allow from all
   # authentication
   <IfModule authnz_sspi_module>
      AuthName "WCB Subversion Authentication"
      AuthType SSPI
      SSPIAuth On
      SSPIAuthoritative On
      SSPIDomain MYDOMAIN
      SSPIOmitDomain on
      SSPIUsernameCase   lower
      SSPIOfferBasic On
      SSPIBasicPreferred On
      # If enabled stops correct userid in Author keyword and log history
      #Require valid-user
      AuthzSVNAccessFile D:\subversion-1.8.10-0\apache2\conf\svn-users.conf
      <RequireAll>
         <RequireAny>
            Require valid-sspi-user
            #Require valid-user
         </RequireAny>
         <RequireNone>
            Require user "ANONYMOUS LOGON"
         </RequireNone>
      </RequireAll>
   </IfModule>
</Directory>


But the LDAP authentication is never prompted for, and any user seems to be able to traverse the entire repository.

Any help or advice out there? Thanks!
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

Posted: Mon 16 Mar '15 12:19

For Apache 2.4 you need to use mod_authn_ntlm [1] instead of SSPI.



[1] https://github.com/YvesR/mod_authn_ntlm
fitzgerac



Joined: 24 Jun 2013
Posts: 12

Posted: Mon 16 Mar '15 17:31

Thank you. Yes, I was able to get AD authentication working with Subversion and the default modules.
cdarun2005



Joined: 16 Nov 2015
Posts: 3

Posted: Mon 16 Nov '15 8:52    Post subject: Help with Apache httpd 2.4, with Subversion and LDAP auth

Hi,

I am also facing the same issue. After adding the below configuration to the httpd.conf file (Apache 2.4.x server), everyone is able to access the SVN repository. Please let us know what settings are needed to restrict users from accessing the SVN repository.


<Location /svn>
   DAV svn
   SVNParentPath "D:\svnrepos"
   SVNListParentPath On # <--- Add this line to enable listing of all repos
</Location>

<Directory D:/svnrepos>
   Options None
   AllowOverride All
   Order allow,deny
   Allow from all
   # authentication
   <IfModule authnz_sspi_module>
      AuthName "WCB Subversion Authentication"
      AuthType SSPI
      SSPIAuth On
      SSPIAuthoritative On
      SSPIDomain MYDOMAIN
      SSPIOmitDomain on
      SSPIUsernameCase lower
      SSPIOfferBasic On
      SSPIBasicPreferred On
      # If enabled stops correct userid in Author keyword and log history
      #Require valid-user
      AuthzSVNAccessFile D:\subversion-1.8.10-0\apache2\conf\svn-users.conf
      <RequireAll>
         <RequireAny>
            Require valid-sspi-user
            #Require valid-user
         </RequireAny>
         <RequireNone>
            Require user "ANONYMOUS LOGON"
         </RequireNone>
      </RequireAll>
   </IfModule>
</Directory>


Thanks
Arun.
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

Posted: Mon 16 Nov '15 18:49

As said above, SSPI doesn't work with 2.4.x.

You need mod_authn_ntlm.
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

Posted: Mon 16 Nov '15 21:30

mod_authnz_sspi is for 2.4.

I think the problem is the
Order allow,deny
Allow from all


You should not use both 2.2 and 2.4 style together and even then there's an assumed Require any.

I would imagine if the module was not loaded you would not want it to allow all anyway.

Try getting rid of the stuff in red above (right under the <Directory>), restart Apache and test.
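
Added example, not taken from any post in this thread: the old server's working Location block carried over to Apache 2.4 with mod_authnz_sspi, applying the points in the reply above (no Order/Allow lines, no IfModule wrapper around the authentication). It goes one step past that reply by keeping authentication inside the /svn Location as the 2.2 config did, because Directory sections only match filesystem paths that httpd maps itself, while requests under /svn are answered by mod_dav_svn. The LoadModule line and the forward-slash paths are assumptions about the new box; the DAV and SVN modules are assumed to be loaded already by the stack.

```apache
# Added example, not a configuration posted in the thread.
# Realm, domain and paths are the ones from the posted configs.

# Assumption: the module file sits in the default modules directory.
LoadModule authnz_sspi_module modules/mod_authnz_sspi.so

<Location /svn>
    DAV svn
    SVNParentPath "D:/svnrepos"
    # Lists all repositories under the parent path.
    SVNListParentPath On

    # Authentication. No <IfModule> wrapper: if mod_authnz_sspi is not
    # loaded, httpd refuses to start instead of serving /svn unauthenticated.
    AuthName "WCB Subversion Authentication"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain MYDOMAIN
    SSPIOmitDomain On
    SSPIUsernameCase lower
    # Basic sends the password with every request, so serve /svn over TLS
    # when this stays on.
    SSPIOfferBasic On

    # Authorization, 2.4 style only: no Order/Allow/Deny in this section.
    AuthzSVNAccessFile "D:/subversion-1.8.10-0/apache2/conf/svn-users.conf"
    <RequireAll>
        Require valid-sspi-user
        <RequireNone>
            Require user "ANONYMOUS LOGON"
        </RequireNone>
    </RequireAll>
</Location>
```

After a restart, a request to /svn without credentials should come back as 401 with a WWW-Authenticate header. A 200 means the access-control block is still not being applied to the location.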
cdarun2005



Joined: 16 Nov 2015
Posts: 3

Posted: Wed 25 Nov '15 11:47

mod note: merged several questions / replies

Hi,

I am still facing the same issue. After removing the below entry, I am not able to restrict the SVN repository access.


Order allow,deny
Allow from all


Thanks
Arun.

---

fitzgerac wrote:
Thank you. Yes I was able to get AD authentication working with Subversion and the default modules


Can you please share the modules for Subversion with AD?

---

Hi,

Can you share the code for NTLM?


Arun.
cdarun2005



Joined: 16 Nov 2015
Posts: 3

Posted: Mon 30 Nov '15 9:21

Any updates?