On 10/21/07, Joshua Slive <joshua@xxxxxxxx> wrote: > On 10/20/07, Thomas Fazekas <thomas.fazekas@xxxxxxxxx> wrote: > > In coclusion, svn with NTLM authentication doesn't work... > > My problem is that I can't see any other solution how to bring together > > a linux based apache/svn with our NT4 based domain :( > > > > For the time being I'm just gonna go with win based NT server, it > > is dissapointing though that I didn't get any reply from the svn mailing list... > > If all you need is to share the user/password database, then the > standard solution is use ldap access to the NT domain info. I've never > done it myself, but I believe lots of people have success with this. I've set up an apache/svn server that authenticates against an AD server, but I didn't use the standard way with mod_auth_ldap. The problems with using mod_auth_ldap are: - AD normally does not allow anonymous binds, so you need a BindDN for your apache server. An other problem was our security policy, that requires passwords to be changed every month. - Subversion over http is not very efficient. A lot of seperate requests are generated for each subversion action. Basically subversion uses dozens of "PROPFIND" requests to figure out the properties of a file, and each of these requests gets authenticated. As LDAP binds aren't very fast our SVN server wasn't excrutciatingly slow when using ldap authentication. My solution was to use mod_perl (which I allready use for webserver configuration) and extend the authentication mechanism using perl modules. One of the interesting feature of perl authentication handlers is that you can stack them. This allows you to cache authentication requests, and this speeds up the server massively. To explain this, let me just show you haw it looks in my config file: AuthType Basic AuthName "SVNServer" PerlAuthenHandler Apache2::AuthenDBMCache Apache2::AuthenMSAD PerlSetVar MSADDomain ads.foo.com PerlSetVar MSADServer dc.ads.foo.com require valid-user require user joe mary tom For this to work you need to have an apache server configured for mod_perl, and the Apache2::AuthenDBMCache and Apache2::AuthenMSAD modules. You can find these on CPAN. The Apache2::AuthenMSAD uses a feature of MS Active Directory: You can bind with a DN of <user>@<domain>. With this you can set up AD authentication for your apache server without needing an BindDN for your apache server itself. The Apache2::AuthenDBMCache modules caches the authentication info, so that not every request requires a connection with the AD server. This has made my SVN server a lot faster. This works for me. More info about these modules can be found in CPAN. Krist -- krist.vanbesien@xxxxxxxxx krist@xxxxxxxxxxxxx Bremgarten b. Bern, Switzerland -- A: It reverses the normal flow of conversation. Q: What's wrong with top-posting? A: Top-posting. Q: What's the biggest scourge on plain text email discussions? --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|