svn access via apache with ntlm authentication

on 17.10.2007 20:55:59 by Thomas Fazekas

My setup :

Debian Etch i386

httpd-2.0.61 configured with the following command:
"./configure --prefix=/opt/httpd-2.0.61 --with-mpm=worker --enable-so --enable-dav=shared --enable-unique-id=shared --enable-version=shared --enable-ssl=shared --enable-info=shared --enable-cgi=shared --enable-rewrite=shared --enable-cache=shared --enable-disk-cache=shared --enable-deflate=shared"

subversion-1.4.5 configured with the following:
"./configure --prefix=/opt/subversion-1.4.5 --with-apr=/opt/httpd-2.0.61 --with-apr-util=/opt/httpd-2.0.61 --with-apxs=/opt/httpd-2.0.61/bin/apxs"

mod_auth_ntlm_winbind, AFAIK the latest version, compiled with
"/opt/httpd-2.0.61/bin/apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c"

Now, AFAICT, everything is working well... separately!
Apache serves documents, and
svn works for anonymous access with the following config:


DAV svn
SVNPath /mnt/data/rep/svn


I can check out projects from the repository

Then I've tested the NTLM authentication with

Alias /ntlmtest/ "/mnt/data/docuwiki/"

AuthName "NTLM Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user


This works just fine: the browser prompts for the username and
password, and NTLM authenticates against our PDC.

Now my problem is with the svn + NTLM combination.
If I have in my httpd.conf

DAV svn
SVNPath /mnt/data/rep/svn
AuthName "NTLM Authentication"
AuthType NTLM
NTLMAuth on
NTLMBasicAuthoritative on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
require valid-user


and I do "svn co http://svnhost/svn/repos/test",
it seems to me that the apache server doesn't even bother calling the
ntlm_winbind module for authentication...
There are no logs or any trace of related messages, and all I get is
svn: PROPFIND request failed on '/svn/repos/test'
svn: PROPFIND of '/svn/repos/test': authorization failed (http://svnhost)
at the client side.

Any ideas?

Thomas

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: svn access via apache with ntlm authentication

on 18.10.2007 10:32:46 by Krist van Besien

On 10/17/07, Thomas Fazekas wrote:

> and I do "svn co http://svnhost/svn/repos/test" ,
> it seems to me that the apache server doesn't even bother calling the
> ntlm_winbind module for authentication...
> There are no logs or any trace of related messages and all I get is
> svn: PROPFIND request failed on '/svn/repos/test'
> svn: PROPFIND of '/svn/repos/test': authorization failed (http://svnhost)
> at the client side.
>
> Any ideas ?

NTLM authentication must be supported by the client. The current
version of Neon (the http library used in the command line subversion
client) only supports basic authentication.

Maybe you need to add:
NTLMBasicAuth on
NTLMBasicRealm "SVN authentication"

so that clients that don't support NTLM are also supported.
However, I don't know if this will work. I recently set up an apache+svn
server myself, where users are authenticated against an AD server, but
went a different route to achieve this.

Krist

--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?


Re: svn access via apache with ntlm authentication

on 18.10.2007 15:26:55 by Joshua Slive

On 10/18/07, Krist van Besien wrote:
> The current
> version of Neon (the http library used in the command line subversion
> client) only supports basic authentication.

That's not true. Neon supports digest and a couple others as well. I'm
not sure if they are supported via subversion, however.

Joshua.


Re: svn access via apache with ntlm authentication

on 18.10.2007 18:27:40 by Krist van Besien

On 10/18/07, Joshua Slive wrote:
> On 10/18/07, Krist van Besien wrote:
> > The current
> > version of Neon (the http library used in the command line subversion
> > client) only supports basic authentication.
>
> That's not true. Neon supports digest and a couple others as well. I'm
> not sure if they are supported via subversion, however.

According to the subversion site the svn command line client only
supports basic authentication. I didn't check the neon project itself.

Krist



Re: svn access via apache with ntlm authentication

on 20.10.2007 20:09:14 by Thomas Fazekas

In conclusion, svn with NTLM authentication doesn't work...
My problem is that I can't see any other solution for bringing together
a linux based apache/svn with our NT4 based domain :(

For the time being I'm just gonna go with a win based NT server; it
is disappointing though that I didn't get any reply from the svn mailing list...

Thomas



Re: svn access via apache with ntlm authentication

on 21.10.2007 02:19:33 by Joshua Slive

On 10/20/07, Thomas Fazekas wrote:
> In conclusion, svn with NTLM authentication doesn't work...
> My problem is that I can't see any other solution for bringing together
> a linux based apache/svn with our NT4 based domain :(
>
> For the time being I'm just gonna go with a win based NT server; it
> is disappointing though that I didn't get any reply from the svn mailing list...

If all you need is to share the user/password database, then the
standard solution is to use LDAP access to the NT domain info. I've never
done it myself, but I believe lots of people have success with this.

If you really want to use the tricky single sign-on stuff, then you
are out of luck. But in general, NTLM doesn't work very well over HTTP
in any case, because its basic assumptions conflict with the
stateless nature of the protocol.

Joshua.


Re: svn access via apache with ntlm authentication

on 21.10.2007 15:58:05 by Krist van Besien

On 10/21/07, Joshua Slive wrote:
> On 10/20/07, Thomas Fazekas wrote:
> > In conclusion, svn with NTLM authentication doesn't work...
> > My problem is that I can't see any other solution for bringing together
> > a linux based apache/svn with our NT4 based domain :(
> >
> > For the time being I'm just gonna go with a win based NT server; it
> > is disappointing though that I didn't get any reply from the svn mailing list...
>
> If all you need is to share the user/password database, then the
> standard solution is use ldap access to the NT domain info. I've never
> done it myself, but I believe lots of people have success with this.

I've set up an apache/svn server that authenticates against an AD
server, but I didn't use the standard way with mod_auth_ldap.

The problems with using mod_auth_ldap are:
- AD normally does not allow anonymous binds, so you need a BindDN for
your apache server. Another problem was our security policy, which
requires passwords to be changed every month.
- Subversion over http is not very efficient. A lot of separate
requests are generated for each subversion action. Basically
subversion uses dozens of "PROPFIND" requests to figure out the
properties of a file, and each of these requests gets authenticated.
As LDAP binds aren't very fast, our SVN server wasn't excruciatingly
slow when using ldap authentication.

My solution was to use mod_perl (which I already use for webserver
configuration) and extend the authentication mechanism using perl
modules.

One of the interesting features of perl authentication handlers is that
you can stack them. This allows you to cache authentication requests,
and this speeds up the server massively.


To explain this, let me just show you how it looks in my config file:

AuthType Basic
AuthName "SVNServer"
PerlAuthenHandler Apache2::AuthenDBMCache Apache2::AuthenMSAD

PerlSetVar MSADDomain ads.foo.com
PerlSetVar MSADServer dc.ads.foo.com

require valid-user
require user joe mary tom

For this to work you need to have an apache server configured for
mod_perl, and the Apache2::AuthenDBMCache and Apache2::AuthenMSAD
modules. You can find these on CPAN.

The Apache2::AuthenMSAD module uses a feature of MS Active Directory: you can
bind with a DN of @. With this you can set up AD
authentication for your apache server without needing a BindDN for
your apache server itself.
The Apache2::AuthenDBMCache module caches the authentication info, so
that not every request requires a connection with the AD server. This
has made my SVN server a lot faster.

This works for me. More info about these modules can be found in CPAN.

Krist



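The stacked handler idea above (a cache in front of a slow directory bind, so that the dozens of PROPFIND requests in one checkout do not each cost a bind) as an added Python model; it is not the Perl modules from the post and not code from this thread. The user table, the bind counter and the PBKDF2 parameters are constructed stand-ins; the point is what a safe cache entry stores (a salted hash, never the password, with a TTL) and which outcomes it refuses to cache.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for the directory: a user table plus a counter so the
# number of "binds" each access pattern costs is visible.
BACKEND_USERS = {"joe": "S3cret!", "mary": "pa55word"}
BIND_CALLS = {"count": 0}

def backend_bind(user: str, password: str) -> bool:
    """Stand-in for the slow path (one directory bind per call)."""
    BIND_CALLS["count"] += 1
    expected = BACKEND_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

class AuthCache:
    """Stand-in for a caching authen handler: remembers successful results only.

    Only a salted hash of the password is stored, so a leaked cache file does
    not leak credentials, and the TTL bounds how long a changed or revoked
    password is still accepted by the web server.
    """
    def __init__(self, ttl_seconds: float, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries: dict[str, tuple[bytes, bytes, float]] = {}  # user -> (salt, digest, expiry)

    def _digest(self, salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def authenticate(self, user: str, password: str) -> bool:
        now = self.clock()
        entry = self._entries.get(user)
        if entry is not None:
            salt, digest, expiry = entry
            if now < expiry and hmac.compare_digest(digest, self._digest(salt, password)):
                return True              # cache hit: no bind needed
            if now >= expiry:
                del self._entries[user]  # expired: fall through to the backend
        # Miss, expiry or wrong password: ask the backend. Failures are never
        # cached, so a wrong guess cannot poison the entry of the real user.
        if not backend_bind(user, password):
            return False
        salt = os.urandom(16)
        self._entries[user] = (salt, self._digest(salt, password), now + self.ttl)
        return True

def simulate_checkout(cache: AuthCache, user: str, password: str, propfinds: int) -> int:
    """Authenticate `propfinds` requests of one checkout; return binds performed."""
    before = BIND_CALLS["count"]
    for _ in range(propfinds):
        cache.authenticate(user, password)
    return BIND_CALLS["count"] - before
```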


Re: svn access via apache with ntlm authentication

on 22.10.2007 19:46:53 by Thomas Fazekas

Thanks for all the hints; finally I got it working with LDAP authentication.
For now I'm happy with that, although it does indeed seem a bit slow...

For future reference, here is my config (although it is straightforward and can
be found on many web resources)


# Enable Subversion
DAV svn
SVNPath /mnt/data/rep/svn

# LDAP Authentication & Authorization is final; do not check other databases
AuthLDAPAuthoritative on

# Do basic password authentication in the clear
AuthType Basic

# The name of the protected area or "realm"
AuthName "domain authentication"

# Active Directory requires an authenticating DN to access records
# This is the DN used to bind to the directory service
# This is an Active Directory user account
AuthLDAPBindDN "CN=someuser,CN=Users,DC=your,DC=domain"

# This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword xxxx

# The LDAP query URL
# Format: scheme://host:port/basedn?attribute?scope?filter
# The URL below will search for all objects recursively below the basedn
# and validate against the sAMAccountName attribute
AuthLDAPURL "ldap://pdc:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"

# Require authentication for this Location
Require valid-user


Thomas

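A checker for the AuthLDAPURL line in the config above, added here as an example and not part of the thread: it splits the URL the way the comment's format string describes (scheme://host:port/basedn?attribute?scope?filter), fills in mod_auth_ldap's documented defaults for omitted parts, rejects whitespace inside the attribute or filter (the kind of error a line wrap such as "(object Class=*)" produces), and warns when a plain ldap:// URL sends the bind password and every user's password unencrypted. The helper names are my own.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote

@dataclass
class LdapAuthUrl:
    scheme: str
    host: str
    port: int
    basedn: str
    attribute: str
    scope: str
    filter: str
    warnings: list[str] = field(default_factory=list)

def _check_no_space(kind: str, value: str) -> None:
    # LDAP attribute names and filters never contain whitespace; a space here
    # almost always means a line wrap or copy-paste error in httpd.conf.
    if any(ch.isspace() for ch in value):
        raise ValueError(f"{kind} {value!r} contains whitespace")

def parse_auth_ldap_url(url: str) -> LdapAuthUrl:
    """Parse scheme://host:port/basedn?attribute?scope?filter (AuthLDAPURL).

    Empty parts take mod_auth_ldap's documented defaults: attribute uid,
    scope sub, filter (objectclass=*). Raises ValueError for anything
    httpd would reject; softer issues are collected in .warnings.
    """
    if "://" not in url:
        raise ValueError("missing scheme")
    scheme, rest = url.split("://", 1)
    scheme = scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {scheme!r}")
    hostport, _, tail = rest.partition("/")
    host, _, port_s = hostport.partition(":")
    if not host:
        raise ValueError("missing host")
    port = int(port_s) if port_s else (636 if scheme == "ldaps" else 389)
    # httpd splits the remainder on '?' itself; this is not an ordinary URL query.
    parts = (tail.split("?") + ["", "", ""])[:4]
    basedn = unquote(parts[0])
    attribute = parts[1] or "uid"
    scope = parts[2].lower() or "sub"
    filt = parts[3] or "(objectclass=*)"
    _check_no_space("attribute", attribute)
    _check_no_space("filter", filt)
    if scope not in ("one", "sub"):
        raise ValueError(f"scope must be 'one' or 'sub', got {scope!r}")
    if filt.count("(") != filt.count(")"):
        raise ValueError(f"unbalanced parentheses in filter {filt!r}")
    result = LdapAuthUrl(scheme, host, port, basedn, attribute, scope, filt)
    if scheme == "ldap":
        result.warnings.append("plain ldap://: the bind DN password and every "
                               "user's password cross the network unencrypted")
    if not basedn:
        result.warnings.append("empty base DN: the search starts at the root")
    return result
```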
