We run Subversion for source control at work, with Apache2, and we use mod_auth_sspi to allow developers to authenticate to Subversion with their Windows username and password. However, we’ve got more than one domain at work, and so we need SSPI to allow you to authenticate with your Windows username and password whichever domain you’re in. The relevant stanza of httpd.conf, to authenticate against multiple NT/2003 domains, looks like this:
<Location /svn>
DAV svn
SVNParentPath e:\svn
#
AuthName "Subversion repositories"
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
AuthAuthoritative Off # multiple authorities
#
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain domain_controller_for_first_domain
SSPIOfferBasic On
#
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain domain_controller_for_second_domain
SSPIOfferBasic On
#
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain domain_controller_for_third_domain
SSPIOfferBasic On
</Location>
Presumably this allows you to specify DOMAIN\Username, or Username@DOMAIN, as the username field, for multiple domains?
Posted by the_angry_angel on June 7th, 2006.
the_angry_angel: it does indeed.
Posted by sil on June 7th, 2006.
Ah, very cool. This maybe worth implementing over here :D
Posted by the_angry_angel on June 7th, 2006.
Excellent, Thanks for figuring that out.
While we’re sharing info, I also use this directive: “SSPIOmitDomain On” so that the “@domain” doesn’t show up in the svn logs for the author.
Now I only wish we could easily map usernames from the Active Directory user names to something more legible. Here at this client their usernames are in the format “nm######”. I wish we could have a directive that tells SVN to use the account’s real name, or some other identifier for logging purposes.
Posted by Kianoosh on August 7th, 2006.