Your problem is with Crowd, not authz. Authentication is failing: "Could not authenticate to server: rejected Basic challenge (https://dev.host.net)"
Check your Crowd configuration/documentation. I'd suggest taking SVN out of the equation and verifying that your integration with Crowd is working first.

Cheers,
Rob

On Sat, Jan 9, 2010 at 1:19 AM, Brian Topping <topp...@codehaus.org> wrote:
> Hello all,
>
> I've been wrestling with getting authz set up in a way that must be somewhat unconventional all week and was hoping someone here on the list might be able to offer some insight. The environment is Apache httpd 2.2.3, mod_dav_svn 1.6.6, and Subversion 1.6.6. My configs follow.
>
> So far, most of the docs that I've seen on authz start by granting read access to everyone at the root of the tree, then subtracting authorizations to specific sensitive directories. My concern with this is that this allows people to lazily create directories without considering that they might be granting access to any valid user.
>
> Instead, I would like to configure path-based access to deny access to all non-root directories, then rely on specific grants to individual directories based on group.
>
> I have groups working fine, but as soon as I lock down the root directory, my svn client gets the following problem:
>
> Username: svn: PROPFIND of '/repos/project/!svn/vcc/default': authorization failed: Could not authenticate to server: rejected Basic challenge (https://dev.host.net)
>
> I understand about the metadata located at !svn. So I added:
>
> [/project/!svn]
> * = r
>
> But this doesn't seem to do anything. I still get the first error.
>
> Is there a way to do what I am trying to do?
>
> I have exhaustively tested that the AuthHandler is asking the right questions of the authentication broker and is able to recover the correct user and group mappings.
>
> Note that I am using Atlassian's Crowd-based auth. This is a fork of standard authz to patch Crowd users and groups in, but it would be easy for me to convert to direct LDAP if necessary.
>
> /etc/httpd/conf.d/subversion.conf:
>
> <Location /repos>
>
>     LoadModule perl_module modules/mod_perl.so
>     LoadModule dav_svn_module modules/mod_dav_svn.so
>
>     # Uncomment this to enable the repository
>     DAV svn
>
>     # Set this to the path to your repository
>     SVNParentPath /var/www/svn/
>
>     SSLRequireSSL
>
>     AuthName crowd
>     AuthType Basic
>
>     PerlAuthenHandler Apache::CrowdAuth
>     PerlSetVar CrowdAppName subversion
>     PerlSetVar CrowdAppPassword xxx
>     PerlSetVar CrowdSOAPURL https://dev.host.net/crowd/services/SecurityServer
>
>     PerlAuthzHandler Apache::CrowdAuthz
>     PerlSetVar CrowdAuthzSVNAccessFile /var/www/svn/access
>
>     require valid-user
>
> </Location>
>
> /var/www/svn/access
>
> [/project/!svn]
> * = r
>
> [/project/trunk/project-web]
> @project-web-developer = rw
>
> Cheers, Brian
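
An added example, not part of the original thread and not the code of Apache::CrowdAuthz: a small Python model of the deny-by-default layout described in the quoted message, assuming stock Subversion path-based authorization semantics (the nearest section that names the user decides; no matching rule means no access). The `[groups]` section, the `[/]` rule and the user names are constructed for illustration, and the model covers authorization only, not the authentication step.

```python
import configparser

# Constructed sample in the shape of the access file quoted above, with an
# explicit root lock-down and a [groups] section added for illustration.
SAMPLE_ACCESS = """
[groups]
project-web-developer = alice, bob

[/]
* =

[/project/trunk/project-web]
@project-web-developer = rw
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        groups = {g: {m.strip() for m in v.split(",") if m.strip()}
                  for g, v in cp["groups"].items()}
    rules = {s: dict(cp[s]) for s in cp.sections() if s.startswith("/")}
    return groups, rules

def matches(principal, user, groups):
    if principal == "*":
        return True
    if principal.startswith("@"):
        return user in groups.get(principal[1:], set())
    return principal == user

def allowed(text, user, path, need="r"):
    """Walk from path up to /; the nearest section naming the user decides."""
    groups, rules = load(text)
    path = "/" + path.strip("/")
    while True:
        hits = [perms for who, perms in rules.get(path, {}).items()
                if matches(who, user, groups)]
        if hits:
            return any(need in perms for perms in hits)
        if path == "/":
            return False  # no rule anywhere: deny by default
        path = path.rsplit("/", 1)[0] or "/"

def wildcard_grants(text):
    """Sections that give every authenticated user some access."""
    _, rules = load(text)
    return sorted(s for s, r in rules.items() if r.get("*", "").strip())
```

`wildcard_grants` is the audit for the concern raised in the message: it lists every section where `*` receives a non-empty permission, so a lazily added open directory shows up in review.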