> -----Original Message-----
> From: Itamar O [mailto:itamar...@gmail.com]
> Sent: 23 July 2010 09:26
> To: users
> Subject: Subversion authentication with SSPI
>
> Hi list,
>
> I am currently successfully using mod_sspi to authenticate
> users against our domain controller (everything is Windows here).
> After authentication, Apache passes the sAMAccountName to
> mod_dav_svn as the user name,
> and this is the name that I use for authorization and the
> name that appears in the logs.
>
> Our IT department is planning to change the sAMAccountName
> for all users according to a new policy -
> instead of a short name (like ItamarO) it will be the
> employer serial number.
> The old short name will still be accessible via another AD
> field (mailNickname).
>
> My question is whether there's a way to tell Subversion to
> query the AD server and use the name from mailNickname,
> instead of using whatever mod_sspi passes on.
> Alternatively, configuring mod_sspi to send mailNickname
> instead of sAMAccountName should also do the trick,
> so either solution is acceptable.
>
> (env info: Subversion 1.6.12, Apache 2.2.15, mod_sspi 1.0.4)
>
> Any ideas?
> Thanks,
> Itamar.
>

I think your options currently are:

1/ rebuild sspi to do what you want (it needs a new maintainer anyway!)
2/ switch to the full-blown LDAP plugin.

I have shied away from (2) because (1) works ok and I've not managed to work out what all the bits should be to even authenticate to our AD server *sigh*

If anyone knows of a good primer to getting into all this DC= stuff and how to work out what it should be when your local admins don't know, I would love to read it.

~ mark c