Hi!
I tried to setup apache-2.4 + subversion-1.9.0 + mod_authn_ntlm on Windows to
implement a subversion server with single sign-on, and finally found a working
configuration (see below). However, the configuration contains the deprecated
"Satisfy" directive, I therefore have some questions:
*) The subversion apache module in version 1.9.0 only works with the "Satisfy
Any" directive as given below. When removing it, I always get an authentication
error when trying to access the repository. However, in version 1.8.13 the
module works fine without the "Satisfy Any" directive and otherwise identical
configuration. Is this a bug in 1.8.13 (being too permissive), a bug in 1.9.0
(being too restrictive), or did anything else change between 1.8.13 and 1.9.0
justifying the different behaviour?
*) In case it is indeed desired behaviour to disallow NTLM authentication
without "Satisfy Any", how can the deprecated "Satisfy" directive be rewritten
using corresponding apache-2.4 directives (such as "Require")?
*) Does anybody know whether this issue is fixed in version 1.9.1? I found
binary distributions for 1.8.13 and 1.9.0, but not for 1.9.1.
Thanks & kind regards,
Markus Grabner
P.S.: This is the configuration entry for the subversion module:
<Location /svn>
DAV svn
SVNListParentPath On
SVNParentPath "D:/path/to/repositories"
AuthName "Subversion repositories"
AuthzSVNAccessFile "D:/path/to/repositories/svn-access-file"
AuthType SSPI
NTLMAuth On
NTLMAuthoritative On
NTLMOfferBasic On
NTLMBasicPreferred Off
NTLMOmitDomain On
NTLMUsernameCase lower
Satisfy Any
Require valid-user
</Location>
