2006/02/09

Apache 2, svn authentication, and OS X Server

I'm using Subversion for my source management needs, and I use it with Apache, not svnserve, and the whole thing is on top of a test OS X Server, which incorporates a unified, pluggable directory / security architecture, OpenDirectory. And of course, I'd like to have my Subversion repositories use the regular system users and authentication scheme.

This works nicely on the provided web server, first because web management is integrated in the GUI system administration console, but also because Apple developed a few OS X specific modules, to handle Zeroconf discovery, MacBinary support ... and OpenDirectory authentication. The only drawback here is that the default web server is apache 1, and even if Apple does ship an optional Apache 2, it is not supported in the GUI console (no big deal) and does not have apache2 versions of the apple-specific modules (more annoying).

So, how can we enable OpenDirectory authentication on Apache 2 or Apache 2.2? The first solution would be to port the mod_auth_apple authentication module to Apache 2; like most of the OS X BSD layer, it is open source and available in the Darwin Server source code.

Another solution, maybe less elegant but totally functional, is to use PAM authentication. Since 10.2, PAM is supported in OS X and bridges authentication to OpenDirectory (it is actually used by some services in the OS; look in /etc/pam.d). Thus the only missing part of the equation is a way to authenticate Apache with PAM, which is quite easy to find: mod_auth_pam provides a pluggable authentication module for Apache 1.3 or 2.0, and works almost out of the box (you just need to fix a PAM header from #include <security/pam_appl.h> to #include <pam/pam_appl.h>).

Apache 2.2 slightly changed the authentication and authorization modules, but another project, mod_auth, implements several modules for the new architecture, including a mod_authn_pam which works just fine, with the same small header fix.

Porting mod_auth_apple could be a good exercise though (side note: the ADC has an example of down-to-the-metal OpenDirectory authentication, replacing the use of crypt).


Comments:
I've been trying to get this to work this morning and so far I've had a lot of trouble.

I *think* I got the module to compile properly and it loads and Apache seems happy. That was pretty hard for me. I had to put the .c file into the Apache 2.2 tree and change the configure stuff to get it to compile it. Any other approach (like trying to do ./configure in the mod_authn_pam directory) gave me an endless string of things to overcome.

So, at this point, I can get my browser to ask me for a password but I can't authenticate. I'm not sure what's wrong -- or who to ask for help.
 
Mmh, what I did basically was to install Apache 2.2 from MacPorts, and use my slightly patched version. Here is a tarball of the source directory with my changes. Also, check you have a file /etc/pam.d/httpd with something like:

# login: auth account password session
auth sufficient pam_securityserver.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
 