[svlug] rehearsal: auth_pam and apache2
Ivan Sergio Borgonovo
mail at webthatworks.it
Sun Aug 13 13:38:13 PDT 2006
On Fri, 11 Aug 2006 15:10:22 +0200
Ivan Sergio Borgonovo <mail at webthatworks.it> wrote:
> I'd like to use pam authentication for my svn server.
OK I read a lot... but I still don't have a clear picture of what I should do to avoid duplicating users' credentials in configuration files.
I read this
http://pam.sourceforge.net/mod_auth_pam/shadow.html
and with this configuration:
<Location /svn>
    DAV svn
    SVNPath /var/www/svn
    AuthType Basic
    AuthName "SVN"
    AuthPAM_Enabled on
    Require valid-user
    Require group $group
</Location>
and
Group shadow
in /etc/apache2.conf
it works.
But I'm not willing to let Apache read my shadow, since I may make some error in my application code, and I don't want someone who owns just Apache to own my box.
I read this too:
http://pam.sourceforge.net/mod_auth_pam/
"
Related Modules
For authentication against /etc/shadow, I recommend
mod_authnz_external. For use with LDAP, several LDAP modules are
available, choose a recent one.
"
But it seems that these modules haven't been packaged for sarge.
I don't see any alternative other than using the subversion custom server over ssh and giving up webdav.
The "good thing" about using mod_authnz_external seems to be adding an extra layer between Apache and my shadow.
Using Basic auth and just duplicating credentials into .htaccess is just a little bit better than letting Apache read my shadow (I can skip putting root into .htaccess).
I thought that having the same users for Apache and the system was a common problem, so a tested solution should be around (and sarge is neither old nor new). Is there a reason there is no tested solution around?
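
The "extra layer" idea above, as an added example that is not part of the original post or of mod_authnz_external: a small filter Apache could run as a pipe-method external authenticator, so the web server itself never reads shadow. It assumes the pipe method's "login, newline, password, newline" on stdin with exit status 0 meaning accept; MIN_UID, MAX_FIELD and the HELPER path to a privileged checker such as pwauth are assumptions.

```python
#!/usr/bin/env python3
# Added example: policy filter in front of a privileged password checker.
import pwd
import subprocess
import sys

MIN_UID = 1000                 # assumption: human accounts start at 1000
MAX_FIELD = 256                # cap on what we accept from the web tier
HELPER = "/usr/sbin/pwauth"    # assumption: path of the privileged checker

def parse_request(stream):
    """Return (login, password) from 'login\\npassword\\n', or None."""
    fields = stream.read(2 * MAX_FIELD + 2).split("\n")
    if len(fields) < 2:
        return None
    login, password = fields[0], fields[1]
    if not login or not password or max(len(login), len(password)) > MAX_FIELD:
        return None
    return login, password

def lookup_uid(login):
    """UID of a local account, or None if it does not exist."""
    try:
        return pwd.getpwnam(login).pw_uid
    except KeyError:
        return None

def helper_accepts(login, password):
    """Hand the credentials to the privileged helper over its stdin."""
    done = subprocess.run([HELPER], input=f"{login}\n{password}\n",
                          text=True, timeout=10)
    return done.returncode == 0

def authenticate(stream, uid_of=lookup_uid, check=helper_accepts):
    """Exit status for Apache: 0 grants access, anything else denies."""
    request = parse_request(stream)
    if request is None:
        return 2
    login, password = request
    uid = uid_of(login)
    if uid is None or uid < MIN_UID:   # root and service accounts never pass
        return 1
    return 0 if check(login, password) else 1

if __name__ == "__main__":
    try:
        sys.exit(authenticate(sys.stdin))
    except Exception:
        sys.exit(3)                    # fail closed on any error
```

Only the helper needs access to the password database; the filter and Apache both run without the shadow group.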