Mercurial, Apache, Windows, mod_auth_sspi and hg push
I'm playing with Mercurial 1.6 under Apache 2.2.15 on a Windows box under a Windows domain, running as a central repo server to which select people will have commit permissions.
I'm trying to restrict access to Mercurial by restricting access to Apache's /cgi-bin/ to select users via sspi_auth_module.
If I browse to the repo page with sspi_auth_module enforcing restrictions on /cgi-bin/ I'm prompted for a username and password, which is accepted and everything works fine.
If I try to use the CLI "hg push" to commit from my local repo to the server, from the command-line, the command terminates very quickly with the message:
abort: authorization failed
If I remove /cgi-bin/ restrictions, pushing works.
The relevant section of httpd.conf: (names redacted)
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    AuthName "XXXXXX"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOmitDomain On
    Require user "xxxxxx"
</Directory>
The relevant section of my hgweb.config file (repositories stored in C:/Hg)
[collections]
C:/Hg = C:/Hg
[web]
allow_push = *
push_ssl = false
allow_archive = bz2 gz zip
I'd like to let the domain controller worry about authentication (to me, it's better than having everyone memorize extra passwords!) - is this a viable approach?
I found a solution. I suspect that part of the issue was that I did not have SSPIDomain specified (mistaking it for AuthName ... duh)
Anyway, the following in httpd.conf did the trick: (the ScriptAlias directive was there from the beginning, BTW)
ScriptAlias /hg "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin/hgweb.cgi"
<Location /hg>
    AuthName "Mercurial Authentication"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain XXXXXX
    SSPIOmitDomain On
    SSPIOfferBasic On
    SSPIBasicPreferred Off
    Require user "xxxxxx"
</Location>
I removed myself as a required user, was prompted for username and password, and could not authenticate. I then added myself back and was able to authenticate OK.
Thanks for looking!
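A check added here as an example (not code from the original post, Mercurial or mod_auth_sspi): the working setup combines SSPIOfferBasic On with push_ssl = false, so when the server is reached over plain HTTP a client that falls back to Basic sends the domain password merely base64-encoded. The sketch below audits the two config files for that combination; the function names `apache_directives` and `audit` are hypothetical, and the inputs are the settings quoted above.

```python
import configparser
import re

# Constructed sample input: the settings quoted in the post, redactions kept.
APACHE_CONF = """<Location /hg>
AuthType SSPI
SSPIOfferBasic On
SSPIBasicPreferred Off
Require user "xxxxxx"
</Location>
"""
HGWEB_CONF = """[web]
allow_push = *
push_ssl = false
"""

def apache_directives(text):
    """Map lower-cased directive name -> argument for one-per-line directives."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s+(.+?)\s*$", line)
        if m:  # container tags (<Location>) and comments do not match
            found[m.group(1).lower()] = m.group(2)
    return found

def audit(apache_text, hgweb_text):
    """Return findings for settings that expose credentials or widen push access."""
    ap = apache_directives(apache_text)
    hg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    hg.read_string(hgweb_text)
    # hgweb requires SSL for pushes unless push_ssl is switched off.
    push_ssl = hg.get("web", "push_ssl", fallback="true").strip().lower()
    plain_push = push_ssl in ("false", "0", "no", "off", "never")
    offers_basic = ap.get("sspiofferbasic", "off").lower() == "on"
    findings = []
    if offers_basic and plain_push:
        findings.append("basic-over-http: SSPIOfferBasic On with push_ssl = false; "
                        "Basic sends the domain password base64-encoded, not encrypted")
    if hg.get("web", "allow_push", fallback="").strip() == "*" and "require" not in ap:
        findings.append("open-push: allow_push = * and no Apache Require directive")
    return findings

if __name__ == "__main__":
    for finding in audit(APACHE_CONF, HGWEB_CONF):
        print("FINDING:", finding)
```

Serving /hg over HTTPS and leaving push_ssl at its default of true clears the first finding while keeping domain-controller authentication.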