Making SVN on apache server windows integrated authentication for free

Question

Hi i work in a place that runs programming courses, in alot of the courses the students are required to do a project in order to pass the course, and sometimes the projects are even done in groups, so you can understan the need for version control, we use svn and we run it on an apache server in a windows server 2003 operting system.

in order for the students not to be able to copy each others code we want to make the authntication with the svn server windows integrated, meaning that the student won't be prompt for user name and password when he is trying to access the svn, but will automatically connect to the svn with the current user name and password.

our fear is that students will share thier passwords with one another and easily get each others version of code from the svn.

I have tried searching for this on the internet, i found a version of visual svn server that supports Integrated windows authentication but this supports costs money,

I have tried using windows authntication modules for the apache server (mod_auth_sspi) but that didn't stop me from getting prompt for user name and password.

has anyone succeded in making his svn server windows integrated? and how? does anyone know of any other free version control systems that can be windows integrated? or maybe have any sort of an idea on my situation.

thanks.

Answer 1

I managed to achive this by making my svn authentication SSL, and setting the svn attribute "OfferBasic" inside the repository location tag to off.

Answer 2

I'm using Collabnet Subversion Edge here, and it appears to do LDAP. I'm not a security guy I don't know if that is the same as what you need.

Answer 3

In order for the students not to be able to copy each others code we want to make the authentication with the svn server windows integrated, meaning that the student won't be prompt for user name and password when he is trying to access the svn, but will automatically connect to the svn with the current user name and password.

How would this scheme prevent student A from passing the code over to student B?

Student A could simply download the code, zip it up, and pass it over to student B. Or, student A could use a client like svn-git, download the whole repository and pass it to student B. And, if student A gave student B the password to their Windows account, what's to prevent student B from logging in as student A?

Back in Windows NT days, you could use NTLM. NTLM assumed that since you were logged into a Windows machine that was certified as a valid machine on the network, you already had authenticated and didn't need to reauthenticate. Thus, no need to ask for an account and password.

But NTLM required the server to be running IIS and the client running Windows NT and Internet Explorer 5. I believe it is still possible to use NTLM, but Microsoft no longer recommends it because it was so full of security holes.

Even if you could use NTLM, there's no Subversion server that works over IIS and there's no Subversion client that allows checkout via IE.

All you're doing is making it more difficult for students to actually do their work.