I am able to access SVN with a blank Password. Where and how do I stop this?

Hello,    Having seen many posts on this forum, I finally became a member to get my issue resolved..    We have a apache subversion server and tortoise svn client installed. Whenever I try to perform any actions on svn, it asks for UN and PWD, surprisingly its accepting blank passwords. How do i prevent this??    This is a very critical issue and many users are affected by this. I am not sure where we configure or do settings on server side.. Ldap is also integrated with this. and in httpd.conf file, I see everything is proper..    It should accept correct username and correct password.. and not blank..    Any help for this issue is much appreciated!!    Eagerly awaiting your response..    -- Shruthi

Last updated 9 years ago

Hi Shruthi,  You need to enable authentication/authorization on the server side. The way you do it is dependent on how you run and access your SVN server (svnserve, ssh tunnel, http/https - WebDAV).  Please look at the SVN book for more information:  http://svnbook.red-bean.com/en/1.7/svn-book.html#svn.serverconfig.svnserve.auth  I hope this helps.

Hi Peter,    Thanks a lot for the reply. We access svn through https://servername:portno/svn/foldername/ through tortoise client. It prompts for the username and pwd.. When we give username with no password, it enables us to access the folders.. If wrong pwd is supplied, it prompts back with a window again asking for username and pwd.    I have already checked the httpd conf file since we access svn through https. everything seems to be correct. Below is the conf file.. Let me know in case if I'm missing anything..    

<Location /svnold>
   DAV svn
   AuthLDAPEnabled on
   SVNListParentPath on
   SVNAutoversioning on
   SVNReposName "svn repository"
   SVNParentPath /app/svn/svnint/svnrepositories
   AuthLDAPAuthoritative on
   AuthType Basic
   AuthName "Subversion"
   AuthLDAPBindDN "cn=sso-abc,l=amer,dc=abc,dc=com"
   AuthLDAPBindPassword password
     
   AuthLDAPURL "ldapurl:636/DC=abc,DC=com?mail?sub?(objectClass=inetorgperson)"
   Require valid-user
   AuthzSVNAccessFile /app/svn/svnint/file
 </Location>

   AddExternalAuth ldap_auth "/usr/lib/httpd/modules/ldapauth.sh http://localhost:8080/project/servlet"  SetExternalAuthMethod ldap_auth pipe    

<Location /svn>
   DAV svn
   SVNListParentPath on
   SVNAutoversioning on
   SVNReposName "svn repository"
   SVNParentPath /app/svn/svnint/svnrepositories
   AuthType Basic
   AuthName "Subversion"
   AuthExternal ldap_auth
   Require valid-user
 
   AuthzSVNAccessFile /app/svn/svnint/file
 </Location>

     Thanks,  Shruthi

Hi Shruthi,  Everything looks pretty much correct according to when I've used LDAP authentication in Apache in the past, the only difference between what I used and your config is I have the line "AuthBasicProvider ldap" in my configs, could you try putting that in, and restarting Apache?

HI James,  Thanks for your reply.. I also would like to mention there is one more location tag.. I'm not sure for what this is used for.. Below is the one.. Can anyone please tell me, for what this is being used.. We have 2 servers.. one Dev and one Prod.. Dev doesnt have this below mentioned location directive.. It also doesnt have ADDEXTERNALAUTH directive.. Please let me know if u have any details.. Any help much appreciated..     DAV svn  SVNListParentPath on  SVNAutoversioning on  SVNReposName "svn repository"  SVNParentPath /app/svn/svnrepositories  AuthType Basic  AuthName "Subversion"  AuthMySQLHost localhost  AuthMySQLEnable On  AuthMySQLUser root  AuthMySQLPassword pwd  AuthMySQLDB auth  AuthMySQLUserTable clients  AuthMySQLNameField username  AuthMySQLPasswordField password  AuthMySQLNoPasswd On  AuthMySQLPwEncryption none  require valid-user  AuthzSVNAccessFile /app/file  Thanks, Shruthi

Hi Shruthi,  It looks like this second location tag is pointing to repositories stored at /app/svn/svnrepositories (instead of /app/svn/svnint/svnrepositories that /svn points to), it's also using MySQL authentication instead of LDAP authentication.