Christer Grimsæth wrote:
> 1) Which protocol do I use?
> We're thinking of using the (new) sserver (SSL) protocol. Does this sound
> reasonable?

Seems OK. If you want real security make sure the clients are set to check the server certificate (there's a registry setting to make this the default on the clients - see the ReadMe file in the wiki) & give the server a valid certificate.

> Is it possible to use the sspi protocol in this setup? (Remember the
> server is not in our NT-domain).

Yes - if you just add users on the cvs server they'll validate using SSPI. Not as secure as sserver (no endpoint validation so you're open to DNS spoofing etc.) but much more convenient.

> 2) Should I use the "passwd" file or should I create every user on the
> windows box?

With sspi you have no choice - the users must all exist on the machine. With sserver it really depends on what you want to do with them.

> If we use the passwd file, can I share it between multiple cvs
> repositories? If we are _not_ using the passwd file, can we still use the
> "cvs passwd" command ?

No - 'cvs passwd' modifies CVS specific users only... there are lots of remote admin tools for NT that'll do the same for NT Users.

> 3) How do I grant access (None, Read and Write) to repositories? And to
> modules inside repositories?
> Do I need the "group" file for this, or do I only use NT groups (and NTFS
> access)?

NTFS access is better from a security point of view - cvs acls are really designed only as a backup for doing things like locking individual branches.

> As you can understand, I'm mostly concerned about the "manageability" and
> administrative effort needed to get this up and running. I would really
> like to be able to "disable a user", configure "password expire" for a
> user, grant "write access to rep A on module xyz", and so on...

If you want expiry, auditing and things like that you're pretty much forced to use NT users.. the cvs user mechanism isn't designed to work at that level.

If your machine is a Win2000 machine you should be able to do all the user admin via the Active Directory.. usrmgr.exe can be persuaded to do the same thing under NT4 sometimes. If you have secure VPN access to the machine it's much safer to rely on NT security to handle the permissions (then use sserver for the users to connect as above).

Tony