What options are there for authenticating Subversion against an Active Directory Domain?

Thanks to the Apache project and other Open Source projects, there are multiple options, including LDAP, SSPI, and Kerberos.

The first option is accessing AD users and groups via LDAP. This works for both *Nix and win32 variants. It is also relatively simple to configure and well documented.

Example Apache configuration block:

<Location /svn/>
       # normal SVN configuration options snipped
       AuthBasicProvider ldap
       # Require ldap-group cn=groupname, o=orgunit
       Require valid-user
       # basic user authentication
       AuthType Basic
       AuthName "LDAP Subversion repository"
       AuthLDAPBindDN "user@domain"
       AuthLDAPBindPassword password
       # Define LDAP query for authenticating against Active Directory
       AuthLDAPURL ldap://ad.example.com/DC=svnusers,DC=example,DC=com?sAMaccountName?sub?(objectClass=*)
</Location>
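
To make the AuthLDAPURL line above easier to review, here is an added example (not part of the original FAQ or of Apache) that splits the URL into its basedn?attribute?scope?filter fields, builds the (&(filter)(attribute=username)) search filter described in the mod_authnz_ldap documentation, and returns hardening notes. The function names and the RFC 4515 escaping routine are this example's own assumptions, not Apache's code.

```python
from urllib.parse import unquote

# AuthLDAPURL value copied from the configuration block above.
PAGE_URL = "ldap://ad.example.com/DC=svnusers,DC=example,DC=com?sAMaccountName?sub?(objectClass=*)"

def parse_auth_ldap_url(url):
    """Split ldap[s]://host[:port]/basedn?attribute?scope?filter into its fields."""
    scheme, sep, rest = url.strip().strip('"').partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    host, _, tail = rest.partition("/")
    fields = [unquote(f) for f in tail.split("?", 3)] + [""] * 4
    return {
        "scheme": scheme.lower(),
        "host": host,
        "base_dn": fields[0],
        # Defaults documented for mod_authnz_ldap when a field is omitted.
        "attribute": fields[1] or "uid",
        "scope": fields[2] or "sub",
        "filter": fields[3] or "(objectClass=*)",
    }

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def effective_filter(cfg, username):
    """Filter used to locate the user entry: (&(filter)(attribute=username))."""
    flt = cfg["filter"]
    if not flt.startswith("("):
        flt = "(%s)" % flt
    return "(&%s(%s=%s))" % (flt, cfg["attribute"], escape_filter_value(username))

def review(cfg):
    """Return hardening notes for a parsed AuthLDAPURL."""
    notes = []
    if cfg["scheme"] == "ldap":
        notes.append("ldap:// is cleartext unless STARTTLS is enabled; prefer ldaps://")
    if cfg["filter"].replace(" ", "").lower() == "(objectclass=*)":
        notes.append("filter matches every entry under %s" % cfg["base_dn"])
    return notes

if __name__ == "__main__":
    cfg = parse_auth_ldap_url(PAGE_URL)
    print(effective_filter(cfg, "jdoe"))
    for note in review(cfg):
        print("note:", note)
```

Because the block above uses AuthType Basic, the user's password also travels from the Subversion client to Apache on every request, so the same review applies to the HTTP side: serve the location over HTTPS.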

A second option, for win32 servers, is to use mod_auth_SSPI. This uses the NTLM protocol across the wire to authenticate Windows clients against their login session.

Pros: Simple configuration
Cons: Only works for domain clients, only works for win32 servers
Gotchas: The SVN server has to be in the site lists for the Trusted or Intranet realms

Example:

<Location /svn/>
    # normal SVN configuration options snipped
    SSPIAuth On
    SSPIDomain example.com
    SSPIPerRequestAuth On
</Location>

The third option is to use Kerberos authentication. If you are operating a mixed Win32/*Nix environment, this is likely already configured and can be leveraged. If this is the path you wish to proceed down, please contact Support for more information.

Pros: Completely cross-platform and transparent when configured correctly
Cons: Incorrect configuration can be tricky to troubleshoot.

All of these options are fully supported via the Open Source Subversion support package. The CollabNet Binary support does not cover SSPI or Kerberos, but it can be used via LDAP.