
Re: [PATCH] Make SASL mechanism negotiation smarter

From: Malcolm Rowe <malcolm-svn-dev_at_farside.org.uk>
Date: 2006-10-11 18:18:42 CEST

On Wed, Oct 11, 2006 at 06:53:17PM +0300, Vlad Georgescu wrote:
> On 10/11/06, Malcolm Rowe <malcolm-svn-dev@farside.org.uk> wrote:
> >$ basic_tests.py --url=svn://localhost:3691 1
> >../svn-trunk/subversion/libsvn_ra_svn/sasl_auth.c:339: (apr_err=170001)
> >svn: SASL(-4): no mechanism available: No worthy mechs found
> >FAIL: basic_tests.py 1: basic checkout of a wc
>
> You shouldn't have to configure anything. A SASL-enabled svn is
> supposed to be backward compatible with old servers _if_ the ANONYMOUS
> and CRAM-MD5 plugins are installed on the system. (SASL mechanisms are
> implemented as plugins which are dynamically loaded at runtime by the
> main sasl lib). In your case, it's probably caused by a missing
> ANONYMOUS plugin (there should be a libanonymous.so in
> /usr/lib/sasl2).
>

Ah, that'll be it. I have no libanonymous.so, and unfortunately my
distro in this case (Slackware) doesn't seem to provide it at all.

I'll ask why not - there could be a good reason, I guess - but it would
also be nice if we didn't just fall in a heap in this case.

> >[Incidentally, I presume that these are done on a per-service basis or
> >similar? We're not going to ship in a mode that suddenly allows every
> >valid account in /etc/passwd to commit to a repository, are we?]
>
> Yes, configuring the range of allowed mechanisms and the
> password-checking method is done in a configuration file specific to
> Subversion (usually /usr/lib/sasl2/subversion.conf).
>

So if I wasn't authenticating via the SASL2 anonymous plugin (which I
guess then ends up at our internal anonymous or cram-md5 auth?), I would
have to create a system-wide config file before I could use any of the
other SASL mechanisms?

> >Can we not fall back to the previous authentication mechanism if SASL
> >doesn't have any matching authentication mechanisms?
>
> I think it's simpler to just require users to have those plugins
> installed than to complicate the SASL implementation.
>

I'm not sure I agree, but I'll see if I can find out why Slackware
doesn't ship with that plugin.

Regards,
Malcolm

Received on Wed Oct 11 18:19:03 2006

This is an archived mail posted to the Subversion Dev mailing list.