This patch adds Cyrus SASL support to svnserve. Security layers are
not supported yet - I'll submit another patch for that when this one
gets the 'stamp of approval'.
[[[
* subversion/include/svn_config.h
(SVN_CONFIG_SECTION_SASL): New section.
(SVN_CONFIG_OPTION_USE_SASL): New option.
* subversion/libsvn_repos/repos.c
(create_conf): Document the new option.
* subversion/svnserve/sasl_auth.c: New file.
* subversion/svnserve/main.c
(main): Call sasl_init().
* subversion/svnserve/serve.c
(server_baton_t, authn_type, authz_type, get_access): Moved to server.h.
(simple_auth_request): Contains the code that was previously in auth_request.
(auth_request): Call sasl_auth_request() or simple_auth_request().
(must_have_access): Consider the value of b->use_sasl when
determining whether authentication should be performed.
(find_repos): Read the value of the use-sasl option into b->use_sasl.
Use that value when determining whether access is allowed to the repository.
* subversion/svnserve/server.h
(server_baton_t): Moved here from serve.c. Has a new member 'use_sasl'
(authn_type, authz_type, get_access): Moved here from serve.c.
(sasl_init, sasl_auth_request): New declarations.
]]]
SASL supports many password-checking methods. It can use an external
daemon saslauthd that can authenticate against /etc/shadow, PAM, LDAP,
etc. It only works with plaintext passwords, though, so we can't use
it until we have SSL support in ra_svn. Until then, we have to use
the other method, auxprop, which fetches passwords from a database
(which is usually stored in /etc/sasldb2, but could also be an
external SQL server or an LDAP database).
To test this patch, create a configuration file Subversion.conf in
/usr/lib/sasl2. This file will be read by Cyrus SASL at runtime to
determine how authentication should be performed.
See the SASL docs for more details. A simple example could be:
pwcheck_method: auxprop
mech_list: DIGEST-MD5 ANONYMOUS
Then add users and passwords to Cyrus SASL's password database:
saslpasswd2 -c user -u realm -a Subversion
where 'realm' is the actual realm of your repository.
Just like Subversion, Cyrus SASL supports the concept of
"authentication realms". In fact, svnserve will treat the repository
realm as a SASL realm when authenticating the user. This is necessary
because the password database is global instead of per-repository, so
it's the only way for Subversion to tell which users belong to which
repository.
Comments and criticism are welcome, as always.
--
Vlad
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Aug 21 11:40:22 2006
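The DIGEST-MD5 exchange that the Subversion.conf above selects (mech_list: DIGEST-MD5), worked through end to end as an added example; this is not code from Subversion or Cyrus SASL. It follows RFC 2831: the server issues a challenge carrying the realm, the client answers with a response hash whose innermost term is H(username:realm:password), and the server recomputes it from the stored secret and returns rspauth. Assumptions made for illustration: an in-memory dict keyed by (user, realm) stands in for /etc/sasldb2 and the saslpasswd2 command, the digest-uri "svn/svn.example.org" is an invented value, and the users "alice" and "bob" with their passwords are constructed test data. The point it shows is the one the message makes about realms: because the realm is hashed into the secret and looked up alongside the user name, a password enrolled for one repository's realm is useless against a challenge for another.

```python
"""DIGEST-MD5 (RFC 2831) client/server exchange, as svnserve would run it
through Cyrus SASL. Added example, not Subversion or Cyrus SASL code."""
import hashlib
import hmac
import re
import secrets
from typing import Optional

# key=value pairs, comma separated; quoted values may themselves contain commas
_FIELD = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|[^,]*)')
_REQUIRED = ("username", "realm", "nonce", "nc", "cnonce",
             "digest-uri", "response", "qop")


def parse_fields(msg: str) -> dict:
    """Split a DIGEST-MD5 challenge or response into a {key: value} dict."""
    out = {}
    for key, val in _FIELD.findall(msg):
        out[key] = val[1:-1] if val.startswith('"') else val
    return out


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password). The realm is baked into the secret, so the
    same user and password enrolled in another realm give an unrelated value."""
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))


def add_user(db: dict, username: str, realm: str, password: str) -> None:
    """Stand-in for `saslpasswd2 -c user -u realm -a Subversion`.
    Assumption: a dict keyed by (user, realm) plays the role of /etc/sasldb2."""
    db[(username, realm)] = digest_secret(username, realm, password)


def _response(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str,
              uri: str, a2_prefix: str) -> str:
    # RFC 2831 2.1.2.1: A1 = H(user:realm:pass) ":" nonce ":" cnonce (no authzid)
    a1 = secret + f":{nonce}:{cnonce}".encode()
    # A2 = "AUTHENTICATE:" uri for the client response, ":" uri for rspauth
    a2 = f"{a2_prefix}:{uri}".encode()
    kd = f"{md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5hex(a2)}"
    return md5hex(kd.encode())


def server_challenge(realm: str, nonce: Optional[str] = None) -> str:
    """Server's first message: the repository realm goes out as the SASL realm."""
    nonce = nonce or secrets.token_urlsafe(16)
    return (f'realm="{realm}",nonce="{nonce}",qop="auth",'
            f'algorithm=md5-sess,charset=utf-8')


def client_respond(challenge: str, username: str, password: str,
                   uri: str, cnonce: Optional[str] = None) -> str:
    """Client's reply: proves knowledge of the password without sending it."""
    ch = parse_fields(challenge)
    cnonce = cnonce or secrets.token_urlsafe(16)
    nc = "00000001"
    secret = digest_secret(username, ch["realm"], password)
    resp = _response(secret, ch["nonce"], cnonce, nc, "auth", uri, "AUTHENTICATE")
    return (f'charset=utf-8,username="{username}",realm="{ch["realm"]}",'
            f'nonce="{ch["nonce"]}",nc={nc},cnonce="{cnonce}",'
            f'digest-uri="{uri}",response={resp},qop=auth')


def server_verify(db: dict, challenge: str, response: str) -> Optional[str]:
    """Return the rspauth message on success, None on any failure."""
    ch, r = parse_fields(challenge), parse_fields(response)
    if any(k not in r for k in _REQUIRED):
        return None
    # The realm and nonce we issued must come back unchanged; the secret is
    # looked up by (user, realm), so a user enrolled only for another
    # repository's realm simply does not exist here.
    if r["realm"] != ch["realm"] or r["nonce"] != ch["nonce"]:
        return None
    secret = db.get((r["username"], r["realm"]))
    if secret is None:
        return None
    expect = _response(secret, ch["nonce"], r["cnonce"], r["nc"], r["qop"],
                       r["digest-uri"], "AUTHENTICATE")
    if not hmac.compare_digest(expect, r["response"]):
        return None
    return "rspauth=" + _response(secret, ch["nonce"], r["cnonce"], r["nc"],
                                  r["qop"], r["digest-uri"], "")


def authenticate(db: dict, realm: str, username: str, password: str,
                 uri: str = "svn/svn.example.org",
                 nonce: Optional[str] = None, cnonce: Optional[str] = None) -> bool:
    """One full exchange. The digest-uri default is an assumed value."""
    ch = server_challenge(realm, nonce)
    resp = client_respond(ch, username, password, uri, cnonce)
    return server_verify(db, ch, resp) is not None


if __name__ == "__main__":
    db = {}                                    # constructed sample "sasldb2"
    add_user(db, "alice", "repo-a", "s3cret")  # saslpasswd2 -c alice -u repo-a
    add_user(db, "alice", "repo-b", "other")   # saslpasswd2 -c alice -u repo-b
    print("alice@repo-a, own password :", authenticate(db, "repo-a", "alice", "s3cret"))
    print("alice@repo-b, repo-a password:", authenticate(db, "repo-b", "alice", "s3cret"))
```

Run it and the second line is False even though the user name and password are both valid somewhere: the server for repo-b computes against H(alice:repo-b:other), so the response built from the repo-a password never matches. That is the per-realm scoping the message relies on to keep one global password database usable for several repositories, and the constant-time compare on the response string is the check a server implementation should keep.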