
[PATCH] Server-side Cyrus SASL support

From: Vlad Georgescu <vgeorgescu_at_gmail.com>
Date: 2006-08-21 11:39:38 CEST

This patch adds Cyrus SASL support to svnserve. Security layers are
not supported yet - I'll submit another patch for that when this one
gets the 'stamp of approval'.

[[[
* subversion/include/svn_config.h
  (SVN_CONFIG_SECTION_SASL): New section.
  (SVN_CONFIG_OPTION_USE_SASL): New option.

* subversion/libsvn_repos/repos.c
  (create_conf): Document the new option.

* subversion/svnserve/sasl_auth.c: New file.

* subversion/svnserve/main.c
  (main): Call sasl_init().

* subversion/svnserve/serve.c
  (server_baton_t, authn_type, authz_type, get_access): Moved to server.h.
  (simple_auth_request): Contains the code that was previously in auth_request.
  (auth_request): Call sasl_auth_request() or simple_auth_request().
  (must_have_access): Consider the value of b->use_sasl when
  determining whether authentication should be performed.
  (find_repos): Read the value of the use-sasl option into b->use_sasl.
  Use that value when determining whether access is allowed to the repository.

* subversion/svnserve/server.h
  (server_baton_t): Moved here from serve.c. Has a new member 'use_sasl'
  (authn_type, authz_type, get_access): Moved here from serve.c.
  (sasl_init, sasl_auth_request): New declarations.
]]]

SASL supports many password-checking methods. It can use an external
daemon, saslauthd, that can authenticate against /etc/shadow, PAM, LDAP,
etc. It only works with plaintext passwords, though, so we can't use
it until we have SSL support in ra_svn. Until then, we have to use
the other method, auxprop, which fetches passwords from a database
(which is usually stored in /etc/sasldb2, but could also be an
external SQL server or an LDAP database).

To test this patch, create a configuration file Subversion.conf in
/usr/lib/sasl2. This file will be read by Cyrus SASL at runtime to
determine how authentication should be performed.
See the SASL docs for more details. A simple example could be:

pwcheck_method: auxprop
mech_list: DIGEST-MD5 ANONYMOUS

Then add users and passwords to Cyrus SASL's password database:

saslpasswd2 -c user -u realm -a Subversion

where 'realm' is the actual realm of your repository.
Just like Subversion, Cyrus SASL supports the concept of
"authentication realms". In fact, svnserve will treat the repository
realm as a SASL realm when authenticating the user. This is necessary
because the password database is global instead of per-repository, so
it's the only way for Subversion to tell which users belong to which
repository.

Comments and criticism are welcome, as always.

-- 
Vlad
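The realm point above (saslpasswd2 -u realm must match the repository realm because the password store is global) can be seen in the DIGEST-MD5 math itself: the stored secret is H(user:realm:password), so a credential registered under one realm cannot satisfy a challenge for another. The following is an added example, not code from the patch or from Cyrus SASL; the nonce, cnonce, digest-uri and the in-memory "sasldb" are constructed sample values, and the response computation follows RFC 2831 (qop=auth, no authzid).

```python
import hashlib
import hmac

def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def _hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def make_secret(user: str, realm: str, password: str) -> bytes:
    # H(username:realm:password): the per-(user, realm) value the server must hold.
    return _h(f"{user}:{realm}:{password}".encode())

def digest_md5_response(secret: bytes, nonce: str, cnonce: str,
                        nc: str, qop: str, digest_uri: str) -> str:
    # RFC 2831: A1 = H(user:realm:pass) ":" nonce ":" cnonce ; A2 = "AUTHENTICATE:" uri
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex(a2)}".encode()
    return _hex(kd)

class SaslDb:
    """Constructed stand-in for sasldb2: entries keyed by (user, realm)."""
    def __init__(self):
        self._entries = {}

    def add_user(self, user, realm, password):
        # Equivalent of: saslpasswd2 -c user -u realm -a Subversion
        self._entries[(user, realm)] = make_secret(user, realm, password)

    def verify(self, user, realm, response, nonce, cnonce, nc, qop, digest_uri):
        # svnserve passes the repository realm here; lookup fails for any other realm.
        secret = self._entries.get((user, realm))
        if secret is None:
            return False
        expected = digest_md5_response(secret, nonce, cnonce, nc, qop, digest_uri)
        return hmac.compare_digest(expected, response)

def demo():
    # Constructed challenge values; a real server generates a fresh nonce per exchange.
    nonce, cnonce, nc, qop, uri = "n1", "c1", "00000001", "auth", "svn/svn.example.test"
    db = SaslDb()
    db.add_user("alice", "example-repo", "s3cret")   # realm matches the repository
    db.add_user("bob", "other-realm", "s3cret")      # registered under the wrong realm
    def client(user, realm, pw):
        return digest_md5_response(make_secret(user, realm, pw), nonce, cnonce, nc, qop, uri)
    ok = db.verify("alice", "example-repo", client("alice", "example-repo", "s3cret"),
                   nonce, cnonce, nc, qop, uri)
    wrong = db.verify("bob", "example-repo", client("bob", "other-realm", "s3cret"),
                      nonce, cnonce, nc, qop, uri)
    return ok, wrong
```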



Received on Mon Aug 21 11:40:22 2006

This is an archived mail posted to the Subversion Dev mailing list.
