
Re: [PATCH] Server-side Cyrus SASL support

From: Garrett Rooney <rooneg_at_electricjellyfish.net>
Date: 2006-08-29 22:21:17 CEST

On 8/29/06, Vlad Georgescu <vgeorgescu@gmail.com> wrote:

> Ouch. I don't know if it's related to the crash or not, but I noticed
> I forgot to do any error-checking when calling sasl_init() in main. So
> SASL might not have been initialized.

That could certainly be an issue.

> OTOH, it's probably not a good idea to initialize SASL in main anyway,
> because it's a potentially expensive operation (it loads a bunch of
> plugins, which might have their own dependencies etc.). That wouldn't
> be nice to people who run svn over ssh and/or don't care about Cyrus
> SASL. We could instead do the initialization in sasl_auth_request
> using svn_atomic_init_once, like we do on the client side. Thoughts?

I'd suggest making it work in main() first, then later moving to
something more complex ;-)

> > I've got anon-access = none and auth-access = write turned on in
> > svnserve.conf, and use-sasl = true set. In my
> > /usr/lib/sasl2/Subversion.conf file I have the following:
> >
> > pwcheck_method: auxprop
> > mech_list: DIGEST-MD5 ANONYMOUS
> >
> > And I gave myself a username and password via saslpasswd2, although I
> > haven't actually got myself to the point of being prompted for it.
> >
> > Other than the crash, a few questions. Why is the config file
> > capitalized? Is that a convention with SASL conf files? We've stuck
> > to all lowercase so far.
>
> Ok, I'll change it to lowercase.
>
> > Also, why do I have to run saslpasswd2 as
> > root? Is that normal? How do people generally control their sasl
> > passwords?
>
> I suppose saslpasswd2 is meant to be used by a system administrator.

Hmm. That's too bad. I suppose if you want the users to have the
ability to change their passwords you'll have to use a sasl config
that uses PAM or LDAP or something.

> > Also, one compile warning I noticed. In sasl_auth_request there's the
> > following bit of code:
> >
> > char *p;
> > const char *user;
> >
> > /* Get the authenticated username. */
> > result = sasl_getprop(sasl_ctx, SASL_USERNAME, (const void **)&user);
> >
> > This produces a warning about type punned pointers, you can avoid that
> > by passing a const void * instead of user, and then assigning it to
> > user later. I also find it a little odd that result is never checked
> > in that function...
>
> Yup, I'll have to fix that. Thanks.

Great! Looking forward to the next rev of this patch.


Received on Tue Aug 29 22:27:26 2006
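
The fix suggested in the quoted review of sasl_auth_request (pass a `const void *` as the out-parameter, assign it to `user` afterwards, and check the result), shown as an added example that is not part of the original mail or the patch. `demo_getprop`, `struct demo_ctx` and the `DEMO_*` constants are hypothetical stand-ins that only mirror the shape of the quoted `sasl_getprop()` call, so the pattern compiles without libsasl2.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, NOT the Cyrus SASL API: they only mirror the
   shape of the sasl_getprop() call quoted in the thread. */
enum { DEMO_OK = 0, DEMO_FAIL = -1 };
enum { DEMO_PROP_USERNAME = 1 };
struct demo_ctx { const char *authenticated_user; };

static int demo_getprop(const struct demo_ctx *ctx, int prop, const void **pvalue)
{
  if (ctx == NULL || pvalue == NULL || prop != DEMO_PROP_USERNAME)
    return DEMO_FAIL;
  *pvalue = ctx->authenticated_user;
  return DEMO_OK;
}

/* Copy the authenticated username into buf; any failure leaves buf empty. */
int get_authenticated_user(const struct demo_ctx *ctx, char *buf, size_t buflen)
{
  const void *val = NULL;  /* matches the out-parameter type, so no cast */
  const char *user;
  int result;

  if (buf == NULL || buflen == 0)
    return DEMO_FAIL;
  buf[0] = '\0';

  result = demo_getprop(ctx, DEMO_PROP_USERNAME, &val);
  if (result != DEMO_OK)
    return result;         /* fail closed: never use val after an error */

  user = val;              /* const void * converts to const char * in C */
  if (user == NULL || *user == '\0' || strlen(user) >= buflen)
    return DEMO_FAIL;      /* no identity, or it would not fit in buf */
  memcpy(buf, user, strlen(user) + 1);
  return DEMO_OK;
}

int main(void)
{
  struct demo_ctx ctx = { "alice" };  /* constructed sample identity */
  char name[32];

  if (get_authenticated_user(&ctx, name, sizeof name) != DEMO_OK)
    return 1;
  printf("authenticated as %s\n", name);
  return 0;
}
```
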

This is an archived mail posted to the Subversion Dev mailing list.
