[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] Make SASL mechanism negotiation smarter

From: Vlad Georgescu <vgeorgescu_at_gmail.com>
Date: 2006-10-11 20:07:19 CEST

On 10/11/06, Malcolm Rowe <malcolm-svn-dev@farside.org.uk> wrote:
> On Wed, Oct 11, 2006 at 06:53:17PM +0300, Vlad Georgescu wrote:
> > On 10/11/06, Malcolm Rowe <malcolm-svn-dev@farside.org.uk> wrote:
> > >$ basic_tests.py --url=svn://localhost:3691 1
> > >../svn-trunk/subversion/libsvn_ra_svn/sasl_auth.c:339: (apr_err=170001)
> > >svn: SASL(-4): no mechanism available: No worthy mechs found
> > >FAIL: basic_tests.py 1: basic checkout of a wc
> >
> > You shouldn't have to configure anything. A SASL-enabled svn is
> > supposed to be backward compatible with old servers _if_ the ANONYMOUS
> > and CRAM-MD5 plugins are installed on the system. (SASL mechanisms are
> > implemented as plugins which are dynamically loaded at runtime by the
> > main sasl lib). In your case, it's probably caused by a missing
> > ANONYMOUS plugin (there should be a libanonymous.so in
> > /usr/lib/sasl2).
> >
>
> Ah, that'll be it. I have no libanonymous.so, and unfortunately my
> distro in this case (Slackware) doesn't seem to provide it at all.
>
> I'll ask why not - there could be a good reason, I guess - but it would
> also be nice if we didn't just fall in a heap in this case.
>
> > >[Incidentally, I presume that these are done on a per-service basis or
> > >similar? We're not going to ship in a mode that suddenly allows every
> > >valid account in /etc/passwd to commit to a repository, are we?]
> >
> > Yes, configuring the range of allowed mechanisms and the
> > password-checking method is done in a configuration file specific to
> > Subversion (usually /usr/lib/sasl2/subversion.conf).
> >
>
> So if I wasn't authenticating via the SASL2 anonymous plugin (which I
> guess then ends up at our internal anonymous or cram-md5 auth?), I would
> have to create a system-wide config file before I could use any of the
> other SASL mechanisms?

To clarify:

- the SASL anonymous plugin doesn't have anything to do with the
internal anonymous/cram-md5 auth; it's just a simple implementation of
the SASL plugin API; in fact, the old code (located in
libsvn_ra_svn/simple_auth.c) isn't even compiled when SASL is
detected; both simple_auth.c and sasl_auth.c implement the function
svn_ra_svn__do_auth, but in different ways.

- the configuration file is only necessary on the server side; its
format is described here:
http://www.sendmail.org/~ca/email/cyrus2/options.html

You might also want to read these first:
http://www.sendmail.org/~ca/email/cyrus2/components.html
http://www.sendmail.org/~ca/email/cyrus2/sysadmin.html

I described a simple setup in my original server-side patch:
http://svn.haxx.se/dev/archive-2006-08/0613.shtml

-- 
Vlad
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Oct 11 20:08:04 2006

This is an archived mail posted to the Subversion Dev mailing list.