
Re: svnserve SASL documentation?

From: Malcolm Rowe <malcolm-svn-dev_at_farside.org.uk>
Date: 2007-04-10 23:29:07 CEST

On Tue, Apr 10, 2007 at 02:15:03PM -0700, Eric Gillespie wrote:
> > For example, could we get a list of the client mechs and return those to
> > the user when we get the 'no mechs' message? How about the server mechs?
>
> What would the user do with that information?
>

Work out whether they've configured SASL correctly? We're relying on a
shared resource - the SASL configuration - and asking the SASL libraries
to 'do authn' for us (that being, after all, the whole point of SASL).
Someone setting up a SASL-enabled server _needs_ to understand how to
configure SASL in the first place, and I'm just suggesting that we could
go some way to help them understand what's happening.

For example, if you got something like the following:

  svn: auth error: no worthy mechs [or whatever it says now, followed by:]
  Client authentication mechanisms: { ANONYMOUS, CRAM-MD5 }
  Server authentication mechanisms: { KERB-MIT }

Or, another example: this is what you'd get with a current Slackware
installation when there's no authn on the repository: [1]

  svn: auth error: no worthy mechs
  Client authentication mechanisms: { CRAM-MD5 }
  Server authentication mechanisms: { ANONYMOUS }

At least you have _some_ idea why the authentication couldn't start.

(Hmm, if we had an svnserve log, we could also log some useful stuff there.)

[1] Slackware doesn't ship the ANONYMOUS SASL plugin, so we can't do
SASL-enabled ANONYMOUS authn. Vlad actually fixed this recently so that
the client and server (I think) can fall back to the inbuilt 'native'
auth if the SASL exchange couldn't continue, so this example's now bogus,
but you get the idea.

Regards,
Malcolm

Received on Tue Apr 10 23:30:24 2007
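A sketch of the diagnostic proposed in the message above, as an added example that is not Subversion's code and not part of the original mail. It assumes each side's mechanism list is available as a space-separated string; the function names (`mech_diagnostic`, `append_list`, `next_tok`) are hypothetical, and the output format is the one shown in the message.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Advance *p to the next space-separated token; returns 0 when none is left. */
static int next_tok(const char **p, size_t *len)
{
    *p += strspn(*p, " ");
    *len = strcspn(*p, " ");
    return *len != 0;
}

/* Bounded printf-style append to the NUL-terminated string held in buf. */
static void append(char *buf, size_t size, const char *fmt, ...)
{
    size_t used = strlen(buf);
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf + used, size - used, fmt, ap); /* truncates, never overruns */
    va_end(ap);
}

/* Append "<who> authentication mechanisms: { A, B }\n" ("{ }" if empty). */
static void append_list(char *buf, size_t size, const char *who, const char *list)
{
    const char *sep = " ";
    size_t n;
    append(buf, size, "%s authentication mechanisms: {", who);
    for (const char *p = list; next_tok(&p, &n); p += n, sep = ", ")
        append(buf, size, "%s%.*s", sep, (int)n, p);
    append(buf, size, " }\n");
}

/* Count shared mechanisms (whole-name match); if none, fill buf (size > 0). */
int mech_diagnostic(const char *client, const char *server, char *buf, size_t size)
{
    size_t cn, sn;
    int common = 0;
    buf[0] = '\0';
    for (const char *c = client; next_tok(&c, &cn); c += cn)
        for (const char *s = server; next_tok(&s, &sn); s += sn)
            if (cn == sn && memcmp(c, s, cn) == 0) { common++; break; }
    if (common == 0) {
        append(buf, size, "svn: auth error: no worthy mechs\n");
        append_list(buf, size, "Client", client);
        append_list(buf, size, "Server", server);
    }
    return common;
}
```

Names are compared as whole tokens, so a client offering only `CRAM` is not treated as matching a server's `CRAM-MD5`.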

This is an archived mail posted to the Subversion Dev mailing list.
