
Re: svnserve SASL documentation?

From: Eric Gillespie <epg_at_pretzelnet.org>
Date: 2007-04-10 23:42:49 CEST

Malcolm Rowe <malcolm-svn-dev@farside.org.uk> writes:

> On Tue, Apr 10, 2007 at 02:15:03PM -0700, Eric Gillespie wrote:
> > > For example, could we get a list of the client mechs and return those to
> > > the user when we get the 'no mechs' message? How about the server mechs?
> >
> > What would the user do with that information?
> >
>
> Work out whether they've configured SASL correctly? We're relying on a

Oh, i see you meant "admin trying to configure SASL" whereas i
was thinking "poor clueless svn user". Right, i agree that
having this kind of error reporting would be useful.

> shared resource - the SASL configuration - and asking the SASL libraries
> to 'do authn' for us (that being, after all, the whole point of SASL).
> Someone setting up a SASL-enabled server _needs_ to understand how to
> configure SASL in the first place, and I'm just suggesting that we could
> go some way to help them understand what's happening.
>
> For example, if you got something like the following:
>
> svn: auth error: no worthy mechs [or whatever it says now, followed by:]
> Client authentication mechanisms: { ANONYMOUS, CRAM-MD5 }
> Server authentication mechanisms: { KERB-MIT }
>
> Or, another example: this is what you'd get with a current Slackware
> installation when there's no authn on the repository: [1]
>
> svn: auth error: no worthy mechs
> Client authentication mechanisms: { CRAM-MD5 }
> Server authentication mechanisms: { ANONYMOUS }
>
> At least you have _some_ idea why the authentication couldn't start.
>
>
> (Hmm, if we had an svnserve log, we could also log some useful stuff there.)
>
> [1] Slackware doesn't ship the ANONYMOUS SASL plugin, so we can't do
> SASL-enabled ANONYMOUS authn. Vlad actually fixed this recently so that
> the client and server (I think) can fall back to the inbuilt 'native'
> auth if the SASL exchange couldn't continue, so this example's now bogus,
> but you get the idea.
>
> Regards,
> Malcolm

--
Eric Gillespie <*> epg@pretzelnet.org

Received on Tue Apr 10 23:44:10 2007
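
The diagnostic proposed in the quoted message, sketched in C as an added example; it is not Subversion's code and not from either poster. The function names are hypothetical, both mechanism lists are assumed to arrive as space-separated strings, and the "Offered by both" line goes one step beyond the proposal by printing the intersection.

```c
#include <stdio.h>
#include <string.h>

/* Append up to n bytes of s (stopping at a NUL) to buf, never past cap. */
static void emit(char *buf, size_t cap, const char *s, size_t n)
{
    size_t used = strlen(buf);
    if (used < cap)
        snprintf(buf + used, cap - used, "%.*s", (int)n, s);
}

/* Return 1 if the name mech[0..len) is in the space-separated list. */
static int has_mech(const char *list, const char *mech, size_t len)
{
    for (const char *p = list + strspn(list, " "); *p; p += strspn(p, " ")) {
        size_t n = strcspn(p, " ");
        if (n == len && memcmp(p, mech, len) == 0) return 1;
        p += n;
    }
    return 0;
}

/* Append "label: { A, B }\n"; a non-NULL filter keeps only names also in it. */
static int emit_list(char *buf, size_t cap, const char *label,
                     const char *list, const char *filter)
{
    int count = 0;  /* names that qualified, returned to the caller */
    emit(buf, cap, label, strlen(label));
    emit(buf, cap, ": {", 3);
    for (const char *p = list + strspn(list, " "); *p; p += strspn(p, " ")) {
        size_t n = strcspn(p, " ");
        if (filter == NULL || has_mech(filter, p, n)) {
            emit(buf, cap, count++ ? ", " : " ", 2);
            emit(buf, cap, p, n);
        }
        p += n;
    }
    emit(buf, cap, " }\n", 3);
    return count;
}

/* Build the report in buf; returns how many mechanisms both sides offer. */
int explain_no_mechs(const char *client, const char *server, char *buf, size_t cap)
{
    if (cap == 0) return -1;
    snprintf(buf, cap, "svn: auth error: no worthy mechs\n");
    emit_list(buf, cap, "Client authentication mechanisms", client, NULL);
    emit_list(buf, cap, "Server authentication mechanisms", server, NULL);
    return emit_list(buf, cap, "Offered by both", client, server);
}
```

A return value of 0 means the two sides share no mechanism at all, which is the misconfiguration the two sample outputs in the quoted message illustrate.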

This is an archived mail posted to the Subversion Dev mailing list.
