[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: New (1.5) feature questions -- things we need to address before a release can happen

From: Vlad Georgescu <vgeorgescu_at_gmail.com>
Date: 2007-05-25 17:50:00 CEST

Mark Phippard wrote:
> On 5/25/07, Vlad Georgescu <vgeorgescu@gmail.com> wrote:
>> Mark Phippard wrote:
>>> [...]
>>> SASL
>>> Where is the notes file that explains the feature? What can you do
>>> with it? Does it, or does it not support TLS or SSL? Does it work on
>>> Windows? What is involved in bulding support for it into the client
>>> and server? What happens if client and server do not both have the
>>> support compiled in? How does one set it up etc. Given that we are
>>> reasonably close to a 1.5 release this information should all be
>>> readily available.
>> I added a file (notes/sasl.txt) in r25148 that I think addresses these
>> issues. Reviews are welcome.
> Thanks, it is a good document. I do have some questions/comments.
> 1) What controls which auth mechanisms the client supports? It must
> be something about how SASL that the client is using was compiled?

The client supports the CRAM-MD5 and ANONYMOUS mechanisms (these are
built into Subversion, so you don't need the corresponding SASL
plugins), plus any other mechanisms that SASL was built/installed with.

> 2) It seems like we really need to provide a pre-built library for
> Windows. There has been talk about doing this for all our
> dependencies which would be a good idea.

Yes, we certainly need a pre-built SASL library for Windows, with as
many plugins as possible. We should also add the SASL library and
plugins to the installer in order to be able to set SASL's registry keys
at installation time.

On Windows you should be able to do some cool things, like use the
GSSAPI mechanism to do single sign-on authentication against Active
Directory. This will only happen if we provide pre-built binaries.

> 3) As I think I understand it, the auth mechanism is not bound to the
> back-end store being used? So for example, you could use LDAP as the
> user store, and still support the CRAM-MD5 auth mechanism which would
> allow older clients to connect using their LDAP credentials? Server
> could also offer additional auth mechanisms for the newer clients?

I think SASL will simply "forward" authentication to the LDAP server, so
you should be able to use CRAM-MD5 with LDAP (LDAP also uses SASL), even
with older clients. Newer clients will be able to use the more advanced

> 4) Encryption. Is there any other configuration involved, such as
> certificates? What exactly is encrypted? The svnserve traffic? Just
> the auth traffic? Just the post-auth traffic?

Just the post-auth traffic. No certificates are required, the
encryption key is derived from the password.

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri May 25 17:50:19 2007

This is an archived mail posted to the Subversion Dev mailing list.