[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: [PATCH] sasl service name for svnserve

From: Катаргин Алексей <gureedo_at_chelcom.ru>
Date: Tue, 13 Apr 2010 10:33:47 +0600

-----Original Message-----
From: 'Stefan Sperling' [mailto:stsp_at_elego.de]
Sent: Monday, April 12, 2010 10:05 PM
To: Катаргин Алексей
Cc: dev_at_subversion.apache.org; noc_at_chelcom.ru
Subject: Re: [PATCH] sasl service name for svnserve

> On Mon, Apr 12, 2010 at 10:33:03AM +0600, Катаргин Алексей wrote:
> > -----Original Message-----
> > From: Stefan Sperling
> > >The patch looks technically correct, but I don't understand why it is
> > >needed. Can you explain why it is needed?
> > >
> > >It sounds to me as if you'd like to forward authentication requests
> > >from SASL to PAM. Why can't you achieve this by configuring SASL
> > >appropriately, without changing svn?
> > >
> > > (Note: I don't know much about SASL).
> > >
> > >Thanks,
> > >Stefan
> >
> > It's used to set access rights per each repository via chain sasl->pam
> Can you provide more details? What problem are you trying to solve?
> I know virtually *nothing* about SASL and PAM. In fact, no active developers
> of svn know about SASL (the person who added SASL support isn't active
> anymore). That's why your patch hasn't been looked at so far. I'm tyring
> to review it, but I lack the necessary knowledge to do so. You'll have
> to teach me to understand the purpose of your patch.
> So, based on me knowing nothing at all, please explain:
> - your SASL and PAM setup
> - what problem existed in your SASL/PAM setup that prompted you
> to write the patch
> - why you think the patch is the right way to fix this problem
> - can you think of any alternative approaches of fixing this problem?
> It needs more than one sentence to explain all this, sorry.
> But we'll need your help to understand your contribution.
> Otherwise it will likely end up not being committed until someone
> who knows SASL can explain to us why your patch is a good idea,
> or until I found enough time to learn enough about SASL and PAM
> so I can make my own judgement.
> Thanks,
> Stefan

Let me explain.
The real chain of authentication is slightly longer.
"svnserve -> sasl -> pam -> pam_radius -> radius"
I will not say anything about of the radius config
in this message.

The goal was to ensure that authentication in radius
assisted with the service name is assigned to the
Service name used in radius to AUTHORIZE user, not only
authenticate by login and password!
The easiest way was to send auth through sasl,
and then to pam, and then in radius and with all
this is to pass the service name.

If it is not enough, ask me something specific.

-- machine translation by google translate
Received on 2010-04-13 06:34:13 CEST

This is an archived mail posted to the Subversion Dev mailing list.