
Re: svnserve and sasl cross-realm (was: svnserve and ldap status ?)

From: Stefan Sperling <stsp_at_elego.de>
Date: Tue, 4 May 2010 16:22:39 +0200

On Tue, Mar 23, 2010 at 10:16:25PM +0100, Stefan Sperling wrote:
> On Tue, Mar 23, 2010 at 03:58:50PM -0500, Alec Kloss wrote:
> > Now please see attached.
>
> Thanks. I'll try to look at this soon.
>
> I've also downloaded a couple of related RFCs (e.g. RFC4422) for reference,
> as well as cyrus-sasl source code -- the binaries are already installed cause
> sendmail uses them, but I've never used SASL for anything other than smtp
> auth with sendmail, and that is pretty simple to set up.

I've given this a look today.

The SASL documentation mentions that cross-realm support depends on
the application, so your approach at solving the problem in Subversion
is correct.

What worries me is that your patch to the SASL gssapi module is needed
to make use of cross-realm authentication with Kerberos.
It seems the SASL developers have not responded to your patch (at least
they did not respond publicly):
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=9372
Do you have an idea about whether the patch will be applied to SASL?

Is there any useful purpose for cross-realm authentication without
using Kerberos? If so, can you suggest a way for me to test this
without patching SASL? If not, I'd rather wait for your gssapi patch
to be included in SASL before adding support for this to Subversion.
We can't require all users to patch SASL...

(The gssapi patch in the script you attached is reversed, BTW.)

Thanks,
Stefan
Received on 2010-05-04 16:28:16 CEST

This is an archived mail posted to the Subversion Dev mailing list.