
Re: subversion + openldap

From: John Peacock <jpeacock_at_rowman.com>
Date: 2007-08-17 18:27:19 CEST

Dan Bahena wrote:
>> When I try to do a checkout, I get this message:
>> [dan_at_danb tmp]$ svn co https://camhub.hostname.com/repos
>> Error validating server certificate for
>> 'https://camhub.hostname.com:443':
>> - The certificate is not issued by a trusted authority. Use the
>> fingerprint to validate the certificate manually!
>> - The certificate hostname does not match.
>> Certificate information:
>> - Hostname: localhost.localdomain
>> - Valid: from Jun 5 13:54:58 2007 GMT until Jun 4 13:54:58 2008 GMT
>> - Issuer: SomeOrganizationalUnit, SomeOrganization, SomeCity,
>> SomeState, --
>> - Fingerprint:
>> 87:eb:e1:c4:e3:c4:66:4c:e8:6a:24:3a:bb:24:4a:73:6d:76:5e:2e
>> (R)eject, accept (t)emporarily or accept (p)ermanently? p

Just to make this absolutely clear, the above error messages have
*absolutely* nothing to do with LDAP. If you want to use a self-signed
certificate, you should make sure to follow exactly the same rules as for
an external CA-signed certificate:

1) the hostname for that server must be set up correctly in DNS;
2) the certificate CN (Common Name) must match the hostname from #1.

Accepting the cert permanently will only really deal with the "not
issued by a trusted authority" piece; you will probably still get errors
for the "certificate hostname does not match" problem. It is easy
enough to set things up correctly. I use an internal CA to sign
certificates for internal sites and distribute the public-CA file to all
of our internal users.

>> Authentication realm: <https://camhub.hostname.com:443> Subversion repos
>> Password for 'dan':
>> Authentication realm: <https://camhub.hostname.com:443> Subversion repos
>> Username: dan
>> Password for 'dan':
>> Authentication realm: <https://camhub.hostname.com:443> Subversion repos

To resolve /this/ problem, what you should do is to get an LDAP client of
some sort and attempt to authenticate outside of Subversion. Only when
you confirm that you have LDAP configured correctly to allow remote
logins should you then try to use LDAP with Subversion. I suspect that
you are searching on the wrong attribute (I think the default is CN, but
you may need to use UID instead). FWIW, we are authenticating against a
Novell eDirectory instance using LDAP just fine.

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD  20706
301-459-3366 x.5010
fax 301-429-5748
Received on Fri Aug 17 18:25:17 2007

This is an archived mail posted to the Subversion Users mailing list.
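
An added example, not part of the original message: the two rules in the reply (hostname set up correctly, certificate CN equal to that hostname) checked with `openssl` before the certificate is installed, plus the SHA-1 fingerprint in the form the svn prompt shows for manual comparison. It assumes `openssl` is on the PATH; the certificates are throwaway ones constructed in a temp directory, using the two names from the quoted output.

```shell
#!/bin/sh
# Added example: constructed, throwaway certificates written to a temp dir only.

# make_selfsigned CN OUTDIR: create a self-signed cert whose subject CN is CN.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

# cert_matches_host CERT HOST: exit 0 only if CERT is valid for HOST.
# openssl checks subjectAltName DNS entries first and falls back to the CN
# when the certificate has none, which is the case for the certs made here.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_fingerprint CERT: SHA-1 fingerprint, lower-case and colon-separated,
# for comparison against the value in the svn certificate prompt.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr 'A-F' 'a-f'
}

workdir=$(mktemp -d)
target=camhub.hostname.com   # the name the client connects to (from the quoted output)

# One cert with the default CN from the quoted output, one with the correct CN.
for cn in localhost.localdomain "$target"; do
    make_selfsigned "$cn" "$workdir"
    if cert_matches_host "$workdir/$cn.crt" "$target"; then
        echo "CN=$cn: hostname matches $target"
    else
        echo "CN=$cn: hostname does NOT match $target"
    fi
    echo "  fingerprint: $(cert_fingerprint "$workdir/$cn.crt")"
done
```

Neither certificate here is signed by a CA the client trusts, so the "not issued by a trusted authority" check is separate from the hostname check this script exercises.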