RE: How to authenticate Subversion with SASL2 + LDAP

> -----Oorspronkelijk bericht-----
> Van: rizzopablo_at_gmail.com [mailto:rizzopablo_at_gmail.com] Namens Pablo
> Manuel Rizzo
> Verzonden: donderdag 11 juni 2009 16:15
> Aan: users_at_subversion.tigris.org
> Onderwerp: Re: How to authenticate Subversion with SASL2 + LDAP
>
> On Thu, Jun 11, 2009 at 11:03, Stefan Sperling <stsp_at_elego.de> wrote:
>
>
> On Thu, Jun 11, 2009 at 10:43:13AM -0300, Pablo Manuel Rizzo
> wrote:
> > Hey Andrey, first you say it's not possible, now you say
> it's all there.
> > Is something wrong with you?
>
>
> I'd say he just didn't know that SASL auth was added to svnserve.
> It's a new feature.
>
>
> > Does anybody know how to use sasl to authenticate subversion
> with ldap?
>
>
> The book suggests that you read the SASL documentation to
> find out how to configure a given authentication scheme.
> Have you read this part of the svnbook?
>
> I quote http://svnbook.red-
> bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svn
> serve.sasl
>
> Because SASL provides so many different kinds of authentication
> mechanisms, it
> would be foolish (and far beyond the scope of this book) to try
> to describe
> every possible server-side configuration. Instead, we recommend
> that you read
> the documentation supplied in the doc/ subdirectory of the SASL
> source code. It
> goes into great detail about every mechanism and how to
> configure the server
> appropriately for each.
>
> Have you tried that?
>
>
>
> Yes, sasl documentation is quite poor, there are no quick tips or how
> tos. I see many people in this list and many others and forums is
> looking for a quick how-to too. If someone in this list was able to
> make it work and is willing to share how, it would be very nice and
> usefull to publish this information somewhere.
>

SASL documentation is indeed very poor, and certainly when you're trying to focus on use of LDAP with svnserve. You have to learn all about the different password exchange mechanisms (plain, md5-digest, cram-digest, ...) figuring out all about saslauthd and other stuff, while all you want to know is: where do I configure the LDAP server, bind dn and bind password and stuff like that (like with Apache + LDAP).

Short answer: it's not possible, unless you apply a specific patch and build svn server from source. See e.g. http://svn.haxx.se/dev/archive-2008-01/0719.shtml. I haven't tried it myself though (can't compile from source).

The reason why it's not possible, despite what the documentation of SVN says? Read the "Known Issues" in http://svn.collab.net/repos/svn/trunk/notes/sasl.txt:
-----
...
As a consequence, you won't be able to use the saslauthd daemon to
authenticate users, because that method only works with plain text passwords.
-----
And it just so happens that LDAP authentication only works with saslauthd (and plain text passwords).

This was one of my major frustrations when trying to get SVN up and running for the first time. We wanted to go for svnserve to get the last drop of performance out of it (and seemingly simple to set up). I lost days and days looking for a solution, why it wouldn't work despite following carefully the SASL instructions, ... until I found that "known issue" in the sasl.txt file. In the end we switched to Apache just for this (I have not regretted it, but just the time I lost with that ... I would have liked to have known this beforehand).

The SVN devs could do current and future SVN users, administrators, ... a big service by clearly documenting this! Please put this in big bold letters in the book: svnserve + SASL + LDAP is not supported. Don't let people work on this assumption until they find the small print in that sasl.txt file. Please don't act in the book like all the SASL mechanisms are supported, because they clearly are not.

And if it ever would be supported: please provide a simple example in the book for getting this up and running.

Kind regards,
Johan

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2362221

To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-06-15 17:37:31 CEST