
RE: How to authenticate Subversion with SASL2 + LDAP

From: Johan Corveleyn <johan.corveleyn_at_uz.kuleuven.ac.be>
Date: Mon, 25 Jan 2010 09:50:30 +0100

[sending to users_at_subversion.apache.org, iso users_at_subversion.tigris.org (which is closed)]

Hi Mark,

I'm sorry, I have no experience getting SASL to work with pam. But I remember having read some things about pam in the Cyrus SASL documentation pages (included with the distribution I think). So I suppose it should work.

Maybe someone else on the (correct) subversion users list can help you?

You could also have a look at the cyrus-sasl mailing list and/or archive: http://cyrusimap.web.cmu.edu/lists.html

Regards,
Johan

> -----Original message-----
> From: grimm26_at_gmail.com [mailto:grimm26_at_gmail.com] On behalf of Mark Keisler
> Sent: Sunday 24 January 2010 20:05
> To: Johan Corveleyn
> CC: info_at_pablorizzo.com; users_at_subversion.tigris.org
> Subject: Re: How to authenticate Subversion with SASL2 + LDAP
>
> On Mon, Jun 15, 2009 at 9:36 AM, Johan Corveleyn
> <johan.corveleyn_at_uz.kuleuven.ac.be> wrote:
> > -----Original message-----
> > From: rizzopablo_at_gmail.com [mailto:rizzopablo_at_gmail.com] On behalf of Pablo Manuel Rizzo
> > Sent: Thursday 11 June 2009 16:15
> > To: users_at_subversion.tigris.org
> > Subject: Re: How to authenticate Subversion with SASL2 + LDAP
> >
> > On Thu, Jun 11, 2009 at 11:03, Stefan Sperling <stsp_at_elego.de> wrote:
> >
> >
> >       On Thu, Jun 11, 2009 at 10:43:13AM -0300, Pablo Manuel Rizzo wrote:
> >       >    Hey Andrey, first you say it's not possible, now you say it's all there.
> >       >    Is something wrong with you?
> >
> >       I'd say he just didn't know that SASL auth was added to svnserve.
> >       It's a new feature.
> >
> >       >    Does anybody know how to use sasl to authenticate subversion with ldap?
> >
> >       The book suggests that you read the SASL documentation to
> >       find out how to configure a given authentication scheme.
> >       Have you read this part of the svnbook?
> >
> >       I quote http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sasl
> >
> >        Because SASL provides so many different kinds of authentication mechanisms, it
> >        would be foolish (and far beyond the scope of this book) to try to describe
> >        every possible server-side configuration. Instead, we recommend that you read
> >        the documentation supplied in the doc/ subdirectory of the SASL source code. It
> >        goes into great detail about every mechanism and how to configure the server
> >        appropriately for each.
> >
> >       Have you tried that?
> >
> >
> >
> > Yes, sasl documentation is quite poor, there are no quick tips or
> > how-tos. I see many people in this list and many others and forums are
> > looking for a quick how-to too. If someone in this list was able to
> > make it work and is willing to share how, it would be very nice and
> > useful to publish this information somewhere.
> >
> SASL documentation is indeed very poor, and certainly when you're trying to
> focus on use of LDAP with svnserve. You have to learn all about the different
> password exchange mechanisms (plain, md5-digest, cram-digest, ...) figuring
> out all about saslauthd and other stuff, while all you want to know is: where
> do I configure the LDAP server, bind dn and bind password and stuff like that
> (like with Apache + LDAP).
>
> Short answer: it's not possible, unless you apply a specific patch and build
> svn server from source. See e.g.
> http://svn.haxx.se/dev/archive-2008-01/0719.shtml. I haven't tried it myself
> though (can't compile from source).
>
> The reason why it's not possible, despite what the documentation of SVN says?
> Read the "Known Issues" in
> http://svn.collab.net/repos/svn/trunk/notes/sasl.txt:
> -----
> ...
> As a consequence, you won't be able to use the saslauthd daemon to
> authenticate users, because that method only works with plain text passwords.
> -----
> And it just so happens that LDAP authentication only works with saslauthd
> (and plain text passwords).
>
> This was one of my major frustrations when trying to get SVN up and running
> for the first time. We wanted to go for svnserve to get the last drop of
> performance out of it (and seemingly simple to set up). I lost days and days
> looking for a solution, why it wouldn't work despite following carefully the
> SASL instructions, ... until I found that "known issue" in the sasl.txt file.
> In the end we switched to Apache just for this (I have not regretted it, but
> just the time I lost with that ... I would have liked to have known this
> beforehand).
>
> The SVN devs could do current and future SVN users, administrators, ... a big
> service by clearly documenting this! Please put this in big bold letters in
> the book: svnserve + SASL + LDAP is not supported. Don't let people work on
> this assumption until they find the small print in that sasl.txt file. Please
> don't act in the book like all the SASL mechanisms are supported, because
> they clearly are not.
>
> And if it ever would be supported: please provide a simple example in the
> book for getting this up and running.
>
> Kind regards,
> Johan
>

Sorry to revive an old thread, but can you use SASL auth with pam backend and
use pam_ldap? Personally, I already use pam_ldap for auth on my server
(which also helps support svn+ssh for those that don't use keys).
Received on 2010-01-25 10:23:57 CET

This is an archived mail posted to the Subversion Users mailing list.
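
The mismatch discussed in the thread (saslauthd can only check a clear-text password, so it cannot serve digest-style mechanisms) can be caught by linting the Cyrus SASL application config before deployment. The following is an added example, not code from the thread or from the Subversion or Cyrus SASL projects; the function names and the sample configs are constructed for illustration.

```python
# Added example (not from the thread): lint a Cyrus SASL application config,
# such as the svn.conf that svnserve loads, for the saslauthd mismatch.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # client hands the server the clear-text password

def parse_sasl_conf(text):
    """Parse 'option: value' lines; blank lines and '#' comments are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts

def check_saslauthd_compat(text):
    """Return one finding per configured mechanism that saslauthd cannot verify."""
    opts = parse_sasl_conf(text)
    # Cyrus SASL defaults to auxprop when pwcheck_method is not set.
    methods = opts.get("pwcheck_method", "auxprop").lower().split()
    mechs = [m.upper() for m in opts.get("mech_list", "").split()]
    # With auxprop also listed, shared-secret mechanisms can use the local store.
    if "saslauthd" not in methods or "auxprop" in methods:
        return []
    if not mechs:
        return ["mech_list unset: every installed mechanism is offered, "
                "but saslauthd can only verify PLAIN and LOGIN"]
    return [f"{mech}: needs a stored shared secret; saslauthd only verifies "
            "a clear-text password"
            for mech in mechs if mech not in PLAINTEXT_MECHS]

# Constructed sample configs.
CONF_DIGEST_VIA_SASLAUTHD = """\
# hoping to reach LDAP through saslauthd
pwcheck_method: saslauthd
mech_list: DIGEST-MD5 CRAM-MD5
"""
CONF_PLAIN_VIA_SASLAUTHD = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"
CONF_DIGEST_VIA_SASLDB = ("pwcheck_method: auxprop\nauxprop_plugin: sasldb\n"
                          "mech_list: DIGEST-MD5\n")

if __name__ == "__main__":
    for name, conf in [("digest+saslauthd", CONF_DIGEST_VIA_SASLAUTHD),
                       ("plain+saslauthd", CONF_PLAIN_VIA_SASLAUTHD),
                       ("digest+sasldb", CONF_DIGEST_VIA_SASLDB)]:
        print(name, check_saslauthd_compat(conf) or "ok")
```

An empty result only means the SASL config is self-consistent; whether a given svnserve build offers PLAIN or LOGIN to clients is the separate limitation the thread describes.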