
Re: How to authenticate Subversion with SASL2 + LDAP

From: Mark Keisler <mark_at_mitsein.net>
Date: Mon, 25 Jan 2010 07:11:20 -0600

I'm also using apache to authen svn against LDAP, but using apache (DAV) to
access SVN is damn slow. I recommend my users to use svn+ssh but it would
be much simpler (especially for windows users) to be able to use plain
svn:// (which I currently do not support).

On Mon, Jan 25, 2010 at 6:02 AM, Pablo Manuel Rizzo <info_at_pablorizzo.com> wrote:

> I'm using apache to authenticate svn against ldap.
>
>
>
>
> On Mon, Jan 25, 2010 at 05:50, Johan Corveleyn <
> johan.corveleyn_at_uz.kuleuven.ac.be> wrote:
>
>> [sending to users_at_subversion.apache.org, iso users_at_subversion.tigris.org (which is closed)]
>>
>> Hi Mark,
>>
>> I'm sorry, I have no experience getting SASL to work with pam. But I
>> remember having read some things about pam in the Cyrus SASL documentation
>> pages (included with the distribution I think). So I suppose it should work.
>>
>> Maybe someone else on the (correct) subversion users list can help you?
>>
>> You could also have a look at the cyrus-sasl mailing list and/or archive:
>> http://cyrusimap.web.cmu.edu/lists.html
>>
>> Regards,
>> Johan
>>
>> > -----Original message-----
>> > From: grimm26_at_gmail.com [mailto:grimm26_at_gmail.com] On behalf of Mark Keisler
>> > Sent: Sunday, 24 January 2010 20:05
>> > To: Johan Corveleyn
>> > CC: info_at_pablorizzo.com; users_at_subversion.tigris.org
>> > Subject: Re: How to authenticate Subversion with SASL2 + LDAP
>> >
>> > On Mon, Jun 15, 2009 at 9:36 AM, Johan Corveleyn
>> > <johan.corveleyn_at_uz.kuleuven.ac.be> wrote:
>> > > -----Original message-----
>> > > From: rizzopablo_at_gmail.com [mailto:rizzopablo_at_gmail.com] On behalf of Pablo
>> > > Manuel Rizzo
>> > > Sent: Thursday, 11 June 2009 16:15
>> > > To: users_at_subversion.tigris.org
>> > > Subject: Re: How to authenticate Subversion with SASL2 + LDAP
>> > >
>> > > On Thu, Jun 11, 2009 at 11:03, Stefan Sperling <stsp_at_elego.de> wrote:
>> > >
>> > >
>> > > On Thu, Jun 11, 2009 at 10:43:13AM -0300, Pablo Manuel Rizzo
>> > > wrote:
>> > > > Hey Andrey, first you say it's not possible, now you say
>> > > it's all there.
>> > > > Is something wrong with you?
>> > >
>> > >
>> > > I'd say he just didn't know that SASL auth was added to svnserve.
>> > > It's a new feature.
>> > >
>> > >
>> > > > Does anybody know how to use sasl to authenticate subversion
>> > > > with ldap?
>> > >
>> > >
>> > > The book suggests that you read the SASL documentation to
>> > > find out how to configure a given authentication scheme.
>> > > Have you read this part of the svnbook?
>> > >
>> > > I quote
>> > > http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sasl
>> > >
>> > > Because SASL provides so many different kinds of authentication
>> > > mechanisms, it would be foolish (and far beyond the scope of this
>> > > book) to try to describe every possible server-side configuration.
>> > > Instead, we recommend that you read the documentation supplied in
>> > > the doc/ subdirectory of the SASL source code. It goes into great
>> > > detail about every mechanism and how to configure the server
>> > > appropriately for each.
>> > >
>> > > Have you tried that?
>> > >
>> > >
>> > >
>> > > Yes, sasl documentation is quite poor, there are no quick tips or how
>> > > tos. I see many people in this list and many others and forums are
>> > > looking for a quick how-to too. If someone in this list was able to
>> > > make it work and is willing to share how, it would be very nice and
>> > > useful to publish this information somewhere.
>> > >
>> > SASL documentation is indeed very poor, and certainly when you're trying
>> > to focus on use of LDAP with svnserve. You have to learn all about the
>> > different password exchange mechanisms (plain, md5-digest, cram-digest,
>> > ...) figuring out all about saslauthd and other stuff, while all you want
>> > to know is: where do I configure the LDAP server, bind dn and bind
>> > password and stuff like that (like with Apache + LDAP).
>> >
>> > Short answer: it's not possible, unless you apply a specific patch and
>> > build svn server from source. See e.g.
>> > http://svn.haxx.se/dev/archive-2008-01/0719.shtml. I haven't tried it
>> > myself though (can't compile from source).
>> >
>> > The reason why it's not possible, despite what the documentation of SVN
>> > says? Read the "Known Issues" in
>> > http://svn.collab.net/repos/svn/trunk/notes/sasl.txt:
>> > -----
>> > ...
>> > As a consequence, you won't be able to use the saslauthd daemon to
>> > authenticate users, because that method only works with plain text
>> > passwords.
>> > -----
>> > And it just so happens that LDAP authentication only works with
>> > saslauthd (and plain text passwords).
>> >
>> > This was one of my major frustrations when trying to get SVN up and
>> > running for the first time. We wanted to go for svnserve to get the last
>> > drop of performance out of it (and seemingly simple to set up). I lost
>> > days and days looking for a solution, why it wouldn't work despite
>> > following carefully the SASL instructions, ... until I found that "known
>> > issue" in the sasl.txt file. In the end we switched to Apache just for
>> > this (I have not regretted it, but just the time I lost with that ... I
>> > would have liked to have known this beforehand).
>> >
>> > The SVN devs could do current and future SVN users, administrators, ...
>> > a big service by clearly documenting this! Please put this in big bold
>> > letters in the book: svnserve + SASL + LDAP is not supported. Don't let
>> > people work on this assumption until they find the small print in that
>> > sasl.txt file. Please don't act in the book like all the SASL mechanisms
>> > are supported, because they clearly are not.
>> >
>> > And if it ever would be supported: please provide a simple example in
>> > the book for getting this up and running.
>> >
>> > Kind regards,
>> > Johan
>> >
>>
>> Sorry to revive an old thread, but can you use SASL auth with pam backend
>> and use pam_ldap? Personally, I already use pam_ldap for auth on my server
>> (which also helps support svn+ssh for those that don't use keys).
>>
>
>
>
> --
> Pablo Manuel Rizzo
> -------------------------------
> http://pablorizzo.com
> -------------------------------
>
>
Received on 2010-01-25 14:16:16 CET

This is an archived mail posted to the Subversion Users mailing list.