[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svnserve and ldap status ?

From: Johan Corveleyn <jcorvel_at_gmail.com>
Date: Tue, 23 Mar 2010 14:20:36 +0100

On Tue, Mar 23, 2010 at 1:09 PM, Stefan Sperling <stsp_at_elego.de> wrote:
> On Tue, Mar 23, 2010 at 01:00:09PM +0100, Remi wrote:
>> Hi everyone,
>>
>> I'm trying to set up svnserve to work with ldap using sasl. But actually it
>> can't get it work.
>>
>> Since svn 1.6.5, svnserve should work with sasl. From
>> http://svn.apache.org/repos/asf/subversion/tags/1.6.5/CHANGES, I read :
>>  * allow PLAIN and LOGIN mechanisms with SASL in svnserve (r38205)
>>
>> I've read many things about ldap/sasl/svnserve on the network, but I cannot
>> find a correct configuration.
>>
>> 1) saslauth (using config file /etc/saslauthd.conf).
>> My saslauth config is correct, as I can use testsaslauthd successfully
>>
>> 2) svnserve
>> Here is my config files for svn serve to work with sasl :
>>
>> 2.a) svnserve.conf
>> anon-access = none
>> auth-access = write
>> [sasl]
>> use-sasl = true
>>
>> 2.b) /usr/lib/sasl2/svn.conf
>> sasl_pwcheck_method: auxprop
>> auxprop_plugin: sasldb
>> mech_list: LOGIN
>>
>> When I try to checkout files, I get this error :
>> svn: Authentication error from server: SASL(-13): user not found: checkpass
>> failed
>>
>> When I change mech_list to PLAIN, I get this error :
>> svn: Authentication error from server: SASL(-13): user not found: Password
>> verification failed
>>
>>
>> Does anyone set up this kind of configuration successfully ? Please say yes
>> and provide config ;)
>
> Thanks for trying.
>
> The developer who did the SASL stuff isn't active anymore.
> I have not seen a single person who got it to work yet, and I haven't
> tried setting it up myself. I made the PLAIN/LOGIN change you quoted
> above, knowing that this is required for interaction with saslauthd.
> I was hoping that this change would allow someone out there to
> get a working configuration figured out and share it.
> Maybe that someone is you? :)

[ Yes, I remember that you made that change (following some
mailinglist discussion I was involved in). I also remember that I
promised to "contribute the necessary documentation changes", but I
never got around to that. Sorry. Main problem was that we had moved on
to Apache, and I'd have to start again from scratch (and that I didn't
want to harass my sysadmin again for a while, because he'd been so
helpful during the entire svn installation). And I didn't want to take
the risk to write something down without actually testing it :). ]

Anyway, I think your /usr/lib/sasl2/svn.conf file is incorrect. It
should definitely not refer to sasldb (that's the db version of sasl
authentication), and probably also not use an "auxprop". That's the
example config from the svn book, no? I think that's for when you're
working with "shared secrets", i.e. you have a database on the server
side (sasldb) which contains the user passwords. That's almost the
same as using the standard passwd database from svnserve (with
htpasswd obfuscated passwords).

If memory serves me correctly, for LDAP with saslauthd it should be
something like this:
sasl_pwcheck_method: saslauthd
mech_list: PLAIN

(Or maybe LOGIN instead of PLAIN, i'm not sure. I think you can also
just omit the mech_list, or list multiple "mechanisms", to have client
and server "negotiate" which mechanism they are going to use.)

That's more or less what you can deduce from reading the file
sysadmin.html from the cyrus-sasl documentation directory (should be
somewhere on your system where you've installed SASL).

You do realize that the user passwords will be sent in plain text over
the wire, don't you (unless you've put in place some other layer of
encryption, like a VPN or somesuch)?

Like Stefan said: I hope you can get it to work, and share it once
you've figured it out :).

--
Johan
Received on 2010-03-23 14:21:07 CET

This is an archived mail posted to the Subversion Users mailing list.