[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svnserve and ldap status ?

From: Remi <rverchere_at_gmail.com>
Date: Tue, 23 Mar 2010 14:44:55 +0100

2010/3/23 Johan Corveleyn <jcorvel_at_gmail.com>

> On Tue, Mar 23, 2010 at 1:09 PM, Stefan Sperling <stsp_at_elego.de> wrote:
> > On Tue, Mar 23, 2010 at 01:00:09PM +0100, Remi wrote:
> >> Hi everyone,
> >>
> >> I'm trying to set up svnserve to work with ldap using sasl. But actually
> it
> >> can't get it work.
> >>
> >> Since svn 1.6.5, svnserve should work with sasl. From
> >> http://svn.apache.org/repos/asf/subversion/tags/1.6.5/CHANGES, I read :
> >> * allow PLAIN and LOGIN mechanisms with SASL in svnserve (r38205)
> >>
> >> I've read many things about ldap/sasl/svnserve on the network, but I
> cannot
> >> find a correct configuration.
> >>
> >> 1) saslauth (using config file /etc/saslauthd.conf).
> >> My saslauth config is correct, as I can use testsaslauthd successfully
> >>
> >> 2) svnserve
> >> Here is my config files for svn serve to work with sasl :
> >>
> >> 2.a) svnserve.conf
> >> anon-access = none
> >> auth-access = write
> >> [sasl]
> >> use-sasl = true
> >>
> >> 2.b) /usr/lib/sasl2/svn.conf
> >> sasl_pwcheck_method: auxprop
> >> auxprop_plugin: sasldb
> >> mech_list: LOGIN
> >>
> >> When I try to checkout files, I get this error :
> >> svn: Authentication error from server: SASL(-13): user not found:
> checkpass
> >> failed
> >>
> >> When I change mech_list to PLAIN, I get this error :
> >> svn: Authentication error from server: SASL(-13): user not found:
> Password
> >> verification failed
> >>
> >>
> >> Does anyone set up this kind of configuration successfully ? Please say
> yes
> >> and provide config ;)
> >
> > Thanks for trying.
> >
> > The developer who did the SASL stuff isn't active anymore.
> > I have not seen a single person who got it to work yet, and I haven't
> > tried setting it up myself. I made the PLAIN/LOGIN change you quoted
> > above, knowing that this is required for interaction with saslauthd.
> > I was hoping that this change would allow someone out there to
> > get a working configuration figured out and share it.
> > Maybe that someone is you? :)
>
> [ Yes, I remember that you made that change (following some
> mailinglist discussion I was involved in). I also remember that I
> promised to "contribute the necessary documentation changes", but I
> never got around to that. Sorry. Main problem was that we had moved on
> to Apache, and I'd have to start again from scratch (and that I didn't
> want to harass my sysadmin again for a while, because he'd been so
> helpful during the entire svn installation). And I didn't want to take
> the risk to write something down without actually testing it :). ]
>
> Anyway, I think your /usr/lib/sasl2/svn.conf file is incorrect. It
> should definitely not refer to sasldb (that's the db version of sasl
> authentication), and probably also not use an "auxprop". That's the
> example config from the svn book, no? I think that's for when you're
> working with "shared secrets", i.e. you have a database on the server
> side (sasldb) which contains the user passwords. That's almost the
> same as using the standard passwd database from svnserve (with
> htpasswd obfuscated passwords).
>
> If memory serves me correctly, for LDAP with saslauthd it should be
> something like this:
> sasl_pwcheck_method: saslauthd
> mech_list: PLAIN
>
> (Or maybe LOGIN instead of PLAIN, i'm not sure. I think you can also
> just omit the mech_list, or list multiple "mechanisms", to have client
> and server "negotiate" which mechanism they are going to use.)
>
> That's more or less what you can deduce from reading the file
> sysadmin.html from the cyrus-sasl documentation directory (should be
> somewhere on your system where you've installed SASL).
>
> You do realize that the user passwords will be sent in plain text over
> the wire, don't you (unless you've put in place some other layer of
> encryption, like a VPN or somesuch)?
>
> Like Stefan said: I hope you can get it to work, and share it once
> you've figured it out :).
>
> --
> Johan
>

Thanks for your help, so I conclude I'm the good person to test these
changes ;)

Concerning the svn.conf file, I changed the check method to saslauthd,
removed auxprop. My config file is pasted from the sasl svn notes.
But same result here (Password verification failed).

I'm new to sasl mechanism, so I try many configs. Does anyone know where I
can see some debug messages (I do not see logs in /var/log/messages).

I'm available for any suggestions/tests.

I've also found a patch to use svnserve directly with ldap (
http://svn.haxx.se/dev/archive-2008-01/0719.shtml). Why this one as not been
included in svnserve ?

Remi
Received on 2010-03-23 14:45:27 CET

This is an archived mail posted to the Subversion Users mailing list.