[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svnserve and ldap status ?

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: 23 Mar 2010 10:39:56 -0500

On 2010-03-23 15:22, Stefan Sperling wrote:
> On Tue, Mar 23, 2010 at 02:44:55PM +0100, Remi wrote:
> > I've also found a patch to use svnserve directly with ldap (
> > http://svn.haxx.se/dev/archive-2008-01/0719.shtml). Why this one as not been
> > included in svnserve ?
>
> My guess is lack of developer competence regarding LDAP,
> which translates to lack of developer time (i.e. having enough
> time to learn enough about LDAP to understand the patch).
>
> Actually I think I've looked at that patch before but decided
> I wasn't competent enough to understand it and moved on.
>
> It's a bit unfortunate that most of our developers lack expertise in
> external authentication mechanisms Subversion is hooked up to.
> The reason is probably that our developers tend to focus on version control
> problems rather than system administration and security. There are so many
> problems to solve in version control already that patches like this get
> overlooked (or put aside for "some time later") easily.
>
> It would help to have a developer focused on authorisation mechanisms,
> the ones inside of Subversion as well as integration with external ones.
> Right now we have no such developer.
>
> Stefan
>

Stefan: I'm not trying to be snyde, but I've tried getting the SASL
cross-realm support in svnserve fixed in the past and not had
much success. It's a little demotivational.

Remi: I got this working on a test instance this morning. Do heed
warnings from others about how this is all clear-text (passwords
easily sniffiable on the wire) authentication.

1. Configure svnserve.conf. I believe you have this correct:

use-sasl = true

2. Configure svn's sasl configuration in $SASLCONFDIRDIR/svn.conf. I
believe you said yours is in /usr/lib/sasl2 or someplace like that
I should look like this:

mech_list: PLAIN
pwcheck_method: saslauthd

I believe you had sasl_pwcheck_method, which is incorrect.

3. Configure saslauthd.conf. The location of this seems to be a
little mystical (which I was stuck on for a while). I figured it
out using strace but using strings `which saslauthd` is probably
easier. Anyway, when you figure out where it is (mine's at
/etc/saslauthd.conf) it should contain:

ldap_servers: ldap://ldapserver/
ldap_search_base: dc=yourdomain,dc=com

saslauthd.conf is pretty thoroughly documented in the cyrus sasl
source tarball in the file salauthd/LDAP_SASLAUTHD. There are
lots of options in here.

4. Start saslauthd:

        root# saslauthd -a ldap -d

5. Test with testsaslauthd:
        
        you% testsaslauthd -u someuser -p somepassword

6. Start svnserve:

        you% svnserve -X -r /your/svn/repository

7. Test svn:

        you% svn info svn://youhost/

Try someuser and somepassword from above.

Hope that helps. Note also that saslauthd is a password-checking
engine, so you should take steps to avoid malicious people from
using it to try to brute-force passwords.

The security of all of this is really weak if you're not using SSL
or GSSAPI binds for LDAP and there's nothing you can do about the
cleartext passwords for svnserve protocol. If you want something
that keeps your passwords safe, you should really be using svn+ssh,
svnserve with GSSAPI authentication (which is also very
ldap-friendly if you have your kerberos database in your ldap
directory), or anything you like over https.

-- 
Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14

  • application/pgp-signature attachment: stored
Received on 2010-03-23 16:40:29 CET

This is an archived mail posted to the Subversion Users mailing list.