
Re: svnserve and ldap status ?

From: Remi <rverchere_at_gmail.com>
Date: Tue, 23 Mar 2010 17:14:01 +0100

> Remi: I got this working on a test instance this morning. Do heed
> warnings from others about how this is all clear-text (passwords
> easily sniffable on the wire) authentication.
> 1. Configure svnserve.conf. I believe you have this correct:
> use-sasl = true
> 2. Configure svn's sasl configuration in $SASLCONFDIRDIR/svn.conf. I
> believe you said yours is in /usr/lib/sasl2 or someplace like that.
> It should look like this:
> mech_list: PLAIN
> pwcheck_method: saslauthd
> I believe you had sasl_pwcheck_method, which is incorrect.
> 3. Configure saslauthd.conf. The location of this seems to be a
> little mystical (which I was stuck on for a while). I figured it
> out using strace but using strings `which saslauthd` is probably
> easier. Anyway, when you figure out where it is (mine's at
> /etc/saslauthd.conf) it should contain:
> ldap_servers: ldap://ldapserver/
> ldap_search_base: dc=yourdomain,dc=com
> saslauthd.conf is pretty thoroughly documented in the cyrus sasl
> source tarball in the file saslauthd/LDAP_SASLAUTHD. There are
> lots of options in here.
> 4. Start saslauthd:
> root# saslauthd -a ldap -d
> 5. Test with testsaslauthd:
> you% testsaslauthd -u someuser -p somepassword
> 6. Start svnserve:
> you% svnserve -X -r /your/svn/repository
> 7. Test svn:
> you% svn info svn://youhost/
> Try someuser and somepassword from above.
> Hope that helps. Note also that saslauthd is a password-checking
> engine, so you should take steps to avoid malicious people from
> using it to try to brute-force passwords.
> The security of all of this is really weak if you're not using SSL
> or GSSAPI binds for LDAP and there's nothing you can do about the
> cleartext passwords for svnserve protocol. If you want something
> that keeps your passwords safe, you should really be using svn+ssh,
> svnserve with GSSAPI authentication (which is also very
> ldap-friendly if you have your kerberos database in your ldap
> directory), or anything you like over https.
> --
> Alec.Kloss_at_oracle.com Oracle Middleware
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14

Great! We made some progress! svnserve basically works with this
configuration! Thanks!

I had to correctly configure the /usr/lib/sasl2/svn.conf file AND start
svnserve as root.

When I have a 100% working configuration, I'll post it here.

So now, why do I have to run svnserve as root to enable sasl? (same issue
with testsaslauthd)



PS: sorry, I sent the previous e-mail only to Alec
Received on 2010-03-23 17:14:31 CET
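
Added example (not part of the thread, and not code from the Subversion or Cyrus SASL projects): a small Python lint for the two files from steps 2 and 3 of the quoted mail, flagging the `sasl_pwcheck_method` key and the two clear-text paths the mail warns about. The `ldap_start_tls` option and the `ldaps://` scheme are taken from Cyrus SASL's saslauthd LDAP documentation rather than from this page; the function names and sample strings are constructed.

```python
# Added example: lint the SASL files from steps 2 and 3 of the quoted mail.
# ldap_start_tls / ldaps:// come from Cyrus SASL's saslauthd LDAP docs, not this page.

# Constructed samples: the values shown in the thread.
PAGE_SVN_CONF = "mech_list: PLAIN\npwcheck_method: saslauthd\n"
PAGE_SASLAUTHD_CONF = (
    "ldap_servers: ldap://ldapserver/\n"
    "ldap_search_base: dc=yourdomain,dc=com\n"
)

def parse_conf(text):
    """Parse 'key: value' lines; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def audit(svn_conf_text, saslauthd_conf_text):
    """Return (severity, message) findings for the two files."""
    svn, ldap = parse_conf(svn_conf_text), parse_conf(saslauthd_conf_text)
    findings = []
    if "sasl_pwcheck_method" in svn:
        findings.append(("error", "svn.conf: key must be pwcheck_method, not sasl_pwcheck_method"))
    elif svn.get("pwcheck_method") != "saslauthd":
        findings.append(("error", "svn.conf: pwcheck_method is not saslauthd"))
    if "PLAIN" in svn.get("mech_list", "").upper().split():
        findings.append(("warn", "svn.conf: PLAIN sends the password in clear text over svn://"))
    servers = ldap.get("ldap_servers", "").split()
    if not servers:
        findings.append(("error", "saslauthd.conf: ldap_servers is not set"))
    # Assumption: truthy spellings accepted here; the docs describe yes/no.
    start_tls = ldap.get("ldap_start_tls", "no").lower() in ("yes", "on", "true", "1")
    for uri in servers:
        if uri.lower().startswith("ldap://") and not start_tls:
            findings.append(("warn", f"saslauthd.conf: {uri} is unencrypted; use ldaps:// or ldap_start_tls"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(PAGE_SVN_CONF, PAGE_SASLAUTHD_CONF):
        print(f"{severity}: {message}")
```

Run against the values from the thread, it reports both warnings; neither is a misconfiguration of the steps, they are the exposure the quoted mail describes.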

This is an archived mail posted to the Subversion Users mailing list.