
Re: svnserve and ldap status ?

From: Remi <rverchere_at_gmail.com>
Date: Tue, 23 Mar 2010 17:14:01 +0100

>
> Remi: I got this working on a test instance this morning. Do heed
> warnings from others about how this is all clear-text (passwords
> easily sniffable on the wire) authentication.
>
> 1. Configure svnserve.conf. I believe you have this correct:
>
> use-sasl = true
>
> 2. Configure svn's sasl configuration in $SASLCONFDIR/svn.conf. I
> believe you said yours is in /usr/lib/sasl2 or someplace like that.
> It should look like this:
>
> mech_list: PLAIN
> pwcheck_method: saslauthd
>
> I believe you had sasl_pwcheck_method, which is incorrect.
>
> 3. Configure saslauthd.conf. The location of this seems to be a
> little mystical (which I was stuck on for a while). I figured it
> out using strace but using strings `which saslauthd` is probably
> easier. Anyway, when you figure out where it is (mine's at
> /etc/saslauthd.conf) it should contain:
>
> ldap_servers: ldap://ldapserver/
> ldap_search_base: dc=yourdomain,dc=com
>
> saslauthd.conf is pretty thoroughly documented in the cyrus sasl
> source tarball in the file saslauthd/LDAP_SASLAUTHD. There are
> lots of options in there.
>
>
> 4. Start saslauthd:
>
> root# saslauthd -a ldap -d
>
> 5. Test with testsaslauthd:
>
> you% testsaslauthd -u someuser -p somepassword
>
> 6. Start svnserve:
>
> you% svnserve -X -r /your/svn/repository
>
> 7. Test svn:
>
> you% svn info svn://yourhost/
>
> Try someuser and somepassword from above.
>
> Hope that helps. Note also that saslauthd is a password-checking
> engine, so you should take steps to prevent malicious people from
> using it to try to brute-force passwords.
>
> The security of all of this is really weak if you're not using SSL
> or GSSAPI binds for LDAP and there's nothing you can do about the
> cleartext passwords for svnserve protocol. If you want something
> that keeps your passwords safe, you should really be using svn+ssh,
> svnserve with GSSAPI authentication (which is also very
> ldap-friendly if you have your kerberos database in your ldap
> directory), or anything you like over https.
>
> --
> Alec.Kloss_at_oracle.com Oracle Middleware
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14
>

Great! We made some progress! svnserve basically works with this
configuration! Thanks!

I had to configure the /usr/lib/sasl2/svn.conf file correctly AND start
svnserve as root.

When I have a 100% working configuration, I'll post it here.

So now, why do I have to run svnserve as root to enable sasl? (same issue
with testsaslauthd)

Regards,

Remi

ps: sorry, I've sent previous e-mail only to Alec
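The seven-step procedure quoted above, written out as config fragments plus a small lint script. This is an added example, not code from the original post or from the Subversion or Cyrus SASL projects. It writes the three files into a scratch directory (hostnames, realm and base DN are placeholders) and checks for the two pitfalls the post calls out: the wrong `sasl_pwcheck_method` key in svn.conf, and a cleartext `ldap://` bind from saslauthd. Two details not in the post but taken from the tools' own documentation: in svnserve.conf `use-sasl` belongs in the `[sasl]` section, and because PLAIN provides no SASL security layer it is only offered when `min-encryption` is 0 (the default); saslauthd's `ldap_start_tls` option is the alternative to an `ldaps://` URL for protecting the LDAP bind.

```shell
#!/bin/sh
# Added example (not from the original post). Writes the config fragments
# for svnserve -> SASL PLAIN -> saslauthd -> LDAP into a scratch directory
# and lints them. All hostnames, realms and DNs below are placeholders.

set -u

SCRATCH=$(mktemp -d)

# 1. svnserve.conf: use-sasl lives under [sasl]. PLAIN has no SASL
#    security layer, so min-encryption must stay 0 or PLAIN is refused.
cat > "$SCRATCH/svnserve.conf" <<'EOF'
[general]
anon-access = none
auth-access = write
realm = example-repo

[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
EOF

# A variant that silently breaks PLAIN by demanding an encryption layer.
cat > "$SCRATCH/svnserve.conf.enc" <<'EOF'
[sasl]
use-sasl = true
min-encryption = 128
EOF

# 2. SASL application config (e.g. /usr/lib/sasl2/svn.conf).
#    The key is pwcheck_method, not sasl_pwcheck_method.
cat > "$SCRATCH/svn.conf" <<'EOF'
mech_list: PLAIN
pwcheck_method: saslauthd
EOF

cat > "$SCRATCH/svn.conf.wrong" <<'EOF'
mech_list: PLAIN
sasl_pwcheck_method: saslauthd
EOF

# 3. saslauthd.conf: TLS to the directory (ldaps://) versus cleartext.
cat > "$SCRATCH/saslauthd.conf" <<'EOF'
ldap_servers: ldaps://ldap.example.com/
ldap_search_base: dc=example,dc=com
EOF

cat > "$SCRATCH/saslauthd.conf.clear" <<'EOF'
ldap_servers: ldap://ldap.example.com/
ldap_search_base: dc=example,dc=com
EOF

# 0 when svn.conf names saslauthd under the correct key and lists PLAIN.
check_svn_sasl_conf() {
    f=$1
    if grep -q '^sasl_pwcheck_method' "$f"; then
        echo "$f: 'sasl_pwcheck_method' is not a key; use 'pwcheck_method'" >&2
        return 1
    fi
    grep -q '^pwcheck_method:[[:space:]]*saslauthd' "$f" || return 1
    grep -q '^mech_list:.*PLAIN' "$f" || return 1
}

# 0 when saslauthd will bind to LDAP over TLS (ldaps:// URL or
# ldap_start_tls: yes); 1 when the bind would send passwords in clear.
check_ldap_transport() {
    f=$1
    grep -q '^ldap_servers:[[:space:]]*ldaps://' "$f" && return 0
    grep -q '^ldap_start_tls:[[:space:]]*yes' "$f" && return 0
    echo "$f: cleartext LDAP bind; use ldaps:// or ldap_start_tls: yes" >&2
    return 1
}

# 0 when [sasl] has use-sasl = true and min-encryption is absent or 0.
check_svnserve_conf() {
    f=$1
    awk '
        /^\[/ { sect = $0 }
        sect == "[sasl]" && /^use-sasl[[:space:]]*=[[:space:]]*true/ { u = 1 }
        sect == "[sasl]" && /^min-encryption[[:space:]]*=/ {
            split($0, a, "="); gsub(/[[:space:]]/, "", a[2])
            if (a[2] + 0 > 0) bad = 1
        }
        END { exit (u && !bad) ? 0 : 1 }
    ' "$f"
}

check_svnserve_conf "$SCRATCH/svnserve.conf" \
    && check_svn_sasl_conf "$SCRATCH/svn.conf" \
    && check_ldap_transport "$SCRATCH/saslauthd.conf" \
    && echo "config fragments in $SCRATCH look sane"
```

Run it as-is to see the lint pass on the good set; point the three check functions at your real files to catch the same mistakes there. None of this changes what the post says about the svnserve side: PLAIN still carries the user's password in clear between client and svnserve, so the TLS check only protects the saslauthd-to-LDAP leg.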
Received on 2010-03-23 17:14:31 CET

This is an archived mail posted to the Subversion Users mailing list.