
Re: svnserv + ssh + ldap

From: Stefan Sperling <stsp_at_elego.de>
Date: Fri, 30 Jul 2010 16:40:37 +0200

On Fri, Jul 30, 2010 at 04:20:14PM +0200, Nils Wilhelm wrote:
> Hi there,
>
> Stefan Sperling wrote:
> >If I understood correctly, the question was about using Subversion
> >with SSH and LDAP.
> You're right.
>
> I have installed the server by using this tutorial
> http://jimmyg.org/blog/2007/subversion-over-svnssh-on-debian.html
> So what I have now is a subversion server and the ability to connect
> to it using ssh and private/public keys. So I have one system user
> that starts the svnserv process every time a user connects and I can
> add new users by creating and adding just the private/public keys.
>
> So the question now is if it would be possible to use LDAP at all.
> What would be the advantage?

I don't know. Presumably you could use a fancy configuration
to make sshd retrieve authorized_keys information from ldap?

A quick search suggests that this is only possible for passwords, though.
Check the UsePAM option of OpenSSH in the sshd_config man page.
With that scheme, your developers would have to enter their passwords
all the time (without having the option of saving them to disk, since
authentication is done by SSH, not Subversion).

Maybe another option is to authenticate via SSH using single sign-on with
Kerberos, if that helps.

Or maybe you could periodically re-generate the authorized_keys file
on the Subversion server from data stored in ldap (generate a temporary
file, and upon success, move it into place)? That would be a crutch,
but similar schemes are used by several Subversion users to e.g. create
configuration files for path-based authorization within the repository
based on data in LDAP.

Stefan
Received on 2010-07-30 16:41:29 CEST
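
The last suggestion in the mail above (regenerate authorized_keys from LDAP data, write a temporary file, move it into place on success), sketched as an added example that is not part of the original mail or of Subversion. It assumes the LDAP lookup has already produced (uid, public key) pairs and that every key is pinned to a forced "svnserve -t --tunnel-user" command; all function names are hypothetical.

```python
import base64, os, re, struct, tempfile

# Assumed forced command: every key runs svnserve in tunnel mode as the LDAP uid.
OPTS = ('command="svnserve -t --tunnel-user={uid}",'
        'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty')
UID_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")  # keeps quotes/newlines out of command=""

def valid_key(key):
    """Return 'type blob' if key is a well-formed public key line, else None."""
    parts = key.split()
    if len(parts) < 2:
        return None
    ktype, blob = parts[0], parts[1]
    try:
        raw = base64.b64decode(blob, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
    except (ValueError, struct.error):
        return None
    # The blob starts with a length-prefixed copy of the key type.
    return f"{ktype} {blob}" if raw[4:4 + n] == ktype.encode() else None

def build_lines(entries):
    """entries: iterable of (uid, public_key) pairs already fetched from LDAP."""
    lines = []
    for uid, key in entries:
        clean = valid_key(key)
        if UID_RE.match(uid) and clean:
            lines.append(f"{OPTS.format(uid=uid)} {clean} {uid}")
    return lines

def install(entries, path):
    """Atomically replace path; keep the old file if LDAP yielded nothing usable."""
    lines = build_lines(entries)
    if not lines:
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".authorized_keys.")
    try:
        with os.fdopen(fd, "w") as f:   # mkstemp creates the file with mode 0600
            f.write("\n".join(lines) + "\n")
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)           # rename within one directory is atomic
    except BaseException:
        os.unlink(tmp)
        raise
    return True
```

Returning False on an empty result keeps the previous file in place, so an LDAP outage or an empty query does not lock every developer out.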

This is an archived mail posted to the Subversion Users mailing list.
