[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Subversion authentication via SASL GSSAPI and likewise open

From: slaventii <xumuku_at_gmail.com>
Date: Thu, 26 Jul 2012 14:12:46 +0300

>Note: please reply in-line and, if at all possible, in _plain_ text, not html...
Sorry for this.

>As mentioned in one of the answers to your stackoverflow question (seeing
>as you insist on referencing it), svn 1.7 uses a new, faster protocol for
>mod_dav which you will be using by default if setting up a new repo and
>using up-to-date clients... Remember the version (1.4.5) benchmarked was
>released in 2007!

>Have you actually run any benchmark trials yourself comparing https and
>svnserve on your network? If your network is slow (not the server) then it
>may not actually matter which you use!

> ~ mark c

Thank you for suggestion. Will try to start some tests.
Our current SVN is: svn, version 1.5.4 (r33841) \ compiled Aug 7 2009, 01:44:11
On new and more powerful server we have: svn, version 1.6.17
(r1128011) \ compiled Dec 17 2011, 16:12:52
And will try to install latest release: 1.7.5 for tests on new server.

On Thu, Jul 26, 2012 at 12:21 PM, Cooke, Mark <mark.cooke_at_siemens.com> wrote:
>
>
> Note: please reply in-line and, if at all possible, in _plain_ text, not
> html...
>
> > On Thu, Jul 26, 2012 at 11:50 AM, Cooke, Mark
> > <mark.cooke_at_siemens.com> wrote:
> >
> > > On Thu, Jul 26, 2012 at 9:38 AM, Cooke, Mark
> > > <mark.cooke_at_siemens.com> wrote:
> > >
> > >
> > > > -----Original Message-----
> > > > From: xumuku [mailto:xumuku_at_gmail.com]
> > > > Sent: 25 July 2012 16:49
> > > > To: subversion_users_at_googlegroups.com
> > > > Cc: users_at_subversion.apache.org; xumuku_at_gmail.com
> > > > Subject: Re: Subversion authentication via
> > SASL GSSAPI and
> > > > likewise open
> > > >
> > > > My current /usr/lib/sasl2/svn.conf is:
> > > >
> > > > pwcheck_method: saslauthd
> > > > mech_list: GSSAPI
> > > > saslauthd_path: /var/run/saslauthd/mux
> > > > log_level: 7
> > > >
> > > > But I get the error:
> > > > Cannot negotiate authentication mechanism
> > > >
> > > > 1. Does *anyone* have Windows SVNServe
> > authenticating to
> > > > AD/Kerberos via SASL/GSSAPI?
> > > >
> > > <http://stackoverflow.com/questions/10407077/does-anyone-have-
> > > windows-svnserve-authenticating-to-ad-kerberos-via-sasl-gssap>
> > > > 2. Cannot negotiate authentication mechanism
> > > >
> > > <http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065
> > > &viewType=browseAll&dsMessageId=65725#messagefocus>
> > >
> > > No (sorry), we use https via apache and mod_ldap to
> > > authenticate against AD. I am interested to know why you
> > > think that is not secure enough (perhaps you have *nix
> > > clients storing plain text passwords?)
> > >
> > > ~ mark c
> > >
> > > Because it works only with PLAIN auth:
> >
> > Ah, ok, yes, I did say we use https. The server is
> > configured to redirect all http traffic to https (using
> > mod_ssl) and authentication then happens in that encrypted
> > environment (or am I being naïve here?)
> >
> > > tcpdump -ni eth0 -A src host 192.168.1.2 and tcp dst port 3690
> > >
> > >
> > > 17:10:10.488834 IP 192.168.1.2.59751 > 192.168.1.1.3690:
> > > Flags [P.], seq 145:184, ack 166, win 65115, length 39
> > > E..O.b@...."..@...@ .g.j....~...P..[....( PLAIN (
> > > 21:AHVzZXIAcGFzc3dvcmQ=
> > >
> > >
> > > http://www.opinionatedgeek.com/dotnet/tools/base64decode/ -
> > > and you can see my sername and password
> > >
> > >
> > > We already have Apache via mod_svn and mod_ldap but
> > it is very slow.
> >
> > What is very slow? I know we don't have many users and
> > are on an internal network but I have no issue with our speeds...
> >
> > ~ mark c
> >
> > -----Original Message-----
> > From: slaventii [mailto:xumuku_at_gmail.com]
> > Sent: 26 July 2012 09:58
> > To: Cooke, Mark
> > Cc: users_at_subversion.apache.org
> > Subject: Re: Subversion authentication via SASL GSSAPI and
> > likewise open
> >
> > >Ah, ok, yes, I did say we use https. The server is
> > configured to redirect all http traffic >to https (using
> > mod_ssl) and authentication then happens in that encrypted
> > >environment (or am I being naïve here?)
> > As I wrote we already have Apache with HTTPS. All is good
> > except speed.
>
> Sorry, I read the list, not links to other sites.
>
> > >What is very slow? I know we don't have many users and are
> > on an internal network >but I have no issue with our speeds...
> >
> > And this is not only our opinion - Svnserve VS mod_dav_svn
> > <http://stackoverflow.com/questions/502585/svnserve-vs-mod-dav-svn> .
> >
> > SVN + Apache - slow.
> > SVN + SASL-Ldap - insecure.
> > SVN + SASL-GSSAPI - in progress :)
>
> As mentioned in one of the answers to your stackoverflow question (seeing
> as you insist on referencing it), svn 1.7 uses a new, faster protocol for
> mod_dav which you will be using by default if setting up a new repo and
> using up-to-date clients... Remember the version (1.4.5) benchmarked was
> released in 2007!
>
> Have you actually run any benchmark trials yourself comparing https and
> svnserve on your network? If your network is slow (not the server) then it
> may not actually matter which you use!
>
> ~ mark c
Received on 2012-07-26 15:27:34 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.