
Re: SASL authentication with fallback to native passwd file

From: Mark Phippard <markphip_at_gmail.com>
Date: Fri, 3 May 2013 09:07:59 -0400

On Thu, May 2, 2013 at 7:35 PM, Os Tyler <otyler_at_ur.com> wrote:
> Thanks in advance for any help here.
>
> We're using svnserve and I've successfully implemented SASL authentication
> against our company Active Directory LDAP instance. And our Windows and
> Linux clients are successfully connecting.
>
> However the subversion client on our AS/400 servers does not support SASL.
>
> I was looking for a way to configure subversion so that if the SASL
> authentication failed, it would fall back to the native passwd file and if a
> user/pass match was found there, auth would succeed.
>
> I've searched the interwebs and the archives of this mailing list, but I'm
> not seeing that there is a way to accomplish this "SASL with fallback to
> native passwd file".
>
> Is there a way?

You could just run a second svnserve on a different port that was
using a username/password file instead of SASL.

That said, the issue is that if you are using the native AS/400 client
it is SVN 1.4 which was pre-SASL. However, it is still possible for
those SVN clients to work with svnserve SASL. You have to enable the
auth mechanisms on your server that are supported by these clients --
CRAM-MD5.

From: http://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt

5. Compatibility
================

  All 1.x clients, with or without Cyrus SASL support, will be able to
  authenticate against all 1.x servers that do not have Cyrus SASL enabled.
  Note that the CRAM-MD5 and ANONYMOUS mechanisms are actually built into
  Subversion, so you'll be able to use them even if the corresponding Cyrus
  SASL plugins are missing.

  1.x clients without Cyrus SASL support will be able to authenticate against
  1.5+ servers with SASL enabled, provided the server allows the CRAM-MD5
  and/or ANONYMOUS mechanisms.

  1.5+ clients with Cyrus SASL support will be able to authenticate against
  1.5+ servers with SASL enabled, provided at least one of the mechanisms
  supported by the server is also supported by the client.

So if your server enables CRAM-MD5 your client ought to be able to
log in using LDAP username and password. That said, my understanding
is that for CRAM-MD5 to work, the server has to know your plaintext
password. If you are using LDAP, that would be unlikely. So you
would be back to running a second svnserve on another port.

--
Thanks
Mark Phippard
http://markphip.blogspot.com/
Received on 2013-05-03 15:08:35 CEST
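
The CRAM-MD5 constraint discussed in the reply above, shown as an added example (not part of the original mail and not Subversion's code). It assumes the RFC 2195 form of the mechanism; the function names, the sample account and the salted SHA-256 record standing in for a directory that stores only password hashes are all constructed for illustration.

```python
# Added illustration of CRAM-MD5 (RFC 2195 form); not Subversion source code.
import hashlib
import hmac
import os
import time

def make_challenge(host="svn.example.invalid"):
    """Server side: issue a fresh challenge for every login attempt."""
    return "<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), host)

def client_response(user, password, challenge):
    """Client side: username plus hex HMAC-MD5(key=password, msg=challenge)."""
    mac = hmac.new(password.encode(), challenge.encode(), hashlib.md5)
    return "%s %s" % (user, mac.hexdigest())

def verify_with_plaintext_db(passwd_db, challenge, response):
    """Server with a passwd-style file: recompute the HMAC from the stored secret."""
    user, _, digest = response.rpartition(" ")
    secret = passwd_db.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def verify_with_hashed_db(hashed_db, challenge, response):
    """Server that only holds a salted hash of the password (assumed back end)."""
    user, _, digest = response.rpartition(" ")
    record = hashed_db.get(user)
    if record is None:
        return False
    # The stored hash is the only key material available, and it is not the
    # key the client used, so the recomputed HMAC cannot match.
    expected = hmac.new(record[1], challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def demo():
    """Returns (plaintext db accepts, hashed db accepts, replayed response accepted)."""
    password = "correct horse"          # constructed sample credential
    passwd_db = {"as400": password}     # what a native passwd file gives the server
    salt = b"constructed-salt"
    hashed_db = {"as400": (salt, hashlib.sha256(salt + password.encode()).digest())}
    challenge = make_challenge()
    resp = client_response("as400", password, challenge)
    return (verify_with_plaintext_db(passwd_db, challenge, resp),
            verify_with_hashed_db(hashed_db, challenge, resp),
            verify_with_plaintext_db(passwd_db, make_challenge(), resp))

if __name__ == "__main__":
    print(demo())
```

The password never crosses the wire, which is why the verifier must hold the same secret the client keyed the HMAC with; the third result shows that a captured response is useless against a new challenge.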

This is an archived mail posted to the Subversion Users mailing list.
