On Tue, Mar 23, 2010 at 1:09 PM, Stefan Sperling <s...@elego.de> wrote:
> On Tue, Mar 23, 2010 at 01:00:09PM +0100, Remi wrote:
>> Hi everyone,
>>
>> I'm trying to set up svnserve to work with LDAP using SASL, but I
>> can't get it to work.
>>
>> Since svn 1.6.5, svnserve should work with SASL. From
>> http://svn.apache.org/repos/asf/subversion/tags/1.6.5/CHANGES, I read:
>> * allow PLAIN and LOGIN mechanisms with SASL in svnserve (r38205)
>>
>> I've read many things about ldap/sasl/svnserve on the net, but I
>> cannot find a correct configuration.
>>
>> 1) saslauthd (using config file /etc/saslauthd.conf).
>> My saslauthd config is correct, as I can use testsaslauthd
>> successfully.
>>
>> 2) svnserve
>> Here are my config files for svnserve to work with SASL:
>>
>> 2.a) svnserve.conf
>> anon-access = none
>> auth-access = write
>> [sasl]
>> use-sasl = true
>>
>> 2.b) /usr/lib/sasl2/svn.conf
>> sasl_pwcheck_method: auxprop
>> auxprop_plugin: sasldb
>> mech_list: LOGIN
>>
>> When I try to check out files, I get this error:
>> svn: Authentication error from server: SASL(-13): user not found: checkpass failed
>>
>> When I change mech_list to PLAIN, I get this error:
>> svn: Authentication error from server: SASL(-13): user not found: Password verification failed
>>
>>
>> Has anyone set up this kind of configuration successfully? Please say
>> yes and provide config ;)
>
> Thanks for trying.
>
> The developer who did the SASL stuff isn't active anymore.
> I have not seen a single person who got it to work yet, and I haven't
> tried setting it up myself. I made the PLAIN/LOGIN change you quoted
> above, knowing that this is required for interaction with saslauthd.
> I was hoping that this change would allow someone out there to
> get a working configuration figured out and share it.
> Maybe that someone is you? :)
[ Yes, I remember that you made that change (following some mailing list
discussion I was involved in). I also remember that I promised to
"contribute the necessary documentation changes", but I never got around
to that. Sorry. The main problem was that we had moved on to Apache, and
I'd have to start again from scratch (and I didn't want to harass my
sysadmin again for a while, because he'd been so helpful during the entire
svn installation). And I didn't want to take the risk of writing something
down without actually testing it :). ]

Anyway, I think your /usr/lib/sasl2/svn.conf file is incorrect. It should
definitely not refer to sasldb (that's the db version of SASL
authentication), and probably also not use an "auxprop". That's the
example config from the svn book, no? I think that's for when you're
working with "shared secrets", i.e. you have a database on the server side
(sasldb) which contains the user passwords. That's almost the same as
using the standard passwd database from svnserve (with htpasswd-obfuscated
passwords).

If memory serves me correctly, for LDAP with saslauthd it should be
something like this:

    sasl_pwcheck_method: saslauthd
    mech_list: PLAIN

(Or maybe LOGIN instead of PLAIN, I'm not sure. I think you can also just
omit the mech_list, or list multiple "mechanisms", to have client and
server "negotiate" which mechanism they are going to use.)

That's more or less what you can deduce from reading the file
sysadmin.html from the cyrus-sasl documentation directory (it should be
somewhere on your system where you've installed SASL).

You do realize that the user passwords will be sent in plain text over the
wire, don't you (unless you've put in place some other layer of
encryption, like a VPN or some such)?

Like Stefan said: I hope you can get it to work, and share it once you've
figured it out :).

-- 
Johan
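As an added illustration (editor's example, not configuration posted by Remi, Johan or the Subversion project, and not tested on their systems), here is how the three layers of the setup discussed above fit together: svnserve's own svnserve.conf, the per-service cyrus-sasl file for the "svn" service, and saslauthd's LDAP settings. The host names, search base and repository path are placeholders; the option names (pwcheck_method, mech_list, min-encryption, max-encryption, ldap_servers, ldap_search_base, ldap_filter) are the ones documented for cyrus-sasl, saslauthd and svnserve. The sasldb/auxprop variant from the original post is kept alongside, commented out, so the difference between "shared secret stored on the server" and "forward the cleartext password to saslauthd" is visible in one place.

```ini
# --- <repo>/conf/svnserve.conf (svnserve side) ---
[general]
anon-access = none
auth-access = write
# The realm is what the client shows when prompting for credentials.
realm = Example Subversion (placeholder)

[sasl]
use-sasl = true
# PLAIN and LOGIN provide no SASL security layer, so a non-zero
# min-encryption would exclude them from the mechanisms offered.
# Keep it at 0 (the default) and protect the wire with a tunnel
# (VPN, ssh port forward) instead, as Johan points out.
min-encryption = 0
max-encryption = 256

# --- /usr/lib/sasl2/svn.conf (cyrus-sasl side; /etc/sasl2/svn.conf on
# some distributions). The file is named after the SASL service name
# "svn" that svnserve registers, which is also the name to pass to
# testsaslauthd -s. ---
pwcheck_method: saslauthd
# saslauthd needs the cleartext password, so only PLAIN and LOGIN can
# be verified through it. Listing both lets client and server pick.
mech_list: PLAIN LOGIN

# Variant from the original post, for contrast: passwords stored in a
# local sasldb on the server, no LDAP involved. Do not combine the two.
# pwcheck_method: auxprop
# auxprop_plugin: sasldb
# mech_list: DIGEST-MD5 CRAM-MD5

# --- /etc/saslauthd.conf (assumed values; saslauthd started with
# "-a ldap" so that this file is read) ---
ldap_servers: ldap://ldap.example.org/
ldap_search_base: ou=people,dc=example,dc=org
# %u is replaced by the username the client sent.
ldap_filter: (uid=%u)
```

Check each layer on its own before blaming svnserve: `testsaslauthd -u alice -p 'secret' -s svn` exercises saslauthd and LDAP only; if that succeeds but `svn ls svn://svn.example.org/repo --username alice` still fails with a SASL(-13) error, the usual cause is that the user running svnserve cannot open the saslauthd socket (by default /var/run/saslauthd/mux), or that the svn.conf being read is not the one you edited (cyrus-sasl looks for <service>.conf in its plugin directory, which differs between distributions). Whatever the outcome, the password still crosses the network in cleartext with PLAIN or LOGIN, exactly as the reply warns.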