On 2010-03-23 15:22, Stefan Sperling wrote:
> On Tue, Mar 23, 2010 at 02:44:55PM +0100, Remi wrote:
> > I've also found a patch to use svnserve directly with ldap (
> > http://svn.haxx.se/dev/archive-2008-01/0719.shtml). Why has this one not been
> > included in svnserve?
>
> My guess is lack of developer competence regarding LDAP,
> which translates to lack of developer time (i.e. having enough
> time to learn enough about LDAP to understand the patch).
>
> Actually I think I've looked at that patch before but decided
> I wasn't competent enough to understand it and moved on.
>
> It's a bit unfortunate that most of our developers lack expertise in
> external authentication mechanisms Subversion is hooked up to.
> The reason is probably that our developers tend to focus on version control
> problems rather than system administration and security. There are so many
> problems to solve in version control already that patches like this get
> overlooked (or put aside for "some time later") easily.
>
> It would help to have a developer focused on authorisation mechanisms,
> the ones inside of Subversion as well as integration with external ones.
> Right now we have no such developer.
>
> Stefan
Stefan: I'm not trying to be snide, but I've tried getting the SASL cross-realm support in svnserve fixed in the past and not had much success. It's a little demotivational.

Remi: I got this working on a test instance this morning. Do heed warnings from others about how this is all clear-text (passwords easily sniffable on the wire) authentication.

1. Configure svnserve.conf. I believe you have this correct:

       use-sasl = true

2. Configure svn's sasl configuration in $SASLCONFDIR/svn.conf. I believe you said yours is in /usr/lib/sasl2 or someplace like that. It should look like this:

       mech_list: PLAIN
       pwcheck_method: saslauthd

   I believe you had sasl_pwcheck_method, which is incorrect.

3. Configure saslauthd.conf. The location of this seems to be a little mystical (which I was stuck on for a while). I figured it out using strace, but using strings `which saslauthd` is probably easier. Anyway, when you figure out where it is (mine's at /etc/saslauthd.conf) it should contain:

       ldap_servers: ldap://ldapserver/
       ldap_search_base: dc=yourdomain,dc=com

   saslauthd.conf is pretty thoroughly documented in the cyrus sasl source tarball in the file saslauthd/LDAP_SASLAUTHD. There are lots of options in here.

4. Start saslauthd:

       root# saslauthd -a ldap -d

5. Test with testsaslauthd:

       you% testsaslauthd -u someuser -p somepassword

6. Start svnserve:

       you% svnserve -X -r /your/svn/repository

7. Test svn:

       you% svn info svn://yourhost/

   Try someuser and somepassword from above.

Hope that helps.

Note also that saslauthd is a password-checking engine, so you should take steps to prevent malicious people from using it to try to brute-force passwords. The security of all of this is really weak if you're not using SSL or GSSAPI binds for LDAP, and there's nothing you can do about the cleartext passwords for the svnserve protocol.

If you want something that keeps your passwords safe, you should really be using svn+ssh, svnserve with GSSAPI authentication (which is also very ldap-friendly if you have your kerberos database in your ldap directory), or anything you like over https.

-- 
alec.kl...@oracle.com
Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14
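Added example, not from the thread or from the Subversion or Cyrus SASL projects: a small POSIX shell audit for the svn.conf and saslauthd.conf files from steps 2 and 3 above. It flags the mistyped sasl_pwcheck_method key, a missing pwcheck_method, the cleartext PLAIN mechanism, and a plain ldap:// bind without StartTLS (the weak points the message warns about). The function name, the constructed sample files and their temporary directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the SASL-side config of an
# svnserve + saslauthd + LDAP setup for the mistakes and weak settings discussed above.

# audit_svn_sasl SVN_CONF SASLAUTHD_CONF
# Prints one line per finding to stderr, then echoes the finding count on stdout.
audit_svn_sasl() {
    svnconf=$1; saslconf=$2; n=0
    # Mistyped key from the thread: sasl_pwcheck_method instead of pwcheck_method
    if grep -q '^[[:space:]]*sasl_pwcheck_method' "$svnconf"; then
        echo "ERROR: $svnconf: 'sasl_pwcheck_method' is not a valid key; use 'pwcheck_method'" >&2
        n=$((n + 1))
    fi
    # Without pwcheck_method: saslauthd, svnserve never consults saslauthd at all
    if ! grep -q '^[[:space:]]*pwcheck_method:[[:space:]]*saslauthd' "$svnconf"; then
        echo "ERROR: $svnconf: missing 'pwcheck_method: saslauthd'" >&2
        n=$((n + 1))
    fi
    # PLAIN is what saslauthd needs, but it sends the password in cleartext over svn://
    if grep -q '^[[:space:]]*mech_list:.*PLAIN' "$svnconf"; then
        echo "WARN: $svnconf: mech_list allows PLAIN; passwords cross the wire in cleartext" >&2
        n=$((n + 1))
    fi
    # The saslauthd -> LDAP bind should use ldaps:// or 'ldap_start_tls: yes' so the
    # password is not exposed a second time between saslauthd and the directory
    if grep -q '^[[:space:]]*ldap_servers:.*ldap://' "$saslconf" \
       && ! grep -q '^[[:space:]]*ldap_start_tls:[[:space:]]*yes' "$saslconf"; then
        echo "WARN: $saslconf: ldap_servers uses plain ldap:// without ldap_start_tls" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample files reproducing the thread: the mistaken key, then the fix.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
BAD_SVN=$SAMPLE_DIR/svn-bad.conf
GOOD_SVN=$SAMPLE_DIR/svn-good.conf
SASLAUTHD_CONF=$SAMPLE_DIR/saslauthd.conf
printf 'mech_list: PLAIN\nsasl_pwcheck_method: saslauthd\n' > "$BAD_SVN"
printf 'mech_list: PLAIN\npwcheck_method: saslauthd\n' > "$GOOD_SVN"
printf 'ldap_servers: ldap://ldapserver/\nldap_search_base: dc=yourdomain,dc=com\n' > "$SASLAUTHD_CONF"

audit_svn_sasl "$BAD_SVN" "$SASLAUTHD_CONF"    # prints 4: bad key, missing key, PLAIN, ldap://
audit_svn_sasl "$GOOD_SVN" "$SASLAUTHD_CONF"   # prints 2: PLAIN, ldap://
```

The two remaining warnings on the corrected file are exactly the ones the message says you cannot configure away on svn://, which is the case for moving to svn+ssh, GSSAPI or https.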