> Remi: I got this working on a test instance this morning. Do heed
> warnings from others about how this is all clear-text (passwords
> easily sniffable on the wire) authentication.
>
> 1. Configure svnserve.conf. I believe you have this correct:
>
>        use-sasl = true
>
> 2. Configure svn's sasl configuration in $SASLCONFDIRDIR/svn.conf. I
>    believe you said yours is in /usr/lib/sasl2 or someplace like that.
>    It should look like this:
>
>        mech_list: PLAIN
>        pwcheck_method: saslauthd
>
>    I believe you had sasl_pwcheck_method, which is incorrect.
>
> 3. Configure saslauthd.conf. The location of this seems to be a
>    little mystical (which I was stuck on for a while). I figured it
>    out using strace but using strings `which saslauthd` is probably
>    easier. Anyway, when you figure out where it is (mine's at
>    /etc/saslauthd.conf) it should contain:
>
>        ldap_servers: ldap://ldapserver/
>        ldap_search_base: dc=yourdomain,dc=com
>
>    saslauthd.conf is pretty thoroughly documented in the cyrus sasl
>    source tarball in the file saslauthd/LDAP_SASLAUTHD. There are
>    lots of options in here.
>
> 4. Start saslauthd:
>
>        root# saslauthd -a ldap -d
>
> 5. Test with testsaslauthd:
>
>        you% testsaslauthd -u someuser -p somepassword
>
> 6. Start svnserve:
>
>        you% svnserve -X -r /your/svn/repository
>
> 7. Test svn:
>
>        you% svn info svn://youhost/
>
>    Try someuser and somepassword from above.
>
> Hope that helps. Note also that saslauthd is a password-checking
> engine, so you should take steps to avoid malicious people from
> using it to try to brute-force passwords.
>
> The security of all of this is really weak if you're not using SSL
> or GSSAPI binds for LDAP and there's nothing you can do about the
> cleartext passwords for svnserve protocol. If you want something
> that keeps your passwords safe, you should really be using svn+ssh,
> svnserve with GSSAPI authentication (which is also very
> ldap-friendly if you have your kerberos database in your ldap
> directory), or anything you like over https.
>
> --
> alec.kl...@oracle.com                 Oracle Middleware
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14

Great! We made some progress! svnserve basically works with this
configuration! Thanks!

I had to correctly configure the /usr/lib/sasl2/svn.conf file AND start
svnserve as root. When I have a 100% working configuration, I'll post it
here.

So now, why do I have to run svnserve as root to enable sasl? (same
issue with testsaslauthd)

Regards,
Remi

PS: sorry, I sent the previous e-mail only to Alec
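
An added example, not part of the thread and not code from either poster: a shell lint for the svn.conf and saslauthd.conf of steps 2 and 3, flagging the key Alec calls incorrect and the clear-text exposures he warns about. The function names, messages and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: lint the files from steps 2 and 3.
# File locations vary per build, so both paths are passed as arguments.

# conf_get FILE KEY: print the value of the last "KEY: value" line.
conf_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# lint_svn_sasl SVN_CONF SASLAUTHD_CONF: one finding per line on stdout,
# exit status 1 if there was at least one finding.
lint_svn_sasl() {
    rc=0
    # The key the thread calls incorrect; pwcheck_method is the expected one.
    if grep -q '^[[:space:]]*sasl_pwcheck_method[[:space:]]*:' "$1"; then
        echo "svn.conf: sasl_pwcheck_method is the wrong key, use pwcheck_method"; rc=1
    fi
    if [ "$(conf_get "$1" pwcheck_method)" != "saslauthd" ]; then
        echo "svn.conf: pwcheck_method is not set to saslauthd"; rc=1
    fi
    case " $(conf_get "$1" mech_list) " in
        *" PLAIN "*|*" LOGIN "*)
            echo "svn.conf: mech_list sends the password in clear text over svn://"; rc=1 ;;
    esac
    # Only the URI scheme is checked; ldap:// secured with StartTLS is flagged too.
    for uri in $(conf_get "$2" ldap_servers); do
        case $uri in
            ldaps://*|ldapi://*) ;;
            *) echo "saslauthd.conf: $uri is not ldaps://, so the LDAP bind is unencrypted"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files: svn.conf with the wrong key, and the
# saslauthd.conf exactly as given in step 3.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'mech_list: PLAIN\nsasl_pwcheck_method: saslauthd\n' > "$tmp/svn.conf"
printf 'ldap_servers: ldap://ldapserver/\nldap_search_base: dc=yourdomain,dc=com\n' \
    > "$tmp/saslauthd.conf"
lint_svn_sasl "$tmp/svn.conf" "$tmp/saslauthd.conf" || true
```

Run against the configuration exactly as posted in steps 2 and 3, it still reports the PLAIN and ldap:// findings, which are the two weaknesses described at the end of the quoted message.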