subversion-users mailing list archives

From Remi <rverch...@gmail.com>
Subject Re: svnserve and ldap status ?
Date Tue, 23 Mar 2010 16:14:01 GMT
>
> Remi: I got this working on a test instance this morning.  Do heed
> warnings from others about how this is all clear-text (passwords
> easily sniffable on the wire) authentication.
>
> 1. Configure svnserve.conf.  I believe you have this correct:
>
> use-sasl = true
>
> 2. Configure svn's sasl configuration in $SASLCONFDIRDIR/svn.conf.  I
> believe you said yours is in /usr/lib/sasl2 or someplace like that.
> It should look like this:
>
> mech_list: PLAIN
> pwcheck_method: saslauthd
>
> I believe you had sasl_pwcheck_method, which is incorrect.
>
> 3. Configure saslauthd.conf.  The location of this seems to be a
> little mystical (which I was stuck on for a while).  I figured it
> out using strace but using strings `which saslauthd` is probably
> easier.  Anyway, when you figure out where it is (mine's at
> /etc/saslauthd.conf) it should contain:
>
> ldap_servers: ldap://ldapserver/
> ldap_search_base: dc=yourdomain,dc=com
>
> saslauthd.conf is pretty thoroughly documented in the cyrus sasl
> source tarball in the file saslauthd/LDAP_SASLAUTHD.  There are
> lots of options in here.
>
>
> 4. Start saslauthd:
>
>        root# saslauthd -a ldap -d
>
> 5. Test with testsaslauthd:
>
>        you% testsaslauthd -u someuser -p somepassword
>
> 6. Start svnserve:
>
>        you% svnserve -X -r /your/svn/repository
>
> 7. Test svn:
>
>        you% svn info svn://youhost/
>
> Try someuser and somepassword from above.
>
> Hope that helps.  Note also that saslauthd is a password-checking
> engine, so you should take steps to prevent malicious people from
> using it to try to brute-force passwords.
>
> The security of all of this is really weak if you're not using SSL
> or GSSAPI binds for LDAP and there's nothing you can do about the
> cleartext passwords for svnserve protocol.  If you want something
> that keeps your passwords safe, you should really be using svn+ssh,
> svnserve with GSSAPI authentication (which is also very
> ldap-friendly if you have your kerberos database in your ldap
> directory), or anything you like over https.
>
> --
> Alec.Kloss@oracle.com                   Oracle Middleware
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14
>

Great! We made some progress! svnserve basically works with this
configuration! Thanks!

I had to correctly configure the /usr/lib/sasl2/svn.conf file AND start
svnserve as root.

When I have a 100% working configuration, I'll post it here.

So now, why do I have to run svnserve as root to enable sasl? (same issue
with testsaslauthd)

Regards,

Remi

PS: Sorry, I sent the previous e-mail only to Alec.
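
Added example, not part of the original thread: a Python check that parses the two files from steps 2 and 3 of the quoted procedure and reports the clear-text weaknesses and the key-name mistake the quoted message describes. The function names and sample file contents are constructed for illustration; ldap_start_tls is an option taken from Cyrus SASL's LDAP_SASLAUTHD documentation, not from the thread, and treating only "yes" as enabled is an assumption.

```python
def parse_conf(text):
    """Parse Cyrus SASL style 'key: value' lines, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def audit(svn_conf_text, saslauthd_conf_text):
    """Return (file, finding) tuples for the weaknesses named in the thread."""
    svn = parse_conf(svn_conf_text)
    ldap = parse_conf(saslauthd_conf_text)
    findings = []
    if "sasl_pwcheck_method" in svn:
        findings.append(("svn.conf", "sasl_pwcheck_method is the wrong key; use pwcheck_method"))
    # PLAIN and LOGIN hand the password itself to the server.
    cleartext = [m for m in svn.get("mech_list", "").upper().split() if m in ("PLAIN", "LOGIN")]
    if cleartext:
        findings.append(("svn.conf", "clear-text mechanism over svn://: " + ",".join(cleartext)))
        if svn.get("pwcheck_method", "").lower() != "saslauthd":
            findings.append(("svn.conf", "pwcheck_method is not saslauthd, so LDAP is never consulted"))
    # ldap:// without StartTLS sends the bind password unencrypted.
    # Assumption: the value "yes" is what enables ldap_start_tls.
    start_tls = ldap.get("ldap_start_tls", "no").lower() == "yes"
    for url in ldap.get("ldap_servers", "").split():
        if url.lower().startswith("ldap://") and not start_tls:
            findings.append(("saslauthd.conf", "unencrypted LDAP bind to " + url))
    return findings


# Constructed sample inputs: the configuration quoted in the thread.
THREAD_SVN_CONF = "mech_list: PLAIN\npwcheck_method: saslauthd\n"
THREAD_SASLAUTHD_CONF = "ldap_servers: ldap://ldapserver/\nldap_search_base: dc=yourdomain,dc=com\n"

if __name__ == "__main__":
    for name, finding in audit(THREAD_SVN_CONF, THREAD_SASLAUTHD_CONF):
        print(f"{name}: {finding}")
```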
