Svn authorizing over sasl+ldap failing after Ubuntu update 10.04 -> 12.04
I have a working svnserve solution on Ubuntu 10.04 for authorizing svn users over SASL to Active Directory (LDAP, not LDAPDB). Config files are at the bottom.
After upgrading the server to the 12.04 release, this does not work anymore. I can authorize a user over SASL to LDAP with
testsaslauthd -u ldap_username -p his_password
=> 0: OK "Success."
But when I try to "svn update" on a folder at the same server, it asks me three times for credentials and ends with
svn: Authentication error from server: SASL(-4): no mechanism available:
I do not know how to track communication between svn and sasl.
Circumstances:
- Ubuntu 10.04 + subversion 1.6.6 (with Cyrus SASL support) => working
- Ubuntu 12.04 + subversion 1.6.17 (with Cyrus SASL support) => not working (with same configuration)
file /usr/lib/sasl2/svn.conf
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN
file /usr/lib/sasl2/subversion.conf -> symlink to /usr/lib/sasl2/svn.conf
file /opt/svn/repos/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
#password-db = passwd
authz-db = authz
realm = smartsvn
[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
Any idea how to fix it or trace the problem?
Solution 1:
Had the same problems as above, only on Debian squeeze after a dist-upgrade. After hours of config, restart and reinstall madness I gave the following "svn.conf" a try:
pwcheck_method: saslauthd
#auxprop_plugin: ldap
mech_list: plain login cram-md5 digest-md5
IMO, "mech_list: plain" should be enough. The other mechs are leftovers from previous attempts.
Here is my /etc/saslauthd.conf
ldap_servers: ldap://xxx.xxx.xxx.xxx
ldap_use_sasl:no
ldap_search_base: DC=domain,DC=tdl
ldap_bind_dn: [email protected]
ldap_bind_pw: magic_word:)
ldap_mech: PLAIN
ldap_auth_method: bind
ldap_filter: (sAMAccountName=%U)
log_level: 7
And here is my /etc/default/saslauthd
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
Update Dec 14:
Today I had the same issue again after an svnserve upgrade (r1615264):
I had to add the following to the svn.conf:
ldapdb_uri: ldap://myldadphost.tld
Don't ask me why, I just tried it, because three or four years ago the param was already (with other ldap params) in the svn.conf...
Solution 2:
(1) In /etc/sasl2/svn.conf you can set a log level for saslauthd like:
log_level: 7
In sasl.h I found:
#define SASL_LOG_NONE 0 /* don't log anything */
#define SASL_LOG_ERR 1 /* log unusual errors (default) */
#define SASL_LOG_FAIL 2 /* log all authentication failures */
#define SASL_LOG_WARN 3 /* log non-fatal warnings */
#define SASL_LOG_NOTE 4 /* more verbose than LOG_WARN */
#define SASL_LOG_DEBUG 5 /* more verbose than LOG_NOTE */
#define SASL_LOG_TRACE 6 /* traces of internal protocols */
#define SASL_LOG_PASS 7 /* traces of internal protocols, including passwords */
It seems it logs to /var/log/auth.log.
I have almost the same problem (migrating from Ubuntu 11.04 to 12.04) and get in auth.log:
svnserve: could not find auxprop plugin, was searching for 'ldap'
Interestingly, the log says "svnserve" and not saslauthd. Which led me to ...
(2) You could try
ldd /usr/bin/svnserve
For me, the working server (Ubuntu 11.04) shows:
libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2
but the failing server (12.04) does not.
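An added example, not part of any answer on this page: a small Python check that cross-references a SASL application config such as svn.conf with auth.log, picking out the "could not find auxprop plugin" message quoted above and flagging log_level 7, which per the sasl.h excerpt traces passwords. The sample config and log lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed input: the svn.conf from the question plus log_level from Solution 2.
SAMPLE_CONF = """\
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN
log_level: 7
"""
# Constructed auth.log lines; only the svnserve message text is quoted from the page.
SAMPLE_LOG = """\
Dec 14 10:02:10 host CRON[411]: session opened for user root
Dec 14 10:02:11 host svnserve: could not find auxprop plugin, was searching for 'ldap'
"""

MISSING_RE = re.compile(r"\s(?P<prog>[\w.-]+)(?:\[\d+\])?: could not find auxprop plugin, "
                        r"was searching for '(?P<plugin>[^']*)'")

def parse_sasl_conf(text):
    """Parse 'key: value' lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)  # split once: values may contain ':'
        conf[key.strip().lower()] = value.strip()
    return conf

def missing_plugins(log_text, program="svnserve"):
    """Return auxprop plugin names that `program` reported it could not find."""
    return {m.group("plugin") for m in MISSING_RE.finditer(log_text)
            if m.group("prog") == program}

def diagnose(conf_text, log_text):
    """Cross-check the SASL config against the log; return a list of findings."""
    conf, findings = parse_sasl_conf(conf_text), []
    wanted = conf.get("auxprop_plugin", "").split()
    for name in wanted:
        if name in missing_plugins(log_text):
            findings.append(f"auxprop_plugin '{name}' is configured but svnserve could not load it")
    if wanted and conf.get("pwcheck_method") == "saslauthd":
        findings.append("pwcheck_method is saslauthd; Solution 1 commented auxprop_plugin out")
    if conf.get("log_level", "").isdigit() and int(conf["log_level"]) >= 7:
        findings.append("log_level >= 7 (SASL_LOG_PASS) writes passwords to the log")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_CONF, SAMPLE_LOG)))
```

On a real host, pass the contents of the svn.conf in use and of /var/log/auth.log to diagnose(), and lower log_level again once the trace has been captured.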
Solution 3:
Try changing the configuration in your /usr/lib/sasl2/svn.conf config file (SVN SASL configuration) to:
auxprop_plugin: ldapdb
mech_list: PLAIN
ldapdb_mech: PLAIN
saslauthd_path: /var/run/saslauthd/mux
ldapdb_uri: <address of your ldap server (ldap://hostname)>