svnserve+sasl+ldap : saslauthd not contacted?

Solution 1:

Solution: I attached a debugger and stepped through the authentication. Turns out I had two problems: Permissions on /var/log/saslauthd:

drwx--x---  2 root        sasl         140 Sep 27 09:44 saslauthd

means the "subversion" server user needs to be part of group sasl.

The second one is more complicated: DIGEST-MD5 relies on plain text passwords to calculate a hash on the server side. My LDAP directory stores SSHA encrypted passwords, so the server could never compare the MD5 from the client with an MD5 computed locally. I guess the directory could store MD5(username:realm:password), but I'm not sure if this is supported in sasl, and how you would manage that if you have several realms.

I don't really want to store plain text passwords, so for now the solution is to only use unencrypted authentication:

# cat /etc/sasl2/svn.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Not a perfect solution, but it seems to work for now. I think I'll enforce ssh+svn for external access, and maybe I'll invest some time into TLS support for svnserve.

(This would've been much less time consuming with a few more diagnostic options, and better documentation.)
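As an added illustration (not part of the original answer, and not Cyrus SASL or svnserve code), the following Python shows the mismatch the answer ran into: an RFC 2307 style {SSHA} value only supports a yes/no check given the cleartext (which is what saslauthd's PLAIN/LOGIN path does), while DIGEST-MD5 needs the server to compute HA1 = MD5(username:realm:password), which cannot be derived from an SSHA hash. It also shows why a directory that stored HA1 instead would need one value per realm. The "{HA1}" scheme, the realm names, the sample password and the shortened response formula MD5(HA1:nonce:cnonce) are assumptions made for this example; the real RFC 2831 response covers more fields but has the same dependency on HA1.

```python
import base64
import hashlib
import secrets
from typing import Optional

# --- What the LDAP directory stores: an RFC 2307 style {SSHA} value -----------

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = secrets.token_bytes(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a cleartext candidate against a stored {SSHA} value.

    This check, which needs the cleartext, is the only operation an SSHA hash
    supports; it is what the PLAIN/LOGIN-via-saslauthd setup relies on.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the rest is salt
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return secrets.compare_digest(recomputed, digest)


# --- What DIGEST-MD5 needs on the server side ---------------------------------

def digest_md5_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password), the per-realm secret DIGEST-MD5 is built on."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


def ha1_entries_needed(username: str, realms, password: str) -> dict:
    """If the directory stored HA1 instead of the cleartext, it would need one
    value per realm, because the realm is baked into the hash."""
    return {realm: digest_md5_ha1(username, realm, password) for realm in realms}


def client_response(username: str, realm: str, password: str, nonce: str, cnonce: str) -> str:
    """Simplified client response: MD5(HA1:nonce:cnonce) (assumption: shortened RFC 2831 formula)."""
    ha1 = digest_md5_ha1(username, realm, password)
    return hashlib.md5(f"{ha1}:{nonce}:{cnonce}".encode("utf-8")).hexdigest()


def server_verify(stored: str, username: str, realm: str, nonce: str, cnonce: str, response: str):
    """Server side of the simplified check.

    Returns True/False when the stored credential lets the server compute HA1,
    and None when it cannot: an {SSHA} value is a one-way hash of the cleartext,
    so HA1 cannot be derived from it. "{HA1}" is a made-up scheme (assumption)
    standing in for a directory that stores MD5(username:realm:password).
    """
    if stored.startswith("{SSHA}"):
        return None
    if stored.startswith("{HA1}"):
        ha1 = stored[len("{HA1}"):]
    else:
        ha1 = digest_md5_ha1(username, realm, stored)   # cleartext stored in the directory
    expected = hashlib.md5(f"{ha1}:{nonce}:{cnonce}".encode("utf-8")).hexdigest()
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    user, realm, password = "alice", "svn.example.org", "correct horse"
    nonce, cnonce = "srv-nonce-1", "cli-nonce-1"
    resp = client_response(user, realm, password, nonce, cnonce)

    ssha = ssha_hash(password)
    print("SSHA verify with cleartext (saslauthd PLAIN):", ssha_verify(ssha, password))
    print("DIGEST-MD5 against SSHA entry:", server_verify(ssha, user, realm, nonce, cnonce, resp))
    print("DIGEST-MD5 against cleartext entry:", server_verify(password, user, realm, nonce, cnonce, resp))
    print("HA1 values per realm:", ha1_entries_needed(user, [realm, "mail.example.org"], password))
```

Run it as a script: the SSHA check succeeds with the cleartext, the DIGEST-MD5 check against the same SSHA entry returns None (the server has nothing to compute HA1 from), and the per-realm dictionary shows two different HA1 values for one password.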