svnserve+sasl+ldap : saslauthd not contacted?
Solution 1:
Solution: I attached a debugger and stepped through the authentication. Turns out I had two problems:
Permissions on /var/log/saslauthd:
drwx--x--- 2 root sasl 140 Sep 27 09:44 saslauthd
means the "subversion" server user needs to be part of group sasl.
The second one is more complicated: DIGEST-MD5 relies on plain text passwords to calculate a hash on the server side. My LDAP directory stores SSHA encrypted passwords, so the server could never compare the MD5 from the client with a MD5 computed locally. I guess the directory could store MD5(username:realm:password), but I'm not sure if this is supported in sasl, and how you would manage that if you have several realms.
I don't really want to store plain text passwords, so for now the solution is to only use unencrypted authentication:
# cat /etc/sasl2/svn.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
Not a perfect solution, but it seems to work for now. I think I'll enforce ssh+svn for external access, and maybe I'll invest some time into TLS support for svnserve.
(This would've been much less time consuming with a few more diagnostic options, and better documentation.)
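An added illustration, not part of the answer above, of why the stored password format decides which SASL mechanism the server can verify: an {SSHA} value can be checked when PLAIN or LOGIN delivers the clear password, whereas DIGEST-MD5 needs H(username:realm:password) (RFC 2831), which a one-way salted hash cannot yield. The user name, realm, nonces, digest-uri and password below are constructed sample values.

```python
import base64
import hashlib
import hmac

def make_ssha(password: str, salt: bytes = b"\x01\x02\x03\x04") -> str:
    """OpenLDAP-style {SSHA} userPassword: base64(sha1(password + salt) + salt).
    A fixed salt is used here only so the demo is reproducible."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored: str, password: str) -> bool:
    """PLAIN/LOGIN path: the clear password arrives, so the server can re-hash it with the stored salt."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def digest_md5_secret(username: str, realm: str, password: str) -> bytes:
    """The only secret a DIGEST-MD5 server needs: H(username:realm:password), raw 16 bytes (RFC 2831)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def digest_md5_response(secret: bytes, nonce: str, cnonce: str, digest_uri: str,
                        nc: str = "00000001", qop: str = "auth") -> str:
    """response-value of RFC 2831 section 2.1.2.1; client and server compute it identically."""
    def hexmd5(data: bytes) -> str:
        return hashlib.md5(data).hexdigest()
    ha1 = hexmd5(secret + f":{nonce}:{cnonce}".encode())
    ha2 = hexmd5(f"AUTHENTICATE:{digest_uri}".encode())
    return hexmd5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

def server_checks_digest(stored: str, username: str, realm: str, nonce: str, cnonce: str,
                         digest_uri: str, client_response: str) -> bool:
    """Server-side DIGEST-MD5 verification against three stored forms (constructed convention:
    '{SSHA}...' salted hash, '{DIGEST-MD5}<hex>' pre-hashed secret, anything else = clear text)."""
    if stored.startswith("{SSHA}"):
        return False  # one-way salted hash: H(username:realm:password) cannot be derived from it
    if stored.startswith("{DIGEST-MD5}"):
        # Pre-hashed secret as the answer speculates about: usable, but bound to exactly one realm.
        secret = bytes.fromhex(stored[len("{DIGEST-MD5}"):])
    else:
        secret = digest_md5_secret(username, realm, stored)  # clear-text password in the directory
    expected = digest_md5_response(secret, nonce, cnonce, digest_uri)
    return hmac.compare_digest(expected, client_response)
```

Running the checks with an {SSHA} entry returns False for DIGEST-MD5 even with the right password, which is exactly the failure the answer observed in the debugger.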