[PATCH] svnserve does not work with LDAP
stsp at elego.de
Thu Jun 25 18:49:26 CDT 2009
On Mon, Jun 15, 2009 at 05:36:31PM +0100, Stefan Sperling wrote:
> Bad news, everyone,
> please see http://svn.haxx.se/users/archive-2009-06/0536.shtml
> Vlad, can you confirm this?
> The book has apparently been misguiding people.
> I think the book's authors simply weren't aware of the issue.
> Is the patch below OK to commit?
Forget about this patch.
I've fixed this another way in Subversion's r38205.
> There's one remaining section where the text suggests that LDAP
> does work with svnserve, namely the documentation of username aliases
> in svnserve.conf. I didn't change that, hoping that we'll eventually
> get TLS support for svn. However, we might want to change the wording
> of that section a bit, too.
> * src/en/book/ch06-server-configuration.xml
> svn.serverconfig.svnserve.sasl): Stop suggesting that LDAP
> authentication works with svnserve, because it is not
> actually supported. Based on description of known issues
> in notes/sasl.txt in the Subversion source tree.
> Index: src/en/book/ch06-server-configuration.xml
> --- src/en/book/ch06-server-configuration.xml (revision 3523)
> +++ src/en/book/ch06-server-configuration.xml (working copy)
> @@ -88,8 +88,10 @@
> <entry>Authentication options</entry>
> <entry>HTTP(S) basic auth, X.509 certificates, LDAP, NTLM, or
> any other mechanism available to Apache httpd</entry>
> - <entry>CRAM-MD5 by default; LDAP, NTLM, or any other mechanism
> - available to SASL</entry>
> + <entry>CRAM-MD5 by default; other mechanisms available to SASL
> + except those which require passwords sent over the network
> + in plain text, and as a consequence those which require
> + saslauthd</entry>
> @@ -98,7 +100,7 @@
> <entry>Private 'users' file, or other mechanisms
> available to Apache httpd (LDAP, SQL, etc.)</entry>
> <entry>Private 'users' file, or other mechanisms available
> - to SASL (LDAP, SQL, etc.)</entry>
> + to SASL (e.g. SQL)</entry>
> <entry>System accounts</entry>
> @@ -999,10 +1001,23 @@ authz-db = authzfile
> that you read the documentation supplied in the
> <filename>doc/</filename> subdirectory of the SASL source
> code. It goes into great detail about every mechanism and
> - how to configure the server appropriately for each. For the
> - purposes of this discussion, we'll just demonstrate a simple
> - example of configuring the DIGEST-MD5 mechanism. For
> - example, if your <filename>subversion.conf</filename>
> + how to configure the server appropriately for each.</para>
> + <warning>
> + <para>Cyrus SASL has two authentication mechanisms, PLAIN and LOGIN,
> + that send the password over the network in plain text.
> + This would be fine if the transmission medium was already
> + encrypted with TLS (Transport Layer Security).
> + However, the svn:// protocol does not support TLS yet, so both
> + these mechanisms are currently disabled in both the client and
> + the server. As a consequence, you won't be able to use the
> + saslauthd daemon to authenticate users, because that method
> + only works with plain text passwords.</para></warning>
> + <para>
> + For the purposes of this discussion, we'll just demonstrate
> + a simple example of configuring the DIGEST-MD5 mechanism.
> + For example, if your <filename>subversion.conf</filename>
> (or <filename>svn.conf</filename>) file contains the
> @@ -1040,9 +1055,8 @@ $ saslpasswd2 -c -f /etc/my_sasldb -u realm userna
> <para>This is just one simple way of configuring SASL. Many
> other authentication mechanisms are available, and passwords
> - can be stored in other places such as in LDAP or a SQL
> - database. Consult the full SASL documentation for
> - details.</para>
> + can be stored in other places such as in an SQL database.
> + Consult the full SASL documentation for details.</para>
> <para>Remember that if you configure your server to only allow
> certain SASL authentication mechanisms, this forces all
> svnbook-dev mailing list
> svnbook-dev at red-bean.com
More information about the svnbook-dev