[PATCH] svnserve does not work with LDAP

Stefan Sperling stsp at elego.de
Thu Jun 25 18:49:26 CDT 2009


On Mon, Jun 15, 2009 at 05:36:31PM +0100, Stefan Sperling wrote:
> Bad news, everyone,
> 
> please see http://svn.haxx.se/users/archive-2009-06/0536.shtml
> 
> Vlad, can you confirm this?
> 
> The book has apparently been misguiding people.
> I think the book's authors simply weren't aware of the issue.
> 
> Is the patch below OK to commit?

Forget about this patch.
I've fixed this another way in Subversion's r38205.

Stefan

> 
> There's one remaining section where the text suggests that LDAP
> does work with svnserve, namely the documentation of username aliases
> in svnserve.conf. I didn't change that, hoping that we'll eventually
> get TLS support for svn. However, we might want to change the wording
> of that section a bit, too.
> 
> Thanks,
> Stefan
> 
> [[[
> * src/en/book/ch06-server-configuration.xml
>   (svn.serverconfig.overview.tbl-1,
>    svn.serverconfig.svnserve.sasl): Stop suggesting that LDAP
>    authentication works with svnserve, because it is not
>    actually supported. Based on description of known issues
>    in notes/sasl.txt in the Subversion source tree.
> ]]]
> 
> Index: src/en/book/ch06-server-configuration.xml
> ===================================================================
> --- src/en/book/ch06-server-configuration.xml	(revision 3523)
> +++ src/en/book/ch06-server-configuration.xml	(working copy)
> @@ -88,8 +88,10 @@
>              <entry>Authentication options</entry>
>              <entry>HTTP(S) basic auth, X.509 certificates, LDAP, NTLM, or
>                any other mechanism available to Apache httpd</entry>
> -            <entry>CRAM-MD5 by default;  LDAP, NTLM, or any other mechanism
> -              available to SASL</entry>
> +            <entry>CRAM-MD5 by default; other mechanisms available to SASL
> +              except those which require passwords sent over the network
> +              in plain text, and as a consequence those which require
> +              saslauthd</entry>
>              <entry>SSH</entry>
>            </row>
>  
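Review bot: the new cell drops NTLM together with LDAP, but the exception it states (mechanisms that need the password sent in plain text) does not cover NTLM, which is a challenge-response mechanism; either keep NTLM in the list or say why it goes. The clause "and as a consequence those which require saslauthd" is also hard to parse inside a table cell; naming the excluded mechanisms the way the warning below does would read better, e.g. "CRAM-MD5 by default; any other SASL mechanism that does not send the password in plain text (so not PLAIN, LOGIN, or anything backed by saslauthd)".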
> @@ -98,7 +100,7 @@
>              <entry>Private 'users' file, or other mechanisms
>              available to Apache httpd (LDAP, SQL, etc.)</entry>
>              <entry>Private 'users' file, or other mechanisms available
> -              to SASL (LDAP, SQL, etc.)</entry>
> +              to SASL (e.g. SQL)</entry>
>              <entry>System accounts</entry>
>            </row>
>  
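Review bot: this row compares where passwords are stored, and "(e.g. SQL)" gives the reader no reason why LDAP vanished from the svnserve column while it stays in the Apache column directly above. A short pointer to the warning in the SASL section, or a parenthetical such as "(e.g. SQL; LDAP is not usable with svnserve, see the warning under the SASL section)", would keep the two columns readable side by side.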
> @@ -999,10 +1001,23 @@ authz-db = authzfile
>            that you read the documentation supplied in the
>            <filename>doc/</filename> subdirectory of the SASL source
>            code.  It goes into great detail about every mechanism and
> -          how to configure the server appropriately for each.  For the
> -          purposes of this discussion, we'll just demonstrate a simple
> -          example of configuring the DIGEST-MD5 mechanism.  For
> -          example, if your <filename>subversion.conf</filename>
> +          how to configure the server appropriately for each.</para>
> +
> +        <warning>
> +          <para>Cyrus SASL has two authentication mechanisms, PLAIN and LOGIN,
> +            that send the password over the network in plain text.
> +            This would be fine if the transmission medium was already
> +            encrypted with TLS (Transport Layer Security).
> +            However, the svn:// protocol does not support TLS yet, so both
> +            these mechanisms are currently disabled in both the client and
> +            the server. As a consequence, you won't be able to use the
> +            saslauthd daemon to authenticate users, because that method
> +            only works with plain text passwords.</para></warning>
> +          
> +        <para>
> +          For the purposes of this discussion, we'll just demonstrate
> +          a simple example of configuring the DIGEST-MD5 mechanism.
> +          For example, if your <filename>subversion.conf</filename>
>            (or <filename>svn.conf</filename>) file contains the
>            following:</para>
>  
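Review bot: in the warning, "if the transmission medium was already encrypted" should be "were already encrypted", and "does not support TLS yet" together with "currently disabled" will go stale the moment TLS lands without anyone revisiting this paragraph; either tie it to a release or drop the temporal words. "both these mechanisms are currently disabled in both the client and the server" repeats "both". The line after `</warning>` is whitespace-only, and the new `<para>` starts its text on the following line while the surrounding paragraphs put text on the `<para>` line itself, so the book's indentation is inconsistent here. Minor: "demonstrate a simple example ... For example, if your" was already in the old text, but now that it opens a fresh paragraph the doubled "example" stands out.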
> @@ -1040,9 +1055,8 @@ $ saslpasswd2 -c -f /etc/my_sasldb -u realm userna
>  
>          <para>This is just one simple way of configuring SASL.  Many
>            other authentication mechanisms are available, and passwords
> -          can be stored in other places such as in LDAP or a SQL
> -          database.  Consult the full SASL documentation for
> -          details.</para>
> +          can be stored in other places such as in an SQL database.
> +          Consult the full SASL documentation for details.</para>
>  
>          <para>Remember that if you configure your server to only allow
>            certain SASL authentication mechanisms, this forces all
> 
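Review bot: "such as in an SQL database" should be "such as an SQL database", since the sentence already says "stored in other places". "Consult the full SASL documentation for details" will lead readers straight back to the saslauthd and LDAP setups the warning above rules out; a back-reference to that warning here would close the loop.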
> _______________________________________________
> svnbook-dev mailing list
> svnbook-dev at red-bean.com
> http://www.red-bean.com/mailman/listinfo/svnbook-dev
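As an added illustration of the point the patch makes (this is not code from the thread, the book, or the Subversion project), here is the Cyrus SASL application config that svnserve reads, with the saslauthd-backed setup the warning rules out shown beside a DIGEST-MD5/sasldb setup that does work over svn://, followed by the matching svnserve.conf [sasl] section. The config file path /usr/lib/sasl2/svn.conf and the database path /etc/my_sasldb are assumptions (the book names the file subversion.conf or svn.conf); pwcheck_method, auxprop_plugin, sasldb_path and mech_list are Cyrus SASL options, and use-sasl and min-encryption are svnserve.conf's own [sasl] options.

```ini
# /usr/lib/sasl2/svn.conf   (path is an assumption; the book calls the file
# subversion.conf or svn.conf)

# --- Setup the warning rules out. saslauthd only ever receives a plaintext
# --- password, so it can only back PLAIN and LOGIN, and svnserve disables
# --- both because svn:// carries no TLS. Clients end up with no usable
# --- mechanism and authentication fails.
#pwcheck_method: saslauthd
#mech_list: PLAIN LOGIN

# --- Setup that works over svn://. The shared-secret mechanisms never put
# --- the password on the wire; the server needs the secret itself, which a
# --- local sasldb (populated with saslpasswd2, as in the book) provides.
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/my_sasldb
mech_list: DIGEST-MD5 CRAM-MD5

# conf/svnserve.conf inside the repository
[sasl]
use-sasl = true
# Require DIGEST-MD5's security layer so the session after authentication
# is encrypted as well; 0 would permit an unencrypted session.
min-encryption = 128
```

With mech_list restricted this way, a client that only offers PLAIN or LOGIN is rejected up front rather than silently falling back, and the saslauthd line, if uncommented, would fail the same way the thread describes.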
