Package: subversion
Version: 1.6.17dfsg-4+deb7u3
After upgrading a server from Squeeze to Wheezy, the SASL authentication
for svnserve using saslauthd and LDAP is no longer working. I've tried
connecting with both a Squeeze (1.6.12dfsg-6) subversion client and a
Wheezy (1.6.17dfsg-4+deb7u3) subversion client with the same results (it
just prompts for the username/password over and over).
For testing, I ran the saslauthd daemon in debug mode and used the
testsaslauthd program to test it. This appears to authenticate (and
deny) correctly.
# testsaslauthd -u user1 -p password
0: OK "Success."
# testsaslauthd -u user1 -p badpassword
0: NO "authentication failed"
saslauthd output:
saslauthd[27403] :rel_accept_lock : released accept lock
saslauthd[27403] :cache_get_rlock : attempting a read lock on slot: 95
saslauthd[27404] :get_accept_lock : acquired accept lock
saslauthd[27403] :cache_lookup : [login=user1] [service=] [realm=imap]: not found, update pending
saslauthd[27403] :cache_un_lock : attempting to release lock on slot: 95
saslauthd[27403] :cache_get_wlock : attempting a write lock on slot: 95
saslauthd[27403] :cache_commit : lookup committed
saslauthd[27403] :cache_un_lock : attempting to release lock on slot: 95
saslauthd[27403] :do_auth : auth success: [user=user1] [service=imap] [realm=] [mech=ldap]
saslauthd[27403] :do_request : response: OK
saslauthd[27404] :rel_accept_lock : released accept lock
saslauthd[27404] :cache_get_rlock : attempting a read lock on slot: 95
saslauthd[27404] :cache_lookup : [login=user1] [service=] [realm=imap]: found with invalid passwd, update pending
saslauthd[27405] :get_accept_lock : acquired accept lock
saslauthd[27404] :cache_un_lock : attempting to release lock on slot: 95
saslauthd[27404] :do_auth : auth failure: [user=user1] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[27404] :do_request : response: NO
When I run the svnserve daemon in "debug" mode and test using the svn
client, I don't get any additional information as to why it failed. I
also don't see ANY additional output from saslauthd, so it seems like
svnserve is not even trying to authenticate using saslauthd.
Debug command (with no output):
/usr/bin/svnserve -d -r /var/lib/svn --foreground
I do see the following entries in /var/log/auth.log:
Jun 19 10:48:04 server1 svnserve: DIGEST-MD5 common mech free
Jun 19 10:48:41 server1 svnserve: DIGEST-MD5 common mech free
It's almost like it's not allowing the auth mechanisms that saslauthd
requires (PLAIN and LOGIN). I never saw any log entries for svnserve
under Squeeze.
Here are the config file contents using the most simplified setup I can
come up with (no extra library layers like SSL):
------------------------------------------------------------
/var/lib/svn/conf/svnserve.conf
------------------------------------------------------------
[general]
anon-access = none
realm = Subversion Repository
[sasl]
use-sasl = true
------------------------------------------------------------
------------------------------------------------------------
/etc/saslauthd.conf
------------------------------------------------------------
ldap_servers: ldap://ldap.example.com
ldap_default_domain: example.com
ldap_search_base: dc=example,dc=com
ldap_bind_dn: cn=readonly,dc=example,dc=com
ldap_bind_pw: PW_HERE
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
ldap_filter: uid=%u
ldap_password_attr: userPassword
ldap_timeout: 5
ldap_cache_ttl: 30
ldap_cache_mem: 32768
------------------------------------------------------------
------------------------------------------------------------
/usr/lib/sasl2/svn.conf
------------------------------------------------------------
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN LOGIN
# this is used just to prevent a warning in the logs. The
# real settings are in /etc/saslauthd.conf
ldapdb_uri: ldap://ldap.example.com
------------------------------------------------------------
------------------------------------------------------------
/etc/default/saslauthd
------------------------------------------------------------
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"
------------------------------------------------------------
Thanks.
--
Justin Pasher
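
Added example, not part of the original report and not Subversion or Cyrus SASL project code: a small consistency check over the two files quoted above, flagging a mech_list that saslauthd cannot serve (it can only verify a cleartext password, hence PLAIN and LOGIN) and the transport consequence of allowing only those mechanisms. The names parse_sasl_conf and lint are hypothetical; min-encryption is an svnserve.conf [sasl] option that the report does not set and is assumed to default to 0.

```python
import configparser

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that give the server the cleartext password

# Constructed sample input: the two files as quoted in the report above.
SASL_CONF = """pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN LOGIN
# real settings are in /etc/saslauthd.conf
ldapdb_uri: ldap://ldap.example.com
"""
SVNSERVE_CONF = """[general]
anon-access = none
realm = Subversion Repository
[sasl]
use-sasl = true
"""

def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines, skipping comments and blanks."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def lint(sasl_text, svnserve_text):
    """Hypothetical helper: list mismatches between the two configs."""
    sasl = parse_sasl_conf(sasl_text)
    svn = configparser.ConfigParser()
    svn.read_string(svnserve_text)
    findings = []
    if not svn.getboolean("sasl", "use-sasl", fallback=False):
        findings.append("use-sasl is off: svnserve will not use Cyrus SASL")
    if "saslauthd" not in sasl.get("pwcheck_method", "").split():
        return findings
    mechs = set(sasl.get("mech_list", "").upper().split())
    extra = sorted(mechs - PLAINTEXT_MECHS)
    if not mechs:
        findings.append("mech_list unset: every installed mechanism is offered")
    elif extra:
        findings.append("saslauthd cannot verify: " + " ".join(extra))
    elif svn.getint("sasl", "min-encryption", fallback=0) > 0:
        findings.append("min-encryption > 0 but PLAIN/LOGIN add no SASL security layer")
    else:
        findings.append("cleartext passwords on svn://; protect the transport")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SASL_CONF, SVNSERVE_CONF)))
```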