I'm also using apache to authenticate svn against LDAP, but using apache (DAV) to access SVN is damn slow. I recommend my users to use svn+ssh but it would be much simpler (especially for windows users) to be able to use plain svn:// (which I currently do not support).
On Mon, Jan 25, 2010 at 6:02 AM, Pablo Manuel Rizzo <i...@pablorizzo.com> wrote:
> I'm using apache to authenticate svn against ldap.
>
> On Mon, Jan 25, 2010 at 05:50, Johan Corveleyn <johan.corvel...@uz.kuleuven.ac.be> wrote:
>
>> [sending to users@subversion.apache.org, iso us...@subversion.tigris.org (which is closed)]
>>
>> Hi Mark,
>>
>> I'm sorry, I have no experience getting SASL to work with pam. But I remember having read some things about pam in the Cyrus SASL documentation pages (included with the distribution I think). So I suppose it should work.
>>
>> Maybe someone else on the (correct) subversion users list can help you?
>>
>> You could also have a look at the cyrus-sasl mailing list and/or archive:
>> http://cyrusimap.web.cmu.edu/lists.html
>>
>> Regards,
>> Johan
>>
>> > -----Original Message-----
>> > From: grim...@gmail.com [mailto:grim...@gmail.com] On Behalf Of Mark Keisler
>> > Sent: Sunday, January 24, 2010 20:05
>> > To: Johan Corveleyn
>> > CC: i...@pablorizzo.com; us...@subversion.tigris.org
>> > Subject: Re: How to authenticate Subversion with SASL2 + LDAP
>> >
>> > On Mon, Jun 15, 2009 at 9:36 AM, Johan Corveleyn <johan.corvel...@uz.kuleuven.ac.be> wrote:
>> > > -----Original Message-----
>> > > From: rizzopa...@gmail.com [mailto:rizzopa...@gmail.com] On Behalf Of Pablo Manuel Rizzo
>> > > Sent: Thursday, June 11, 2009 16:15
>> > > To: us...@subversion.tigris.org
>> > > Subject: Re: How to authenticate Subversion with SASL2 + LDAP
>> > >
>> > > On Thu, Jun 11, 2009 at 11:03, Stefan Sperling <s...@elego.de> wrote:
>> > >
>> > > On Thu, Jun 11, 2009 at 10:43:13AM -0300, Pablo Manuel Rizzo wrote:
>> > > > Hey Andrey, first you say it's not possible, now you say it's all there.
>> > > > Is something wrong with you?
>> > >
>> > > I'd say he just didn't know that SASL auth was added to svnserve.
>> > > It's a new feature.
>> > >
>> > > > Does anybody know how to use sasl to authenticate subversion with ldap?
>> > >
>> > > The book suggests that you read the SASL documentation to find out how to configure a given authentication scheme. Have you read this part of the svnbook?
>> > >
>> > > I quote http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sasl
>> > >
>> > > Because SASL provides so many different kinds of authentication mechanisms, it would be foolish (and far beyond the scope of this book) to try to describe every possible server-side configuration. Instead, we recommend that you read the documentation supplied in the doc/ subdirectory of the SASL source code. It goes into great detail about every mechanism and how to configure the server appropriately for each.
>> > >
>> > > Have you tried that?
>> > >
>> > > Yes, sasl documentation is quite poor, there are no quick tips or how tos. I see many people in this list and many others and forums are looking for a quick how-to too. If someone in this list was able to make it work and is willing to share how, it would be very nice and useful to publish this information somewhere.
>> > >
>> > SASL documentation is indeed very poor, and certainly when you're trying to focus on use of LDAP with svnserve. You have to learn all about the different password exchange mechanisms (plain, md5-digest, cram-digest, ...) figuring out all about saslauthd and other stuff, while all you want to know is: where do I configure the LDAP server, bind dn and bind password and stuff like that (like with Apache + LDAP).
>> >
>> > Short answer: it's not possible, unless you apply a specific patch and build svn server from source. See e.g. http://svn.haxx.se/dev/archive-2008-01/0719.shtml. I haven't tried it myself though (can't compile from source).
>> >
>> > The reason why it's not possible, despite what the documentation of SVN says? Read the "Known Issues" in http://svn.collab.net/repos/svn/trunk/notes/sasl.txt:
>> > -----
>> > ...
>> > As a consequence, you won't be able to use the saslauthd daemon to authenticate users, because that method only works with plain text passwords.
>> > -----
>> > And it just so happens that LDAP authentication only works with saslauthd (and plain text passwords).
>> >
>> > This was one of my major frustrations when trying to get SVN up and running for the first time. We wanted to go for svnserve to get the last drop of performance out of it (and seemingly simple to set up). I lost days and days looking for a solution, why it wouldn't work despite following carefully the SASL instructions, ... until I found that "known issue" in the sasl.txt file. In the end we switched to Apache just for this (I have not regretted it, but just the time I lost with that ... I would have liked to have known this beforehand).
>> >
>> > The SVN devs could do current and future SVN users, administrators, ... a big service by clearly documenting this! Please put this in big bold letters in the book: svnserve + SASL + LDAP is not supported. Don't let people work on this assumption until they find the small print in that sasl.txt file. Please don't act in the book like all the SASL mechanisms are supported, because they clearly are not.
>> >
>> > And if it ever would be supported: please provide a simple example in the book for getting this up and running.
>> >
>> > Kind regards,
>> > Johan
>> >
>>
>> Sorry to revive an old thread, but can you use SASL auth with pam backend and use pam_ldap? Personally, I already use pam_ldap for auth on my server (which also helps support svn+ssh for those that don't use keys).
>>
>
> --
> Pablo Manuel Rizzo
> -------------------------------
> http://pablorizzo.com
> -------------------------------
>
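
Added example, not part of the thread above and not Subversion or Cyrus SASL code: a small Python check for the mismatch the quoted "Known Issues" text describes, where a Cyrus SASL server config uses `pwcheck_method: saslauthd` but offers mechanisms other than the plaintext ones saslauthd can verify. The function names and the sample configs are constructed for illustration; `pwcheck_method` and `mech_list` are the standard Cyrus SASL option names.

```python
# Mechanisms that hand the server a cleartext password, which is all saslauthd can verify.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines, skipping blanks and # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def check_saslauthd_mechs(conf_text):
    """Return (severity, message) findings for a saslauthd-backed config."""
    opts = parse_sasl_conf(conf_text)
    findings = []
    # Cyrus SASL defaults to auxprop when pwcheck_method is not set.
    if "saslauthd" not in opts.get("pwcheck_method", "auxprop").split():
        return findings  # saslauthd is not in use; nothing to check here
    mechs = opts.get("mech_list", "").upper().split()
    if not mechs:
        findings.append(("warn", "mech_list is unset: every installed mechanism is offered"))
    bad = [m for m in mechs if m not in PLAINTEXT_MECHS]
    if bad:
        findings.append(("error", "saslauthd cannot verify: " + ", ".join(bad)))
    if any(m in PLAINTEXT_MECHS for m in mechs):
        findings.append(("warn", "PLAIN/LOGIN send the cleartext password; encrypt the transport"))
    return findings

# Constructed sample configs (not taken from the thread).
CONSTRUCTED_BROKEN = "pwcheck_method: saslauthd\nmech_list: DIGEST-MD5 CRAM-MD5\n"
CONSTRUCTED_PLAINTEXT = "# LDAP via saslauthd\npwcheck_method: saslauthd\nmech_list: plain login\n"

if __name__ == "__main__":
    for name, conf in [("broken", CONSTRUCTED_BROKEN), ("plaintext", CONSTRUCTED_PLAINTEXT)]:
        for severity, message in check_saslauthd_mechs(conf):
            print(f"{name}: {severity}: {message}")
```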