Re: subversion, saslauthd, ldap and encryption

On 10/01/12 15:44 +0200, Arnau Bria wrote:
> This is my first e-mail in this list. My name is Arnau Bria and I live
> in Barcelona (SPAIN). Let me say hi to everybody.
> I have a problem with svn+saslauth+ldap. I think this is the correct
> place for asking it because the error is SASL-related.
>
> I had a svn server using sasldb file for
> authentication and sasl for data encryption.
> [general]
> authz-db = authzfile
> anon-access = none
> realm = puppet
>
> [sasl]
> use-sasl = true
> min-encryption = 128
> max-encryption = 256
>
> # cat /etc/sasl2/svn.conf
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> sasldb_path: /etc/my_sasldb
> mech_list: DIGEST-MD5
>
> It worked really fine.
>
>
> SOCKETDIR=/var/run/saslauthd
> MECH="ldap"
> FLAGS=
> START="yes"
>
> #/usr/lib64/sasl2/svn.conf
> pwcheck_method: saslauthd
> auxprop_plugin: ldap
> mech_list: PLAIN LOGIN
> ldapdb_mech: PLAIN LOGIN
>
>
> Works fine. This is an ldaps server, so data is encrypted.
>
> # testsaslauthd -u arnaubria  -p XXXXXXXX
> 0: OK "Success."
>
> SVN works great too.
>
> But, when I try to add sasl encryption to SVN:
>
> [sasl]
> use-sasl = true
> min-encryption = 128
> max-encryption = 256
>
> svn gives me the error:
>
> svn: Could not obtain the list of SASL mechanisms

This result is not due to the fact that you are using the ldap saslauthd
backend, but because you are using PLAIN and LOGIN, which do not provide
network protection. See:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/mechanisms.php

And the 'Max SSF' column.

saslauthd requires the receipt of a plain text password for verification.
DIGEST-MD5 is not possible in this kind of set up.

If you can protect your subversion session with TLS, then that may suffice.

You could use the ldapdb auxprop plugin, instead of the saslauthd ldap
backend, to support DIGEST-MD5 and network protection.

> From Subversion guide:
>
> http://svnbook.red-bean.com/en/1.5/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sasl
>
> that min/max-encryption value encrypts data over the network, but then
> ldap auth does not work.
> What is happening when I add data encryption? Why does auth fail? (I have
> a guess: when adding in-encryption auth is also encrypted and ldap does
> not know how to reply... am I right?)
>
> May I use SASL for network encryption when doing auth through ldap?
>
>
> TIA,
> Arnau


--
Dan White
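As an added illustration of the point Dan makes above (this is not code from the thread, nor from the Cyrus SASL or Subversion projects): a small Python checker that reads the [sasl] section of an svnserve.conf and a cyrus-sasl style svn.conf, then reports which of the listed mechanisms the server could actually offer. The Max SSF of 0 for PLAIN and LOGIN comes from the mechanisms table linked in the reply; the DIGEST-MD5 entry in MAX_SSF, the PLAINTEXT_MECHS set, and the embedded sample configs are assumptions modelled on the configuration quoted in the thread.

```python
import configparser

# Maximum security strength factor (SSF) a mechanism can negotiate.
# PLAIN and LOGIN give no network protection (Max SSF 0), per the Cyrus SASL
# mechanisms table cited in the reply. The DIGEST-MD5 figure is an assumption
# consistent with the quoted sasldb setup that worked with min-encryption = 128.
MAX_SSF = {"PLAIN": 0, "LOGIN": 0, "DIGEST-MD5": 128}

# Mechanisms that hand the server the clear-text password, which is what
# saslauthd needs in order to verify it (assumption drawn from the reply).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample inputs, modelled on the configs quoted in the thread.
SVNSERVE_CONF_ENCRYPTED = """\
[general]
authz-db = authzfile
anon-access = none
realm = puppet

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
"""

SVN_CONF_SASLAUTHD = """\
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN LOGIN
"""

SVN_CONF_SASLDB = """\
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/my_sasldb
mech_list: DIGEST-MD5
"""


def parse_sasl_conf(text):
    """Parse a cyrus-sasl 'key: value' file (such as svn.conf) into a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        opts[key.strip()] = value.strip()
    return opts


def svnserve_encryption_range(svnserve_conf):
    """Return (min-encryption, max-encryption) from svnserve.conf's [sasl] section.

    If SASL is not enabled the server imposes no SSF requirement, so (0, 0).
    """
    cp = configparser.ConfigParser()
    cp.read_string(svnserve_conf)
    if not cp.has_section("sasl") or not cp.getboolean("sasl", "use-sasl", fallback=False):
        return (0, 0)
    return (cp.getint("sasl", "min-encryption", fallback=0),
            cp.getint("sasl", "max-encryption", fallback=256))


def diagnose(svnserve_conf, sasl_conf):
    """Return (offered, rejected): mechanisms that satisfy both the SSF floor and
    the password-check method, and a reason for each mechanism that does not."""
    min_ssf, _ = svnserve_encryption_range(svnserve_conf)
    opts = parse_sasl_conf(sasl_conf)
    mechs = [m.upper() for m in opts.get("mech_list", "").split()]
    pwcheck = opts.get("pwcheck_method", "auxprop")
    offered, rejected = [], {}
    for m in mechs:
        ssf = MAX_SSF.get(m, 0)
        if ssf < min_ssf:
            rejected[m] = "max SSF %d is below min-encryption %d" % (ssf, min_ssf)
        elif pwcheck == "saslauthd" and m not in PLAINTEXT_MECHS:
            rejected[m] = "saslauthd needs a clear-text password, which %s never sends" % m
        else:
            offered.append(m)
    return offered, rejected


if __name__ == "__main__":
    for label, conf in (("saslauthd/ldap", SVN_CONF_SASLAUTHD), ("sasldb", SVN_CONF_SASLDB)):
        offered, rejected = diagnose(SVNSERVE_CONF_ENCRYPTED, conf)
        print("%s: offered=%s" % (label, offered or "none (svn cannot obtain a mechanism list)"))
        for mech, why in rejected.items():
            print("  %s rejected: %s" % (mech, why))
```

Running it against the two quoted configurations shows why the error appears only in the saslauthd setup: with min-encryption = 128 nothing in `PLAIN LOGIN` clears the SSF floor, so the server has no mechanism to advertise, while the sasldb setup still offers DIGEST-MD5. Pointing saslauthd at DIGEST-MD5 is reported as unusable for the reason Dan gives, which is why the reply suggests either TLS around the session or the ldapdb auxprop plugin.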

