7

I'm trying to set up SVN to authenticate against an ActiveDirectory. I know this is possible if you set up SVN to be served using Apache, but doing so introduces too much overhead, and SVN runs too slow. From reading the SVN docs, it sounds like it should now be possible (since SASL was integrated into SVN in 1.5) to configure SVN to authenticate against ActiveDirectory without using Apache. Unfortunately the documentation from SVN and SASL is extremely generic, and lacks specifics to help get this working properly.

Has anyone gotten this working? It would be a huge help if you could provide some sample configuration files, or high-level steps to point myself (and likely others) in the right direction on this.

Ken Mason
  • 712
  • 2
  • 7
  • 16

4 Answers4

3

SVN with SASL enabled (on a Debian v7 box), using Active Directory (on another server)

note that I already setup samba and winbind, which included libsasl2-2 so also get the startup executable and svnserve and modules (needed for svn plain (or other) mechanism to work, which (just FYI) puts them in /usr/lib/x86_64-linux-gnu/sasl2/libplain.so):

sudo apt-get install sasl2-bin svnserve libsasl2-modules

sudo pico /etc/default/saslauthd

change START=no to START=yes, and MECHANISMS="pam" to MECHANISMS="ldap", and THREADS=0 (not 5), and remove the /var in front of /run from the last line so that it's OPTIONS="-c -m /run/saslauthd"; control x, y, enter

sudo pico /etc/saslauthd.conf

Add the following (note: you may need an "ou=folder" in front of the dc= series):

ldap_servers: ldap://hostname.of.server<br />
ldap_search_base: dc=hostname,dc=of,dc=server<br />
ldap_bind_dn: cn=usernamehere,dc=hostname,dc=of,dc=server<br />
ldap_bind_pw: password<br />
ldap_filter: samaccountname=%u<br />
sudo /etc/init.d/saslauthd start

Run sudo testsaslauthd -u usernamehere -p password to test the ldap setup and cat /var/log/auth.log to see log.

Add following lines to a file /usr/lib/sasl2/svn.conf:

pwcheck_method: saslauthd
mech_list: plain

Create repository:

mkdir /data
svnadmin create /data/repohere

assuming some sort of previous "svnadmin dump /data/repohere >/data/repohere.dump" svnadmin load /data/repohere 

pico /data/repohere/conf/svnserve.conf

uncomment (remove the leading pound and the leading space); and, modify anon-access and authz-db (and note that I put authz in /data so than my multiple repos share it):

anon-access = none<br />
auth-access = write<br />
authz-db = ../../authz<br />
use-sasl = true<br />
pico /data/authz

add the following:

[groups]<br />
whatever = username1,username2<br />
[/]<br />
@whatever = rw<br />

to schedule svnserve on startup (sorry, couldn't find one, so manually make one):

sudo cp /etc/init.d/skeleton /etc/init.d/svnserve
sudo chmod 755 /etc/init.d/svnserve
sudo update-rc.d svnserve defaults
sudo pico /etc/init.d/svnserve

change DESC to "subversion server", change NAME to "svnserve", take out the "s" in the "sbin" of DAEMON (to make it just /bin/), change DAEMON_ARGS to "-d -r /data --log-file /var/log.svn.log"

sudo /etc/init.d/svnserver start

test your favorite svn client (e.g. TortoiseSVN)!

zdenek
  • 21,428
  • 1
  • 12
  • 33
S Hunter Simpson
  • 129
  • 5
  • i'm trying to use `SASL` to authenticate against my active directory, any idea? https://stackoverflow.com/questions/36874163/sasl-ldap-authentication-failure – Gurkha Apr 29 '16 at 19:01
1

Run SVN on windows using VisualSVN Server

Zote
  • 5,343
  • 5
  • 41
  • 43
1

I found this post in one of the mailing lists. Next time I try to get this working I'm going to reference this information. I'll quote it below for reference.

I have just tried getting svnserve + SASL working on Windows, with help from Mark Phippard, and there are a few additions/corrections needed to the svn.serverconfig.svnserve.sasl section.

  1. You talk about the subversion.conf file, but on Windows at least it is called svn.conf.

  2. Under Windows the default name for the database file is sasldb2 located in C:\CMU. If you do not specify anything in svn.conf, this is where SASL will look for it when trying to authenticate for Subversion.

  3. However, you can specify the SASL database file to use by adding another line to svn.conf, of the form: sasldb_path: c:\svn_repository\sasldb That is, a file called sasldb in c:\svn_repository

  4. The registry keys could be better described: SearchPath - directory path containing the sasl*.dll plugins, e.g. saslCRAMMD5.dll (we're not talking about libsasl.dll here). ConfFile - directory path containing the svn.conf file. Note the inconsistency here: this is the directory containing the conf file, whereas the sasldb_path value in the conf file points to the database file itself, not its containing directory.

  5. When using saslpasswd2 on Windows, you need to specify the database file explicitly (don't think it will use c:\CMU\sasldb2 as a default), so a better example of the command line would be:

saslpasswd2 -c -f c:\svn_repository\sasldb -u realm username

  1. Windows users don't (usually) build their own programs - they have servants/developers to do that for them ;-) So where are they gonna get saslpasswd2 from? Open Collab Net have a convenient svn server installer which includes these programs, and even installs svnserve as a service. Might be worth a mention. Not sure what link you would provide as it only exists on the merge-tracking/Beta site at present.

Simon

jpierson
  • 16,435
  • 14
  • 105
  • 149
0

I think it's technically possible. See the link point 8.GSSAPI and microsoft technet article as well.

I've hands-on experience with SVN 1.6 + SASL as described here. It's works fine for us. So I think your biggest challenge is to "married" SASL and Active directory.

FoxyBOA
  • 5,788
  • 8
  • 48
  • 82