Sunday, March 8, 2015

SVN with LDAP authentication: Step 1

My work setup has got too many places that needs authentication. There has been six or seven logins and passwords I need to use constantly, so I have finally decided to spend some time to get LDAP working. I have wanted to do that for a while, but every time I looked at it, it looks pretty thick and complicated. It indeed is. There is very few documentations, and I found that there are fair amount of mistakes in them. So I am writing this down as a record, and also as a way to share my mistakes.


First, it is probably a good idea to read some introduction to LDAP. This 10-min tutorial is so thick that I am not sure it is actually helping. Later, I found one that is actually just a personal note, but is surprisingly clear and helpful. That is a must read for a quick understanding of what everything is there.

Svnserve with SASL

The first step is to setup svnserve with SASL. This is a well documented process, and easy to test to be sure that everything works. First of all, run svnserve to make sure that SASL is supported. I installed this on Debian 7.8.0 (March 2015), and the output is as below.

Two configuration files need to be modified. The first one is svnserve.conf. It is located at the "conf" directory of the repository to be served. The line of "use_sasl" need to be set true.

use-sasl = true

The second file is svn.conf for SASL. This is a little tricky, and not much information is available. I believe the svnserve will need to use SASL library to access authentication, and SASL library will load a configuration file for the application (which is svn in this case) in a known folder (which is /usr/lib/sasl2 in Debian). The file does not exist and will need to be created.

In this first step, I tried to use a password file that holds the username and password hash for SASL. This is so that I can first verify that svnserve is correctly working with SASL, and then later I will change that to use LDAP. For now, my svn.conf looks like following (in this first step).

pwcheck_method: auxprop
auxprop_plugin: sasldb
# you may use /etc/svn_sasldb here
sasldb_path: /path/db_name
mech_list: DIGEST-MD5

Then the password file can be created with the following command.
saslpasswd2 -f /path/db_name -c -u realmname username

Restart svnserve and test away. That is the first step.

No comments: