Sunday, March 15, 2015

SVN with LDAP authentication - Step 2

In the first step, I have setup SVN with SASL authentication using a password file. The next step is to use LDAP authentication instead. To do that, we will need SASLAUTHD. SASLAUTHD is an authentication daemon that provides authentication service. To configure it, we will need to edit two configuration files on Debian. The first one is /etc/default/saslauthd. The following lines need to be changed.


While you are at it, take a note at the last line. Mine has

OPTIONS="-c -m /var/run/saslauthd"

This line tells you where the daemon is listening at (in this case /var/run/saslauthd). Now the second configuration file /etc/saslauthd.conf.

ldap_servers: ldap://
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ldap/myldapca.crt
ldap_auth_method: bind
ldap_bind_dn: cn=bindcn,dc=mydomain,dc=com
ldap_password: supersecretstuff
ldap_search_base: ou=Users,dc=mydomain,dc=com
ldap_filter: (&(uid=%U))

This file simply tells SASLAUTHD how to contact the LDAP server. Save and restart the saslauthd by typing

service saslauthd restart

Then you are good to go. First to test the SASLAUTHD authentication by

testsaslauthd -u username -p password

In this way, we can verify that the SASLAUTHD is working as intended. Once that is verified, the last step is to modify SASL to use SASLAUTHD. This is done by changing /usr/lib/sasl2/svn.conf (see my Step 1 post) to the following:

pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
mech_list: PLAIN LOGIN

Notice the saslauthd_path. It is the path where the SASLAUTHD is listening (which we got earlier in this post form /etc/default/saslauthd). Your process do need to have read/write access to that folder. This can be done by adding the user you are running svnserve with to the sasl group.

One more note here: in the svnserve.conf file (under conf directory of the repository), the min-encryption need to be set to 0, otherwise it would not work on my setting. Also I read somewhere that SASLAUTHD only supports plain and login, not any of the digest methods. This really make this method un-secure because the password will be transmitted in clear text.

So in the end, after all these trouble, I went back to move my SVN server to be served with Apache2 server through SSL (sorry, no Nginx or anything else, only Apache2 works). That seems to be the only secure solution right now (other than SVN+SSH, then I will need to create many user accounts on my SVN server, which is not good).

No comments: