SASL2, Subversion and LDAP authentication

O. Hartmann ohartman at zedat.fu-berlin.de
Mon Aug 25 07:45:29 UTC 2008


Sirs,

I already set up a working Subversion server and need to authenticate 
accessing users against an LDAP server. The LDAP serving machine is 
located on another box and compiled against cyrus-sasl2-port. OpenLDAP 
(2.4.11), Subversion (1.5.X as taken from the ports) are capable of 
handling SASL2, so I double checked this.
I followed the instructions to set up subversion 
connecting/authenticating users via sasl2 but I do not have any success. 
It is said that for subversion I need to create a config file 
'svn.conf' in the place where sasl2 expects plugins, so this is 
/usr/local/lib/sasl2. There resides a chmod'd 755 file named svn.conf 
with this content:

auxprop_plugin:         ldap
pwcheck_method:         auxprop
ldapdb_uri:             ldap://my.ldap.server/
ldapdb_id:              anonymous
ldapdb_pw:
ldapdb_mech:            EXTERNAL
ldapdb_rc:              /usr/local/etc/sasl2/ldaprc
ldapdb_startls:         yes
mech_list:              EXTERNAL
log_level:              7

The file /usr/local/etc/sasl2/ldaprc contains LDAP specific parameters 
like TLS_CACERT file etc.

Well, someone would complain about ldapdb_id and ldapdb_pw; they are set 
to bogus values at the moment as I try to figure out how things work 
(the documentation is more than bad in this subject).

My problem is as follows: whenever I try to access the repository which 
should authenticate against LDAP I get a SASL error complaining about a 
non-accessible Berkeley db, /usr/local/etc/sasl2db not accessible 
(permission denied). Well, this confuses me. That means subversion is 
NOT accessing the LDAP path; it seems it uses authd (sasl2) directly. I 
try to log the console and slapd output, but neither shows anything 
except that the console log shows the mentioned Berkeley db issue.

My LDAP server is configured not to authenticate clients via their own 
SSL certificates, so the bogus 'anonymous' tag and empty password are 
simply there so that I can get LDAP's and subversion's log messages 
triggered - if subversion will ever contact LDAP.

I guess subversion never looks for a config file 'svn.conf' in 
/usr/local/lib/sasl2/.

Well, I'm a little bit desperate about my lack of knowledge of sasl2 and 
how it works, so if there is someone out here with a working 
subversion/ldap configuration on FreeBSD (I use everywhere 7.0-STABLE) I 
appreciate any comments, tips and hints.

Thank you very much in advance,

Oliver
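A small checker for a SASL application config like the svn.conf above, added here as an example and not taken from the post or from Cyrus SASL. It parses the "option: value" format, flags ldapdb_* option names that the plugin does not know (the list of documented names is an assumption taken from the Cyrus SASL options documentation), notes when pwcheck_method auxprop is used without naming a plugin (libsasl then also consults sasldb, a Berkeley DB file), and warns when a non-empty ldapdb_pw sits in a world-readable file; the sample input is the config from the post, checked with the 755 mode it mentions.

```python
import stat

# Option names documented for the Cyrus SASL ldapdb auxprop plugin
# (assumption: taken from the SASL options documentation, not from the post).
LDAPDB_OPTS = {"ldapdb_uri", "ldapdb_id", "ldapdb_pw", "ldapdb_mech",
               "ldapdb_rc", "ldapdb_starttls", "ldapdb_canon_attr"}

# Constructed sample: the svn.conf exactly as given in the post.
SAMPLE_SVN_CONF = """\
auxprop_plugin:         ldap
pwcheck_method:         auxprop
ldapdb_uri:             ldap://my.ldap.server/
ldapdb_id:              anonymous
ldapdb_pw:
ldapdb_mech:            EXTERNAL
ldapdb_rc:              /usr/local/etc/sasl2/ldaprc
ldapdb_startls:         yes
mech_list:              EXTERNAL
log_level:              7
"""


def parse_sasl_conf(text):
    """Parse 'option: value' lines into a dict; '#' lines are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition(":")
            if sep:
                opts[key.strip()] = value.strip()
    return opts


def lint_sasl_conf(opts, mode=0o644):
    """Return findings for an ldapdb-backed config; 'mode' is st_mode & 0o777."""
    findings = []
    # A misspelled ldapdb_* option is silently ignored by the plugin.
    for key in opts:
        if key.startswith("ldapdb_") and key not in LDAPDB_OPTS:
            findings.append(f"unknown option {key!r} (ignored by ldapdb)")
    # With no plugin named, libsasl consults every auxprop plugin it has
    # loaded, sasldb (a Berkeley DB file) included.
    if opts.get("pwcheck_method") == "auxprop" and "auxprop_plugin" not in opts:
        findings.append("pwcheck_method auxprop without auxprop_plugin")
    # A bind password in a world-readable file is readable by every local user.
    if opts.get("ldapdb_pw") and mode & stat.S_IROTH:
        findings.append("ldapdb_pw set but file is world-readable")
    return findings


if __name__ == "__main__":
    for finding in lint_sasl_conf(parse_sasl_conf(SAMPLE_SVN_CONF), 0o755):
        print(finding)
```

The checker only reports on the file's contents; if libsasl never reads the file at all (wrong directory for the application name), none of the options in it take effect regardless of what the lint says.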
-- 