Subversion 1.5.1 authentication with OpenLDAP 2.4.11 via SASL2:
trouble, svn never contacts LDAP :-(
ohartman at zedat.fu-berlin.de
Tue Sep 2 14:20:52 UTC 2008
I'm like floating helpless in the water. Scenario: I'd like to
authenticate some useres having write access to specific repositories on
the subversion server via OpenLDAP and already set up things, which
are decribed below in further detail. But trying to check out or import
or check in things never worked due to svnserve never contacts the LDAP.
I think I have already every prerequisite software installed. Here it is:
cyrus-sasl-2.1.22_1 RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-ldapdb-2.1.22 SASL LDAPDB auxprop plugin
openldap-sasl-client-2.4.11 Open source LDAP client implementation with
openldap-sasl-server-2.4.11 Open source LDAP server implementation
OpenLDAP is running fine, subversiona is also running fine.
Out of the most recent documentations I took several 'cook-book'
examples to perform successfully access to repositories by LDAP
In LDAP I created
olcAuthzRegEx with uid
The DIT contains this entity:
I created a file in /usr/local/etc/sasl2/svn.conf which conatins
The autheticating client machine is already part of an LDAP backed up
network and authenticates users successfully.
A server.pem and server.key SSL certificate and key-file are present and
have been approved working.
After installing cyrus-sasl2-ldap port I recompiled everything (LDAP,
subversion and fellows ...) making sure I did not forget anything.
Subversion's repository has been configured out of the handbook, very
simple and is already using SASL. But whatever I do, svn complains about
non-existent users in the database:
svn: Authentication error from server: SASL(-13): user not found: no
secret in database
svn: Your commit message was left in a temporary file:
On the LDAP-server side, I never see a contact-attempt (server runs with
logging ACL and stats), nor do I see any reasonable logging messages on
the client side although I configured loglevel 7, but this seems to be a
simple bogus fake option.
I can't tell how many different ways I tried (but with that crap of
documentation in SASL it is hard to come along with some clues).
I also tried the different ways of user mapping described in the
OpenLDAP 2.4 docu, but without success - I can't see any logging when
the attempt to access a mapped user is performed. Even worser, it is
impossible to make 'authzTo' visible in ldapvi or LUMA, so I fly blind
when creating/adding this attribute.
Well, I'm not capable of getting any LDAP contact so I guess there is
something special with the port or I'm to stupid reading the documentation.
If there is someone out here running a similar scenario, you are welcome
to give me some hints.
Thanks in advance,
More information about the freebsd-questions