Using SASL for LDAP/mod_authz_ldap
Dan White
dwhite at olp.net
Wed Oct 22 17:40:16 EDT 2008
Darren Hartford wrote:
>
> Hey all,
>
> Usecase blurb:
>
> I’ve been trying to follow the **many** threads on both tigris and
> collabnet where people are trying to get the ‘svnserve’ tool setup to
> use SASL w/ ldap. No one has met with success, or if they have there
> is insufficient information to reproduce.
>
> Discussions around saslauthd, auxprop, PAM, and EXTERNAL bounce around.
>
> Most people have gone back to using apache/httpd with the mod_svn_dav
> module to expose and secure their SVN repositories. I personally have
> had success securing with the mod_authz_ldap module.
>
> <Location /svn>
>
> DAV svn
>
> SVNParentPath /var/svnroot
>
> AuthzSVNAccessFile /etc/opt/CollabNet_Subversion/conf/svn_access_file
>
> AuthType Basic
>
> AuthName “SVN repo”
>
> AuthLDAPURL ldap://…./dc=blah, ou=blah?uid
>
> AuthBasicProvider file ldap
>
> AuthUserFile /etc/top/Collabnet_Subversion/conf/svn_auth_file
>
> AuthzLDAPAuthritative on
>
> AuthLDAPGroup AttributeIsDN off
>
> AuthLDAPGroupAttribute memberUid
>
> Require valid-user
>
> </Location>
>
> Question:
>
> How can we setup sasl to use an existing mod_authz_ldap setup for
> securing another service such as ‘svnserve’ that uses SASL to re-use
> already known security configurations?
>
I'll offer some general advice, since I haven't used Subversion's SASL
support.
Assuming that your Subversion server has been compiled against Cyrus
SASL, you will need to configure the library using its standard options.
These options are documented withing 'doc/options.html' within the Cyrus
source, or here:
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/~checkout~/src/sasl/doc/options.html?rev=1.32;content-type=text%2Fhtml
You place your configuration in /usr/lib/sasl2/<service name>.conf, such
as /usr/lib/sasl2/svnserve.conf. However, depending on how your cyrus
libraries have been compiled, and depending on how Subversion may have
customized it's use of Cyrus, the location of that configuration may
reside elsewhere.
Within Cyrus SASL library configuration, there are a couple of ways
(disregarding PTS) that come to mind to make use of LDAP. You can
configure an ldapdb auxprop plugin or you can configure saslauthd to use
its LDAP backend. Another option, outside of Cyrus, is to configure
saslauthd to use its PAM backend, and then use an LDAP PAM module to
perform authentication.
The link above discusses how to configure the ldapdb auxprop plugin.
saslauthd is documented in its own man page, and in the file
'/saslauthd/LDAP_SASLAUTHD' within the Cyrus source.
- Dan
More information about the Cyrus-sasl
mailing list