Using SASL for LDAP/mod_authz_ldap

Dan White dwhite at olp.net
Wed Oct 22 17:40:16 EDT 2008


Darren Hartford wrote:
>
> Hey all,
>
> Usecase blurb:
>
> I’ve been trying to follow the **many** threads on both tigris and 
> collabnet where people are trying to get the ‘svnserve’ tool setup to 
> use SASL w/ ldap. No one has met with success, or if they have there 
> is insufficient information to reproduce.
>
> Discussions around saslauthd, auxprop, PAM, and EXTERNAL bounce around.
>
> Most people have gone back to using apache/httpd with the mod_svn_dav 
> module to expose and secure their SVN repositories. I personally have 
> had success securing with the mod_authz_ldap module.
>
> <Location /svn>
>     DAV svn
>     SVNParentPath /var/svnroot
>     AuthzSVNAccessFile /etc/opt/CollabNet_Subversion/conf/svn_access_file
>     AuthType Basic
>     AuthName "SVN repo"
>     AuthLDAPURL ldap://…./dc=blah, ou=blah?uid
>     AuthBasicProvider file ldap
>     AuthUserFile /etc/opt/CollabNet_Subversion/conf/svn_auth_file
>     AuthzLDAPAuthoritative on
>     AuthLDAPGroupAttributeIsDN off
>     AuthLDAPGroupAttribute memberUid
>     Require valid-user
> </Location>
>
> Question:
>
> How can we setup sasl to use an existing mod_authz_ldap setup for 
> securing another service such as ‘svnserve’ that uses SASL to re-use 
> already known security configurations?
>

I'll offer some general advice, since I haven't used Subversion's SASL 
support.

Assuming that your Subversion server has been compiled against Cyrus 
SASL, you will need to configure the library using its standard options. 
These options are documented in 'doc/options.html' within the Cyrus 
source, or here:

https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/~checkout~/src/sasl/doc/options.html?rev=1.32;content-type=text%2Fhtml

You place your configuration in /usr/lib/sasl2/<service name>.conf, such 
as /usr/lib/sasl2/svnserve.conf. However, depending on how your cyrus 
libraries have been compiled, and depending on how Subversion may have 
customized its use of Cyrus, the location of that configuration may 
reside elsewhere.

Within Cyrus SASL library configuration, there are a couple of ways 
(disregarding PTS) that come to mind to make use of LDAP. You can 
configure an ldapdb auxprop plugin or you can configure saslauthd to use 
its LDAP backend. Another option, outside of Cyrus, is to configure 
saslauthd to use its PAM backend, and then use an LDAP PAM module to 
perform authentication.

The link above discusses how to configure the ldapdb auxprop plugin. 
saslauthd is documented in its own man page, and in the file 
'/saslauthd/LDAP_SASLAUTHD' within the Cyrus source.

- Dan
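To make the routes Dan sketches concrete, here is an added worked example (my own, not configuration from Dan's reply, from the Cyrus project, or from Subversion) of the saslauthd-with-LDAP-backend route, with the ldapdb auxprop route shown as a commented alternative. The three files are concatenated into one block for reading; each section belongs in the file its header names. Every hostname, DN, bind identity and password is a constructed placeholder, and the sasl2 directory path is an assumption to verify against your build.

```ini
# ---- Cyrus SASL application config for svnserve ----
# Dan's reply places this at /usr/lib/sasl2/<service>.conf. Subversion
# registers the SASL service name "svn", so the Subversion book names the
# file svn.conf; the sasl2 directory itself varies by distribution
# (/etc/sasl2 on many Linux systems). Confirm both before relying on it.

# Route 1 (active): hand plaintext credentials to saslauthd, which binds
# to LDAP as the user. Only plaintext mechanisms can be verified this way,
# so PLAIN is the only mechanism offered; the password crosses the wire
# unencrypted unless the svn:// session is tunneled (for example over SSH).
pwcheck_method: saslauthd
mech_list: PLAIN

# Route 2 (alternative, commented out): ldapdb auxprop plugin. It reads the
# user's stored password from LDAP via proxy authorization, so it can serve
# DIGEST-MD5 and SASL's encryption layer, but the directory must hold
# cleartext-recoverable passwords and grant proxy rights to ldapdb_id.
#pwcheck_method: auxprop
#auxprop_plugin: ldapdb
#ldapdb_uri: ldap://ldap.example.com
#ldapdb_id: svn-proxy
#ldapdb_pw: CHANGE-ME
#ldapdb_mech: DIGEST-MD5
#mech_list: DIGEST-MD5

# ---- /etc/saslauthd.conf (read when saslauthd runs with -a ldap) ----
# Option names follow saslauthd/LDAP_SASLAUTHD in the Cyrus source.
# Hostname, base DN and bind DN are constructed placeholders.
ldap_servers: ldap://ldap.example.com
ldap_version: 3
ldap_auth_method: bind
ldap_search_base: ou=people,dc=example,dc=com
ldap_scope: sub
ldap_filter: (uid=%u)
ldap_bind_dn: cn=saslauthd,ou=service,dc=example,dc=com
ldap_bind_pw: CHANGE-ME

# ---- <repository>/conf/svnserve.conf ----
# With PLAIN via saslauthd there is no SASL security layer, so
# min-encryption must stay 0 or every client negotiation fails.
[general]
anon-access = none
auth-access = write
realm = SVN repo

[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
```

Before touching svnserve, verify the saslauthd half on its own with `testsaslauthd -u <user> -p <password> -s svn` against the running daemon; a failure there is an LDAP search or bind problem, not a Subversion one. The trade-off between the two routes is the security-relevant point: saslauthd keeps LDAP in control of password verification but forces PLAIN, while ldapdb enables DIGEST-MD5 only by making recoverable passwords readable from the directory.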


More information about the Cyrus-sasl mailing list