subversion, saslauthd, ldap and encryption
Arnau Bria
listsarnau at gmail.com
Mon Oct 1 09:44:09 EDT 2012
** Sorry to mailing list admin. I used the wrong account for sending my
first mail.
Hi all,
This is my first e-mail in this list. My name is Arnau Bria and I live
in Barcelona (SPAIN). Let me say hi to everybody.
I have a problem with svn+saslauth+ldap. I think this is the correct
place for asking it because the error is SASL-related.
I had a svn server using sasldb file for
authentication and sasl for data encryption.

[general]
authz-db = authzfile
anon-access = none
realm = puppet
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

# cat /etc/sasl2/svn.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/my_sasldb
mech_list: DIGEST-MD5

It worked really fine.
Now, I'd like to use a ldap server for authentication so I've followed
some guides and it's working fine. Here's the conf:

# cat /etc/saslauthd.conf
ldap_servers: ldap://ldapserver....
ldap_default_domain: pic.es
ldap_search_base: dc=....
ldap_bind_dn: cn=.....
ldap_bind_pw: XXXXXXXX
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: yes
ldap_version: 3
ldap_auth_method: bind
ldap_password_attr: userPassword
ldap_timeout: 10
ldap_cache_ttl: 30
ldap_cache_mem: 32768
ldap_tls_cacert_file: /etc/pki/tls/certs/TERENASSLCA.crt

#/etc/sysconfig/saslauthd
SOCKETDIR=/var/run/saslauthd
MECH="ldap"
FLAGS=
START="yes"

#/usr/lib64/sasl2/svn.conf
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN LOGIN
ldapdb_mech: PLAIN LOGIN

Works fine. This is an ldaps server, so data is encrypted.

# testsaslauthd -u arnaubria -p XXXXXXXX
0: OK "Success."

SVN works great too.

But, when I try to add sasl encryption to SVN:
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

svn gives me the error:

svn: Could not obtain the list of SASL mechanisms
From the Subversion guide
(http://svnbook.red-bean.com/en/1.5/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sasl),
the min/max-encryption values encrypt data over the network, but then
ldap auth does not work.
What is happening when I add data encryption? Why does auth fail? (I have
a guess: when adding min-encryption, auth is also encrypted and ldap does
not know how to reply... am I right?)
May I use SASL for network encryption when doing auth through ldap?
TIA,
Arnau
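Editor's added example, not part of Arnau's post or of the Cyrus SASL or Subversion projects: a small model of how a SASL server filters its mechanism list against svnserve's min-encryption/max-encryption settings, run over the two mech_list values shown above. The per-mechanism SSF values (PLAIN and LOGIN have no security layer, DIGEST-MD5 can negotiate a 128-bit one) and the "drop anything weaker than the floor" rule are assumptions stated in the code for the sake of the model; check them against your installed plugins before relying on them.

```python
# Added example (editor's model, not code from the post or from Cyrus SASL).
# It reproduces the mechanism filtering that decides whether svnserve has
# anything to offer once a min-encryption floor is configured.
from dataclasses import dataclass


@dataclass(frozen=True)
class Mechanism:
    name: str
    max_ssf: int      # strongest security layer the plugin can negotiate
    plaintext: bool   # the password itself crosses the wire unprotected


# ASSUMPTION: advertised properties of the stock plugins. PLAIN and LOGIN
# only carry the password and never add a security layer (max_ssf 0);
# DIGEST-MD5 can wrap the session with a cipher up to 128-bit SSF.
MECHS = {
    "PLAIN": Mechanism("PLAIN", 0, True),
    "LOGIN": Mechanism("LOGIN", 0, True),
    "DIGEST-MD5": Mechanism("DIGEST-MD5", 128, False),
}


def permitted(mech_list, min_encryption, max_encryption):
    """Mechanisms the server can still offer for a given svnserve [sasl] block.

    Models the 'too weak' check: a mechanism whose strongest layer is below
    min_encryption is dropped. max_encryption caps what gets negotiated but
    never removes a mechanism by itself.
    """
    if min_encryption > max_encryption:
        raise ValueError("min-encryption must not exceed max-encryption")
    offered = []
    for name in mech_list.split():
        mech = MECHS[name]
        if mech.max_ssf < min_encryption:
            continue  # weaker than the configured floor
        offered.append(name)
    return offered


def negotiated_ssf(mech_name, max_encryption):
    """SSF a client would end up with: plugin maximum capped by max-encryption."""
    return min(MECHS[mech_name].max_ssf, max_encryption)


def diagnose(mech_list, min_encryption, max_encryption, transport_encrypted=False):
    """One-line verdict for a configuration, from a defender's point of view."""
    offered = permitted(mech_list, min_encryption, max_encryption)
    if not offered:
        # This is the situation behind the error quoted in the post: every
        # mechanism saslauthd can verify is filtered out by the floor.
        return "no mechanism satisfies min-encryption: svn cannot obtain a mechanism list"
    exposed = [m for m in offered if MECHS[m].plaintext and not transport_encrypted]
    if exposed:
        return "password sent in clear by %s; wrap the connection (e.g. svn+ssh or a TLS tunnel)" % ", ".join(exposed)
    ssf = max(negotiated_ssf(m, max_encryption) for m in offered)
    return "ok: offered %s, best SSF %d" % (" ".join(offered), ssf)


if __name__ == "__main__":
    # The two configurations from the post, side by side.
    print("sasldb + DIGEST-MD5 :", diagnose("DIGEST-MD5", 128, 256))
    print("saslauthd + PLAIN   :", diagnose("PLAIN LOGIN", 128, 256))
    print("saslauthd, floor 0  :", diagnose("PLAIN LOGIN", 0, 256))
    print("saslauthd over ssh  :", diagnose("PLAIN LOGIN", 0, 256, transport_encrypted=True))
```

Reading the output: the sasldb setup worked because DIGEST-MD5 can supply the 128-bit layer svnserve demands, while saslauthd's LDAP bind can only verify mechanisms that hand it the password (PLAIN, LOGIN), and those carry no layer at all, so the floor leaves nothing to offer. Under this model the realistic defensive choices are to set min-encryption = 0 and put the svnserve connection inside an encrypted transport, or to switch back to a mechanism with a security layer, which in turn needs password material the server can read (an auxprop backend rather than a saslauthd bind).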