subversion, saslauthd, ldap and encryption

Dan White dwhite at olp.net
Mon Oct 1 10:49:55 EDT 2012


On 10/01/12 15:44 +0200, Arnau Bria wrote:
>This is my first e-mail in this list. My name is Arnau Bria and I live
>in Barcelona (SPAIN). Let me say hi to everybody.
>I have a problem with svn+saslauth+ldap. I think this is the correct
>place for asking it cause the error is SASL related.
>
>I had an svn server using a sasldb file for
>authentication and sasl for data encryption.
>[general]
>authz-db = authzfile
>anon-access = none
>realm = puppet
>
>[sasl]
>use-sasl = true
>min-encryption = 128
>max-encryption = 256
>
># cat /etc/sasl2/svn.conf
>pwcheck_method: auxprop
>auxprop_plugin: sasldb
>sasldb_path: /etc/my_sasldb
>mech_list: DIGEST-MD5
>
>It worked really fine.


>SOCKETDIR=/var/run/saslauthd
>MECH="ldap"
>FLAGS=
>START="yes"
>
>#/usr/lib64/sasl2/svn.conf
>pwcheck_method: saslauthd
>auxprop_plugin: ldap
>mech_list: PLAIN LOGIN
>ldapdb_mech: PLAIN LOGIN
>
>
>Works fine. This is an ldaps server, so data is encrypted.
>
># testsaslauthd -u arnaubria  -p XXXXXXXX
>0: OK "Success."
>
>SVN works great too.
>
>But, when I try to add sasl encryption to SVN:
>
>[sasl]
>use-sasl = true
>min-encryption = 128
>max-encryption = 256
>
>svn gives me the error:
>
>svn: Could not obtain the list of SASL mechanisms

This result is not due to the fact that you are using the ldap saslauthd
backend, but because you are using PLAIN and LOGIN, which do not provide
network protection. See:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/mechanisms.php

And the 'Max SSF' column.

saslauthd requires the receipt of a plain text password for verification.
DIGEST-MD5 is not possible in this kind of setup.

If you can protect your subversion session with TLS, then that may suffice.

You could use the ldapdb auxprop plugin, instead of the saslauthd ldap
backend, to support DIGEST-MD5 and network protection.

>From Subversion guide:
>
>http://svnbook.red-bean.com/en/1.5/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sasl
>
>that min/max-encryption value encrypts data over the network, but then
>ldap auth does not work.
>What is happening when I add data encryption? Why does auth fail? (I have
>a guess: when adding min-encryption, auth is also encrypted and ldap does
>not know how to reply... am I right?)
>
>May I use SASL for network encryption when doing auth through ldap?
>
>
>TIA,
>Arnau
>

-- 
Dan White
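A small model of the negotiation Dan describes, added here as an illustration and not code from the thread, Cyrus SASL or Subversion: svnserve turns min-encryption into the minimum SSF it asks libsasl for, and libsasl then offers only mechanisms whose maximum SSF reaches it. The Max SSF table, the two svn.conf samples and the ldapdb lines are assumptions built from the thread and the mechanisms page Dan links.

```python
"""Model why svnserve reports "Could not obtain the list of SASL mechanisms"
when min-encryption = 128 is combined with mech_list: PLAIN LOGIN."""
import configparser

# Assumed "Max SSF" values (PLAIN/LOGIN give no network protection).
MAX_SSF = {"PLAIN": 0, "LOGIN": 0, "DIGEST-MD5": 128}

# Constructed svnserve.conf, as in the thread.
SVNSERVE_ENCRYPTED = """[general]
anon-access = none
realm = puppet

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
"""
# Constructed svn.conf variants: the failing saslauthd one from the thread
# and the ldapdb shape Dan suggests (ldapdb_* connection keys omitted).
SASLAUTHD_SVN_CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"
LDAPDB_SVN_CONF = "pwcheck_method: auxprop\nauxprop_plugin: ldapdb\nmech_list: DIGEST-MD5\n"


def parse_svnserve_sasl(svnserve_conf):
    """Return (use_sasl, min_ssf, max_ssf) from svnserve.conf text."""
    cp = configparser.ConfigParser()
    cp.read_string(svnserve_conf)
    sasl = cp["sasl"] if cp.has_section("sasl") else {}
    return (sasl.get("use-sasl", "false").lower() == "true",
            int(sasl.get("min-encryption", "0")),
            int(sasl.get("max-encryption", "256")))


def parse_mech_list(svn_conf):
    """Return the mech_list entries from an /etc/sasl2/svn.conf-style text."""
    for line in svn_conf.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "mech_list":
            return value.split()
    return list(MAX_SSF)  # no mech_list: every modelled mechanism


def offered_mechs(svnserve_conf, svn_conf):
    """(mechanism, negotiated SSF) pairs libsasl can still advertise.

    An empty list is the situation behind the svn error in the thread."""
    use_sasl, min_ssf, max_ssf = parse_svnserve_sasl(svnserve_conf)
    if not use_sasl:
        return []
    return [(m, min(MAX_SSF.get(m, 0), max_ssf))
            for m in parse_mech_list(svn_conf)
            if MAX_SSF.get(m, 0) >= min_ssf]
```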