[Re: subversion, saslauthd, ldap and encryption]

Arnau Bria listsarnau at gmail.com
Thu Oct 4 07:12:00 EDT 2012


On Mon, 1 Oct 2012 09:49:55 -0500
Dan White wrote:

Hi Dan,

[...]
> This result is not due to the fact that you are using the ldap
> saslauthd backend, but because you are using PLAIN and LOGIN, which
> do not provide network protection. See:
> 
> http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/mechanisms.php
> 
> And the 'Max SSF' column.
>
> saslauthd requires the receipt of a plain text password for
> verification. DIGEST-MD5 is not possible in this kind of set up.

Thanks for the explanation.
 
> If you can protect your subversion session with TLS, then that may
> suffice.

Yes, I was thinking of moving my svn conf to apache+SSL, but I'd like
to understand this and give it a try...

> You could use the ldapdb auxprop plugin, instead of the saslauthd ldap
> backend, to support DIGEST-MD5 and network protection.

Ok, I've done so but I'm still having some issues. Before asking about
them, there's one thing that I don't understand. When doing this conf,
must all user passwords in ldap be in plain text, or only the account
used for proxy authentication?

In other words: I'm in the process of creating an ldap subversion user
and giving him perms to act as other users. subversion has its password in
plain text, but do other ldap users also need plain text passwords?

TIA,
Arnau
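
Added example, not part of the original message and not Cyrus SASL code: the
DIGEST-MD5 response computation from RFC 2831 (qop=auth, no authzid) next to
the SASL PLAIN message from RFC 4616, showing what each mechanism puts on the
wire and what the verifying side must hold. The user name, realm, password,
nonces and service name are constructed sample values.

```python
import base64
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_response(user, realm, password, nonce, cnonce, nc, digest_uri):
    """RFC 2831 'response' value for qop=auth without an authzid."""
    # A1 starts from the raw 16-byte MD5 of user:realm:password.
    secret = md5(f"{user}:{realm}:{password}".encode())
    ha1 = md5(secret + f":{nonce}:{cnonce}".encode()).hex()
    ha2 = md5(f"AUTHENTICATE:{digest_uri}".encode()).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hex()

def server_verify(stored, user, realm, nonce, cnonce, nc, digest_uri, response):
    """The server recomputes the response from whatever it has stored."""
    expected = digest_response(user, realm, stored, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)

def plain_message(user, password):
    """SASL PLAIN (RFC 4616): [authzid] NUL authcid NUL passwd."""
    return b"\0" + user.encode() + b"\0" + password.encode()

# Constructed sample values (assumptions, not taken from the thread).
USER, REALM, PASSWORD = "alice", "example.org", "s3cret-pw"
NONCE, CNONCE, NC, URI = "srvNonce123", "cliNonce456", "00000001", "svn/example.org"

def demo():
    resp = digest_response(USER, REALM, PASSWORD, NONCE, CNONCE, NC, URI)
    # A directory entry holding only a one-way hash of the password.
    hashed = "{SHA}" + base64.b64encode(hashlib.sha1(PASSWORD.encode()).digest()).decode()
    return {
        "plain_exposes_password": PASSWORD.encode() in plain_message(USER, PASSWORD),
        "digest_exposes_password": PASSWORD in resp,
        "verify_with_cleartext": server_verify(PASSWORD, USER, REALM, NONCE, CNONCE, NC, URI, resp),
        "verify_with_hash_only": server_verify(hashed, USER, REALM, NONCE, CNONCE, NC, URI, resp),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
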

