[Re: subversion, saslauthd, ldap and encryption]

Arnau Bria listsarnau at gmail.com
Thu Oct 4 10:24:13 EDT 2012


Hi again

> In other words: I'm in the process of creating an ldap subversion user
> and giving him perms to act as other users. subversion has its password
> in plain text, but do other ldap users also need plain text passwords?

I've configured the ldapdb auxprop plugin.
My svn uses SASL, which uses ldapdb.

But it only works if the user (regular user) has its password in
plain text.
LDAP communication is encrypted (TLS), svn communication is encrypted,
but we don't like having plaintext passwords in our LDAP DB,
so we'll move to apache+ssl.



But let me paste my conf, just because it has been hard work looking
through too many links and maybe it helps anyone in the future.

-- ldap server --

Authentication Algorithm:

Installed cyrus-sasl-ldap for DIGEST-MD5 support.

SASL rewrite rule in Slapd

In /etc/openldap/slapd.conf I added:

authz-regexp "^uid=([a-z]+).*,cn=digest-md5,cn=auth" \
"uid=$1,ou=People,dc=pic,dc=es" 
password-hash {CLEARTEXT}
authz-policy to   <- SASL Proxy Authorization


** the regexp is a little different from the doc because svn adds its
realm like @realm and it must be removed.

added special user:

# cat subversion2.ldif 
dn: uid=subversion,ou=People,dc=pic,dc=es
uid: subversion@pic
cn: subversion
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: plaintextpassword
loginShell: /bin/bash
uidNumber: 70000
gidNumber: 1307
homeDirectory: /home/subversion
gecos: mail
saslAuthzTo: ldap:///ou=People,dc=pic,dc=es??sub?(organizationName=PIC) <- SASL Proxy Authorization

** in our case, we want subversion to act as any user with
organizationName=PIC. You could add your own LDAP search.


cat /usr/lib64/sasl2/slapd.conf 
auxprop_plugin: slapd

** this should remove warnings in messages, but it seems that it does not work.

Oct  4 15:53:21 ldap1-test slaptest: auxpropfunc error invalid parameter supplied
Oct  4 15:53:21 ldap1-test slapd[3156]: auxpropfunc error invalid parameter supplied



-- subversion server --

# cat /srv/svn/test/conf/svnserve.conf 
[general]
anon-access = read
auth-access = write
authz-db = authz
realm = pic

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256 


# cat /srv/svn/test/conf/authz 
[groups]
services = arnaubria

[test:/]
@services=rw


# cat /usr/lib64/sasl2/svn.conf 
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: DIGEST-MD5 PLAIN LOGIN
ldapdb_uri: ldap://ldap1-test.pic.es
ldapdb_id: subversion@pic
ldapdb_pw: r3m0t3
ldapdb_mech: DIGEST-MD5
ldapdb_starttls: demand
ldapdb_rc: /usr/lib64/sasl2/ldaprc

# cat /usr/lib64/sasl2/ldaprc
TLS_CACERT /etc/pki/tls/certs/TERENASSLCA.crt
TLS_REQCERT demand

** did not find ldapdb params for cacert and TLS_REQCERT.


Finally, your user must have its password in plaintext:

$ svn co svn://$SVNSERVER/test
Reino de autentificación: <svn://$SVNSERVER:3690> pic
Usuario: arnaubria
Clave de 'arnaubria': 

-----------------------------------------------------------------------
ATTENTION!  Your password for authentication realm:
[...]
Almacenar la clave sin cifrar (sí/no)? no
Revisión obtenida: 0


For testing:

# ldapwhoami -ZZ -U subversion@pic -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password: 
SASL username: subversion@pic
SASL SSF: 128
SASL data security layer installed.
dn:uid=subversion,ou=people,dc=pic,dc=es

SASL-PROXY

# ldapwhoami -ZZ -U subversion@pic -Y DIGEST-MD5 -X u:arnaubria
SASL/DIGEST-MD5 authentication started
Please enter your password: 
SASL username: u:arnaubria
SASL SSF: 128
SASL data security layer installed.
dn:uid=arnaubria,ou=people,dc=pic,dc=es


Interesting links:
http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:postfix:sasl_ldapdb
http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:openldap:openldap_debian#sasl
http://markmail.org/thread/t7uj4l2oz332e25s#query:+page:1+mid:bcv24n4oor4vw37y+state:results
http://www.openldap.org/doc/admin24/sasl.html#Mapping%20Authentication%20Identities

Thanks for your indications, Dan.


Cheers,
Arnau
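Two checks a practitioner would want before copying the configuration above, written as an added Python example (not part of Arnau's post or of any OpenLDAP/Cyrus SASL code): first, what the `authz-regexp` from slapd.conf actually maps a DIGEST-MD5 SASL identity to, including the `@realm` suffix svn appends, and second, an audit of an LDIF export that reports which entries carry a `userPassword` with no `{SCHEME}` prefix, i.e. the cleartext values that DIGEST-MD5 via ldapdb forces and that the post's author wants to get rid of. The LDIF sample is constructed for the example: it reuses the `subversion` entry from the post plus a made-up hashed entry for `arnaubria`; the `{SSHA}` value is a placeholder, not a real hash.

```python
import base64
import re

# The authz-regexp pair from the post's slapd.conf; slapd writes the back-reference
# as $1, Python's re as \1. The trailing .* is what swallows svn's "@realm".
AUTHZ_MATCH = re.compile(r"^uid=([a-z]+).*,cn=digest-md5,cn=auth")
AUTHZ_REPLACE = r"uid=\1,ou=People,dc=pic,dc=es"

# A stored password is considered hashed when it starts with an LDAP scheme tag
# such as {SSHA}, {CRYPT} or {MD5}; anything else is cleartext.
HASHED_SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")


def map_sasl_authcid(sasl_dn: str):
    """Return the directory DN that authz-regexp maps a SASL authentication DN to.

    sasl_dn is the form slapd builds from the SASL authcid, e.g.
    'uid=arnaubria@pic,cn=digest-md5,cn=auth'. Returns None when the rule does
    not match (e.g. a PLAIN mech DN), which slapd treats as an unmapped identity.
    """
    m = AUTHZ_MATCH.match(sasl_dn)
    if not m:
        return None
    # expand() builds the replacement from the captured groups only, so trailing
    # RDNs beyond the match can never leak into the mapped DN.
    return m.expand(AUTHZ_REPLACE)


def _unfold(lines):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def audit_ldif_passwords(ldif_text: str):
    """Return [(dn, 'hashed' | 'cleartext'), ...] for every entry with a userPassword.

    Handles both 'attr: value' and base64 'attr:: value' forms, which is how
    ldapsearch/slapcat export binary or non-ASCII values.
    """
    findings = []
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        dn = None
        for line in _unfold(block.splitlines()):
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):  # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            if attr.lower() == "dn":
                dn = value
            elif attr.lower() == "userpassword":
                status = "hashed" if HASHED_SCHEME.match(value) else "cleartext"
                findings.append((dn, status))
    return findings


def cleartext_dns(ldif_text: str):
    """Convenience view: only the DNs whose password is stored in cleartext."""
    return [dn for dn, status in audit_ldif_passwords(ldif_text) if status == "cleartext"]


# Constructed sample: the post's subversion entry (cleartext, as the post shows)
# plus a hypothetical hashed entry. The {SSHA} value is a placeholder, not a real digest.
SAMPLE_LDIF = """\
dn: uid=subversion,ou=People,dc=pic,dc=es
uid: subversion@pic
cn: subversion
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: plaintextpassword
uidNumber: 70000
gidNumber: 1307
homeDirectory: /home/subversion

dn: uid=arnaubria,ou=People,dc=pic,dc=es
uid: arnaubria
cn: arnau
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9c29tZXNhbHRlZGhhc2g=
"""

if __name__ == "__main__":
    for sasl_dn in ("uid=arnaubria@pic,cn=digest-md5,cn=auth",
                    "uid=arnaubria,cn=digest-md5,cn=auth",
                    "uid=arnau.bria@pic,cn=digest-md5,cn=auth",
                    "uid=arnaubria,cn=plain,cn=auth"):
        print(f"{sasl_dn:45} -> {map_sasl_authcid(sasl_dn)}")
    for dn, status in audit_ldif_passwords(SAMPLE_LDIF):
        print(f"{status:9} {dn}")
```

Two things the run makes visible. The `[a-z]+` group stops at the first character outside that class, so a uid such as `arnau.bria` is mapped to `uid=arnau,...`, a different entry; if your uids contain dots, digits or uppercase, widen the class before deploying the rule. And the mapping only fires for `cn=digest-md5`, so the `PLAIN` and `LOGIN` mechanisms listed in `mech_list` would need their own rule (or should be dropped from the list) if they are ever offered.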

