[PATCH] svnserve does not work with LDAP

Stefan Sperling stsp at elego.de
Mon Jun 15 11:36:31 CDT 2009


Bad news, everyone,

please see http://svn.haxx.se/users/archive-2009-06/0536.shtml

Vlad, can you confirm this?

The book has apparently been misguiding people.
I think the book's authors simply weren't aware of the issue.

Is the patch below OK to commit?

There's one remaining section where the text suggests that LDAP
does work with svnserve, namely the documentation of username aliases
in svnserve.conf. I didn't change that, hoping that we'll eventually
get TLS support for svn. However, we might want to change the wording
of that section a bit, too.

Thanks,
Stefan

[[[
* src/en/book/ch06-server-configuration.xml
  (svn.serverconfig.overview.tbl-1,
   svn.serverconfig.svnserve.sasl): Stop suggesting that LDAP
   authentication works with svnserve, because it is not
   actually supported. Based on description of known issues
   in notes/sasl.txt in the Subversion source tree.
]]]

Index: src/en/book/ch06-server-configuration.xml
===================================================================
--- src/en/book/ch06-server-configuration.xml	(revision 3523)
+++ src/en/book/ch06-server-configuration.xml	(working copy)
@@ -88,8 +88,10 @@
             <entry>Authentication options</entry>
             <entry>HTTP(S) basic auth, X.509 certificates, LDAP, NTLM, or
               any other mechanism available to Apache httpd</entry>
-            <entry>CRAM-MD5 by default;  LDAP, NTLM, or any other mechanism
-              available to SASL</entry>
+            <entry>CRAM-MD5 by default; other mechanisms available to SASL
+              except those which require passwords sent over the network
+              in plain text, and as a consequence those which require
+              saslauthd</entry>
             <entry>SSH</entry>
           </row>
 
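Review bot: The new table entry stacks two exceptions without making clear that the second follows from the first: "other mechanisms available to SASL except those which require passwords sent over the network in plain text, and as a consequence those which require saslauthd" is hard to parse at a glance. Suggest something like "CRAM-MD5 by default; any other SASL mechanism except those that send passwords over the network in plain text (and therefore any that depend on saslauthd)". The Apache entry above correctly keeps LDAP and NTLM, since those are handled by httpd rather than by svnserve.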
@@ -98,7 +100,7 @@
             <entry>Private 'users' file, or other mechanisms
             available to Apache httpd (LDAP, SQL, etc.)</entry>
             <entry>Private 'users' file, or other mechanisms available
-              to SASL (LDAP, SQL, etc.)</entry>
+              to SASL (e.g. SQL)</entry>
             <entry>System accounts</entry>
           </row>
 
@@ -999,10 +1001,23 @@ authz-db = authzfile
           that you read the documentation supplied in the
           <filename>doc/</filename> subdirectory of the SASL source
           code.  It goes into great detail about every mechanism and
-          how to configure the server appropriately for each.  For the
-          purposes of this discussion, we'll just demonstrate a simple
-          example of configuring the DIGEST-MD5 mechanism.  For
-          example, if your <filename>subversion.conf</filename>
+          how to configure the server appropriately for each.</para>
+
+        <warning>
+          <para>Cyrus SASL has two authentication mechanisms, PLAIN and LOGIN,
+            that send the password over the network in plain text.
+            This would be fine if the transmission medium was already
+            encrypted with TLS (Transport Layer Security).
+            However, the svn:// protocol does not support TLS yet, so both
+            these mechanisms are currently disabled in both the client and
+            the server. As a consequence, you won't be able to use the
+            saslauthd daemon to authenticate users, because that method
+            only works with plain text passwords.</para></warning>
+          
+        <para>
+          For the purposes of this discussion, we'll just demonstrate
+          a simple example of configuring the DIGEST-MD5 mechanism.
+          For example, if your <filename>subversion.conf</filename>
           (or <filename>svn.conf</filename>) file contains the
           following:</para>
 
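Review bot: Three small points in the new <warning>. First, "if the transmission medium was already encrypted" should read "were", since it describes a condition that does not hold. Second, "so both these mechanisms are currently disabled in both the client and the server" repeats "both"; "so both mechanisms are currently disabled in the client and the server" reads better. Third, the added line immediately after </warning> consists only of trailing whitespace and should be an empty line. The split of the old paragraph is otherwise clean: the first <para> is closed before the warning and the remaining sentences reopen in a fresh <para>, so the XML stays well-formed.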
@@ -1040,9 +1055,8 @@ $ saslpasswd2 -c -f /etc/my_sasldb -u realm userna
 
         <para>This is just one simple way of configuring SASL.  Many
           other authentication mechanisms are available, and passwords
-          can be stored in other places such as in LDAP or a SQL
-          database.  Consult the full SASL documentation for
-          details.</para>
+          can be stored in other places such as in an SQL database.
+          Consult the full SASL documentation for details.</para>
 
         <para>Remember that if you configure your server to only allow
           certain SASL authentication mechanisms, this forces all
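Review bot: The rewrite also changes "a SQL database" to "an SQL database"; the removed line used "a SQL", so check which article the rest of the chapter uses and keep it consistent. Dropping LDAP from this sentence matches the table edits in the first two hunks.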
