Posted to users@subversion.apache.org by Os Tyler <ot...@ur.com> on 2013/05/03 01:35:22 UTC

SASL authentication with fallback to native passwd file

Thanks in advance for any help here.

We're using svnserve and I've successfully implemented SASL authentication against our company Active Directory LDAP instance. And our Windows and Linux clients are successfully connecting.

However the subversion client on our AS/400 servers does not support SASL.

I was looking for a way to configure subversion so that if the SASL authentication failed, it would fall back to the native passwd file and if a user/pass match was found there, auth would succeed.

I've searched the interwebs and the archives of this mailing list, but I'm not seeing that there is a way to accomplish this "SASL with fallback to native passwd file".

Is there a way?

Thanks,

Os Tyler

Re: SASL authentication with fallback to native passwd file

Posted by Stefan Sperling <st...@elego.de>.
On Thu, May 02, 2013 at 11:35:22PM +0000, Os Tyler wrote:
> Thanks in advance for any help here.
> 
> We're using svnserve and I've successfully implemented SASL authentication against our company Active Directory LDAP instance. And our Windows and Linux clients are successfully connecting.
> 

Can you provide some details about how you configured svnserve with
SASL and LDAP?

I'm not aware of any working example configuration to point people at
when they ask about svnserve+SASL+LDAP. The svnbook has some generic
advice but it doesn't really mention details.

Thanks!

Re: SASL authentication with fallback to native passwd file

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Os Tyler wrote on Thu, May 02, 2013 at 23:35:22 +0000:
> I've searched the interwebs and the archives of this mailing list, but
> I'm not seeing that there is a way to accomplish this "SASL with
> fallback to native passwd file".
> 
> Is there a way?

I don't think you can achieve this in svnserve.  Should be doable
in mod_dav_svn / httpd.conf though.  It's possible you could do this in
svnserve too by making a trivial modification to
subversion/svnserve/serve.c:auth_request().

Re: SASL authentication with fallback to native passwd file

Posted by Mark Phippard <ma...@gmail.com>.
On Thu, May 2, 2013 at 7:35 PM, Os Tyler <ot...@ur.com> wrote:
> Thanks in advance for any help here.
>
> We're using svnserve and I've successfully implemented SASL authentication
> against our company Active Directory LDAP instance. And our Windows and
> Linux clients are successfully connecting.
>
> However the subversion client on our AS/400 servers does not support SASL.
>
> I was looking for a way to configure subversion so that if the SASL
> authentication failed, it would fall back to the native passwd file and if a
> user/pass match was found there, auth would succeed.
>
> I've searched the interwebs and the archives of this mailing list, but I'm
> not seeing that there is a way to accomplish this "SASL with fallback to
> native passwd file".
>
> Is there a way?

You could just run a second svnserve on a different port that was
using a username/password file instead of SASL.

That said, the issue is that if you are using the native AS/400 client
it is SVN 1.4 which was pre-SASL.  However, it is still possible for
those SVN clients to work with svnserve SASL.  You have to enable the
auth mechanisms on your server that are supported by these clients --
CRAM-MD5.

From:  http://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt

5. Compatibility
================

  All 1.x clients, with or without Cyrus SASL support, will be able to
  authenticate against all 1.x servers that do not have Cyrus SASL enabled.
  Note that the CRAM-MD5 and ANONYMOUS mechanisms are actually built into
  Subversion, so you'll be able to use them even if the corresponding Cyrus
  SASL plugins are missing.

  1.x clients without Cyrus SASL support will be able to authenticate against
  1.5+ servers with SASL enabled, provided the server allows the CRAM-MD5
  and/or ANONYMOUS mechanisms.

  1.5+ clients with Cyrus SASL support will be able to authenticate against
  1.5+ servers with SASL enabled, provided at least one of the mechanisms
  supported by the server is also supported by the client.


So if your server enables CRAM-MD5 your client ought to be able to
login using LDAP username and password.  That said, my understanding
is that for CRAM-MD5 to work, the server has to know your plaintext
password.  If you are using LDAP, that would be unlikely.  So you
would be back to running a second svnserve on another port.


--
Thanks

Mark Phippard
http://markphip.blogspot.com/
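
Added example, not part of the original thread and not Subversion's own code: a sketch of the generic CRAM-MD5 exchange (RFC 2195) showing why the verifying server needs the plaintext password, and why a directory that only answers bind requests cannot check the response. The account, host name and the `BindOnlyDirectory` class are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

def make_challenge(host="svn.example.test"):  # constructed host name
    """Server side: a fresh RFC 2195 style nonce, <random.timestamp@host>."""
    return "<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), host)

def cram_md5_digest(password, challenge):
    """HMAC-MD5 keyed with the password itself, computed over the challenge."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()

def client_response(username, password, challenge):
    """Client side: the password never travels, only 'username hexdigest'."""
    return "%s %s" % (username, cram_md5_digest(password, challenge))

def verify_with_passwd_file(passwd_db, challenge, response):
    """Server holding a plaintext user/password table can recompute the digest."""
    username, _, digest = response.rpartition(" ")
    password = passwd_db.get(username)
    if password is None:
        return False
    return hmac.compare_digest(cram_md5_digest(password, challenge), digest)

class BindOnlyDirectory:
    """Stand-in for LDAP/AD: keeps salted hashes, only answers bind(user, password)."""
    def __init__(self, users):
        self._users = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def bind(self, username, password):
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        return hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), stored)

def verify_with_directory(directory, challenge, response):
    """The server only holds the digest, which is not the password, so bind fails."""
    username, _, digest = response.rpartition(" ")
    return directory.bind(username, digest)

if __name__ == "__main__":
    users = {"alice": "correct horse"}  # constructed sample account
    ch = make_challenge()
    resp = client_response("alice", "correct horse", ch)
    print(verify_with_passwd_file(users, ch, resp))
    print(verify_with_directory(BindOnlyDirectory(users), ch, resp))
```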