Date: Tue, 02 Sep 2008 14:18:38 +0000
From: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
To: freebsd-questions@freebsd.org
Subject: Subversion 1.5.1 authentication with OpenLDAP 2.4.11 via SASL2: trouble, svn never contacts LDAP :-(
Message-ID: <48BD4B3E.3000800@zedat.fu-berlin.de>
Hello,

I'm like floating helpless in the water.

Scenario: I'd like to authenticate some users having write access to specific repositories on the subversion server via OpenLDAP and have already set up things, which are described below in further detail. But trying to check out or import or check in things never worked, because svnserve never contacts the LDAP.

I think I have already every prerequisite software installed. Here it is:

    cyrus-sasl-2.1.22_1           RFC 2222 SASL (Simple Authentication and Security Layer)
    cyrus-sasl-ldapdb-2.1.22      SASL LDAPDB auxprop plugin
    openldap-sasl-client-2.4.11   Open source LDAP client implementation with SASL2 support
    openldap-sasl-server-2.4.11   Open source LDAP server implementation
    Subversion 1.5.1

OpenLDAP is running fine, subversion is also running fine.

Out of the most recent documentation I took several 'cook-book' examples to successfully set up access to repositories by LDAP-authenticated users.

In LDAP I created olcAuthzRegexp with:

    {0}"uid=(^[^,].*),cn=realm.de,cn=external,cn=auth" "cn=svnserve,dc=realm,dc=de"

The DIT contains this entity:

    dn: cn=svnproxy,dc=realm,dc=de
    objectClass: top
    objectClass: organizationalPerson
    cn: svnproxy
    sn: svnproxy
    authzTo: ldap:///dc=realm,dc=de??base?(objectClass=posixAccount)

I created a file in /usr/local/etc/sasl2/svn.conf which contains the following:

    pwcheck_method: auxprop
    auxprop_plugin: ldap
    ldapdb_uri: ldap://ldap.realm.de/
    #ldapdb_id: svnproxy
    ldapdb_mech: EXTERNAL
    ldapdb_rc: /usr/local/etc/sasl2/svn_ldaprc
    ldapdb_starttls: yes
    log_level: 7

The authenticating client machine is already part of an LDAP-backed network and authenticates users successfully. A server.pem and server.key SSL certificate and key file are present and have been verified working.

After installing the cyrus-sasl2-ldap port I recompiled everything (LDAP, subversion and fellows ...), making sure I did not forget anything.
Subversion's repository has been configured following the handbook, very simple, and is already using SASL. But whatever I do, svn complains about non-existent users in the database:

    svn: Authentication error from server: SASL(-13): user not found: no secret in database
    svn: Your commit message was left in a temporary file:

On the LDAP-server side, I never see a contact attempt (the server runs with logging ACL and stats), nor do I see any reasonable logging messages on the client side although I configured loglevel 7, but this seems to be a simple bogus fake option.

I can't tell how many different ways I tried (but with that crap of documentation in SASL it is hard to come along with some clues). I also tried the different ways of user mapping described in the OpenLDAP 2.4 docu, but without success - I can't see any logging when the attempt to access a mapped user is performed. Even worse, it is impossible to make 'authzTo' visible in ldapvi or LUMA, so I fly blind when creating/adding this attribute.

Well, I'm not capable of getting any LDAP contact, so I guess there is something special with the port or I'm too stupid reading the documentation. If there is someone out here running a similar scenario, you are welcome to give me some hints.

Thanks in advance,
Oliver