Sunday, March 15, 2015

SVN with LDAP authentication - Step 2

In the first step, I set up SVN with SASL authentication using a password file. The next step is to use LDAP authentication instead. For that we need SASLAUTHD, a daemon that answers authentication requests on behalf of SASL. On Debian, configuring it means editing two files. The first one is /etc/default/saslauthd, where the following lines need to be changed:

START=yes
MECHANISMS="ldap"

While you are at it, take note of the last line. Mine has

OPTIONS="-c -m /var/run/saslauthd"

This line tells you where the daemon listens (in this case /var/run/saslauthd). Now for the second configuration file, /etc/saslauthd.conf:

ldap_servers: ldap://myldapserver.mydomain.com
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ldap/myldapca.crt
ldap_auth_method: bind
ldap_bind_dn: cn=bindcn,dc=mydomain,dc=com
ldap_password: supersecretstuff
ldap_search_base: ou=Users,dc=mydomain,dc=com
ldap_filter: (&(uid=%U))

This file simply tells SASLAUTHD how to contact the LDAP server. Save it and restart saslauthd by typing

service saslauthd restart

Then you are good to go. First, test SASLAUTHD authentication with

testsaslauthd -u username -p password

This verifies that SASLAUTHD is working as intended. Once that is confirmed, the last step is to point SASL at SASLAUTHD. This is done by changing /usr/lib/sasl2/svn.conf (see my Step 1 post) to the following:

pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
mech_list: PLAIN LOGIN

Notice the saslauthd_path. It is the path where SASLAUTHD is listening (which we got earlier in this post from /etc/default/saslauthd). Your process does need read/write access to that directory. This can be done by adding the user you run svnserve as to the sasl group.

One more note here: in the svnserve.conf file (under the conf directory of the repository), min-encryption needs to be set to 0, otherwise it would not work on my setup. Also, I read somewhere that SASLAUTHD only supports PLAIN and LOGIN, not any of the digest methods. This really makes this method insecure because the password will be transmitted in clear text.

So in the end, after all this trouble, I went back to serving my SVN server with Apache2 over SSL (sorry, no Nginx or anything else, only Apache2 works). That seems to be the only secure solution right now (other than SVN+SSH, for which I would need to create many user accounts on my SVN server, which is not good).
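As an added check (my own example, not part of the original post): a small Python audit of the three files from these two posts that reports on which hop a user's password would travel in clear text, so the problem described in the note above is visible before anyone logs in. The sample configurations are constructed from the ones shown above; the finding texts and the defaults assumed (min-encryption 0, ldap_auth_method bind, ldap_start_tls no) are mine.

```python
import configparser

def parse_sasl_conf(text):
    """Parse the 'key: value' format used by svn.conf and saslauthd.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank line, comment, or not a key: value pair
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def audit(svn_conf, svnserve_conf, saslauthd_conf):
    """List the hops on which a user's password would cross the wire in clear.

    Hop 1 is client -> svnserve (the SASL mechanism), hop 2 is saslauthd -> LDAP
    (the bind). An empty list means neither hop exposes the password."""
    sasl = parse_sasl_conf(svn_conf)
    authd = parse_sasl_conf(saslauthd_conf)
    ini = configparser.ConfigParser()
    ini.read_string(svnserve_conf)
    uses_authd = sasl.get("pwcheck_method") == "saslauthd"
    mechs = {m.upper() for m in sasl.get("mech_list", "").split()}
    cleartext = mechs & {"PLAIN", "LOGIN"}
    findings = []
    # saslauthd verifies a plaintext password, so only PLAIN/LOGIN can use it.
    if uses_authd and mechs and not cleartext:
        findings.append("hop1: pwcheck_method saslauthd needs PLAIN or LOGIN in mech_list")
    # With min-encryption = 0 (svnserve's default) PLAIN/LOGIN run over a bare socket.
    if cleartext and ini.getint("sasl", "min-encryption", fallback=0) == 0:
        findings.append("hop1: %s with min-encryption = 0 sends the password in clear"
                        % ",".join(sorted(cleartext)))
    # A simple bind hands the password to the directory; it needs STARTTLS or ldaps://.
    if uses_authd and authd.get("ldap_auth_method", "bind") == "bind":
        tls = authd.get("ldap_start_tls", "no").lower() == "yes"
        ldaps = authd.get("ldap_servers", "").startswith("ldaps://")
        if not (tls or ldaps):
            findings.append("hop2: LDAP bind without start_tls or ldaps:// sends the password in clear")
    return findings

# Constructed samples mirroring the Step 2 configuration from the post.
SVN_CONF = "pwcheck_method: saslauthd\nsaslauthd_path: /run/saslauthd/mux\nmech_list: PLAIN LOGIN\n"
SVNSERVE_CONF = "[sasl]\nuse-sasl = true\nmin-encryption = 0\n"
SASLAUTHD_CONF = ("ldap_servers: ldap://myldapserver.mydomain.com\nldap_start_tls: yes\n"
                  "ldap_auth_method: bind\nldap_search_base: ou=Users,dc=mydomain,dc=com\n")

if __name__ == "__main__":
    for finding in audit(SVN_CONF, SVNSERVE_CONF, SASLAUTHD_CONF):
        print(finding)
```

Run against the Step 2 files it reports only hop 1, which is exactly the cleartext problem the note above describes; the Step 1 sasldb/DIGEST-MD5 setup produces no finding.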



Sunday, March 8, 2015

SVN with LDAP authentication: Step 1

My work setup has too many places that need authentication. There have been six or seven logins and passwords I need to use constantly, so I have finally decided to spend some time getting LDAP working. I have wanted to do that for a while, but every time I looked at it, it looked pretty thick and complicated. It indeed is. There is very little documentation, and I found a fair amount of mistakes in it. So I am writing this down as a record, and also as a way to share my mistakes.

LDAP

First, it is probably a good idea to read some introduction to LDAP. This 10-minute tutorial is so dense that I am not sure it actually helps. Later, I found one that is actually just a personal note, but is surprisingly clear and helpful. That is a must-read for a quick understanding of what everything is.

Svnserve with SASL

The first step is to set up svnserve with SASL. This is a well-documented process, and easy to test to be sure that everything works. First of all, run svnserve to make sure that SASL is supported. I installed this on Debian 7.8.0 (March 2015), and the output is as below.

Two configuration files need to be modified. The first one is svnserve.conf, located in the "conf" directory of the repository to be served. The "use-sasl" line needs to be set to true.

[sasl]
use-sasl = true

The second file is svn.conf for SASL. This is a little tricky, and not much information is available. I believe svnserve needs to use the SASL library for authentication, and the SASL library loads a configuration file for the application (which is svn in this case) from a known folder (which is /usr/lib/sasl2 on Debian). The file does not exist and will need to be created.

In this first step, I tried to use a password file that holds the username and password hash for SASL, so that I can first verify that svnserve is working correctly with SASL, and later change that to use LDAP. For now, my svn.conf looks like the following.

pwcheck_method: auxprop
auxprop_plugin: sasldb
# you may use /etc/svn_sasldb here
sasldb_path: /path/db_name
mech_list: DIGEST-MD5

Then the password file can be created with the following command.

saslpasswd2 -f /path/db_name -c -u realmname username

Restart svnserve and test away. That is the first step.