Using LDAP to authenticate with a svnserve server

I had this already set up in another server ¬†but we had to set up a new svn server even though we already switch most of our stuff to git…

So, after setting the the svnserve daemon, we need to set up LDAP authentication.

We are using debian servers so I needed to install sasl2-bin in order to have the saslauthd daemon.

apt-get install sasl2-bin

After that, we need to set the daemon to start automatically, editing the file: /etc/defaults/saslauthd and changing two lines:

#...
START=no
#...
#...
MECHANISMS="pam"
#...

to

#...
START=yes
#...
#...
MECHANISMS="ldap"
#...

Then the saslauthd daemon needs to know how to reach the LDAP server, we configure this in the file /etc/saslauthd.conf, it is simple as:

ldap_servers: ldap://server.address.example.com
ldap_port: 389
ldap_version: 3
ldap_password_attr: userPassword
ldap_auth_method: bind
ldap_filter: (uid=%u)
ldap_search_base: ou=Users,dc=example,dc=com

The daemon will look for an entry with the uid=USERNAME in the base ou=Users,dc=example,dc=com and will check the password against the attribute userPassword.

You can test if it is working using the testsaslauthd app, like this:

user@svn:/svn# testsaslauthd -u username -p secret
0: OK "Success."

user@svn:/svn# testsaslauthd -u username -p wrongSecret
0: NO "authentication failed"

We can then start the daemon running service saslauthd start.

Now, we need to change the svnserve.conf so it will actually request the authentication to sasl. So, make sure that the [sasl] section of the file looks like this:

[sasl]
use-sasl = true
#...

And we need to register the svn app into the sasl. Apps are registered by creating a file in /usr/lib/sasl2/appname.conf. svnserve uses the name svn internally, we need to create the file as: /usr/lib/sasl2/svn.conf, with the following contents:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

We are now all set up. We only need to restart the svnserve daemon and voil√†, it’s done!

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.