Subversion 1.5.1 authentication with OpenLDAP 2.4.11 via SASL2: trouble, svn never contacts LDAP :-(

O. Hartmann ohartman at zedat.fu-berlin.de
Tue Sep 2 14:20:52 UTC 2008 

Hello,
I'm like floating helpless in the water. Scenario: I'd like to 
authenticate some useres having write access to specific repositories on 
  the subversion server via OpenLDAP and already set up things, which 
are decribed below in further detail. But trying to check out or import 
or check in things never worked due to svnserve never contacts the LDAP.

I think I have already every prerequisite software installed. Here it is:


cyrus-sasl-2.1.22_1 RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-ldapdb-2.1.22 SASL LDAPDB auxprop plugin
openldap-sasl-client-2.4.11 Open source LDAP client implementation with 
SASL2 support
openldap-sasl-server-2.4.11 Open source LDAP server implementation
Subversion 1.5.1

OpenLDAP is running fine, subversiona is also running fine.

Out of the most recent documentations I took several 'cook-book' 
examples to perform successfully access to repositories by LDAP 
authenticated users.

In LDAP I created

olcAuthzRegEx with uid
0}"uid=(^[^,].*),cn=realm.de,cn=external,cn=auth" 
"cn=svnserve,dc=dc=realm,dc=de"

The DIT contains this entity:

dn: cn=svnproxy,dc=realm,dc=de
objcetClass: top
objectClass: organizationalPerson
cn: svnproxy
sn: svnproxy
authzTo: ldap:///dc=realm,dc=de??base?(objectClass=posixAccount)

I created a file in /usr/local/etc/sasl2/svn.conf which conatins 
following things:

pwcheck_method:         auxprop
auxprop_plugin:         ldap
ldapdb_uri:             ldap://ldap.realm.de/
#ldapdb_id:             svnproxy
dapdb_mech:            EXTERNAL
ldapdb_rc:              /usr/local/etc/sasl2/svn_ldaprc
ldapdb_startls:                yes
log_level:             7

The autheticating client machine is already part of an LDAP backed up 
network and authenticates users successfully.


A server.pem and server.key SSL certificate and key-file are present and 
  have been approved working.

After installing cyrus-sasl2-ldap port I recompiled everything (LDAP, 
subversion and fellows ...) making sure I did not forget anything.

Subversion's repository has been configured out of the handbook, very 
simple and is already using SASL. But whatever I do, svn complains about 
non-existent users in the database:

svn: Authentication error from server: SASL(-13): user not found: no 
secret in database
svn: Your commit message was left in a temporary file:

On the LDAP-server side, I never see a contact-attempt (server runs with 
logging ACL and stats), nor do I see any reasonable logging messages on 
the client side although I configured loglevel 7, but this seems to be a 
simple bogus fake option.

I can't tell how many different ways I tried (but with that crap of 
documentation in SASL it is hard to come along with some clues).

I also tried the different ways of user mapping described in the 
OpenLDAP 2.4 docu, but without success - I can't see any logging when 
the attempt to access a mapped user is performed. Even worser, it is 
impossible to make 'authzTo' visible in ldapvi or LUMA, so I fly blind 
when creating/adding this attribute.

Well, I'm not capable of getting any LDAP contact so I guess there is 
something special with the port or I'm to stupid reading the documentation.

If there is someone out here running a similar scenario, you are welcome 
to give me some hints.

Thanks in advance,

Oliver

More information about the freebsd-questions mailing list