From: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Organization: Freie Universität Berlin
To: freebsd-questions@freebsd.org
Date: Mon, 25 Aug 2008 07:25:44 +0000
Subject: SASL2, Subversion and LDAP authentication

Sirs,

I have already set up a working Subversion server and need to authenticate accessing users against an LDAP server. The LDAP server is located on another box and is compiled against the cyrus-sasl2 port.
OpenLDAP (2.4.11) and Subversion (1.5.X, as taken from the ports) are capable of handling SASL2; I double checked this. I followed the instructions to set up Subversion connecting/authenticating users via sasl2, but I do not have any success. It is said that for Subversion I need to create a config file 'svn.conf' in the place where sasl2 expects plugins, so this is /usr/local/lib/sasl2. There resides a chmod'd 755 file named svn.conf with this content:

    auxprop_plugin: ldap
    pwcheck_method: auxprop
    ldapdb_uri: ldap://my.ldap.server/
    ldapdb_id: anonymous
    ldapdb_pw:
    ldapdb_mech: EXTERNAL
    ldapdb_rc: /usr/local/etc/sasl2/ldaprc
    ldapdb_startls: yes
    mech_list: EXTERNAL
    log_level: 7

The file /usr/local/etc/sasl2/ldaprc contains LDAP specific parameters like the TLS_CACERT file etc.

Well, someone would complain about ldapdb_id and ldapdb_pw; they are set to bogus values at the moment as I try to figure out how things work (the documentation is more than bad on this subject).

My problem is as follows: whenever I try to access the repository which should authenticate against LDAP, I get a SASL error complaining that the Berkeley db /usr/local/etc/sasl2db is not accessible (permission denied). Well, this confuses me. That means Subversion is NOT accessing the LDAP path; it seems it uses authd (sasl2) directly. I tried to log the console and slapd output; both do not show anything except that the console log shows the mentioned Berkeley db issue.

My LDAP server is configured not to authenticate clients via their own SSL certificates, so the bogus 'anonymous' tag and empty password are simply there because I try to get LDAP's and Subversion's log messages triggered - if Subversion will ever contact LDAP. I guess Subversion never looks for a config file 'svn.conf' in /usr/local/lib/sasl2/.
Well, I'm a little bit desperate about my lack of knowledge of sasl2 and how it works, so if there is someone out here with a working Subversion/LDAP configuration on FreeBSD (I use 7.0-STABLE everywhere), I would appreciate any comments, tips and hints.

Thank you very much in advance,
Oliver
--
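A consistency check for a per-application Cyrus SASL config such as the svn.conf quoted in the post, added here as an example and not part of the original message or of any FreeBSD port. It assumes a POSIX shell and the file paths named in the post; the two configs in its usage are constructed samples.

```shell
#!/bin/sh
# Consistency checks for a Cyrus SASL per-application config such as svn.conf.
# Added example, not code from the post above; paths are assumptions taken from it.
# Print the value of KEY from FILE (text after "KEY:"), first match only.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}
# Exit 0 when the file is readable and its options are mutually consistent.
check_sasl_appconf() {
    conf=$1; rc=0
    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf missing or unreadable by $(id -un); svnserve must read it"
        return 1
    fi
    pwcheck=$(conf_value "$conf" pwcheck_method)
    plugins=$(conf_value "$conf" auxprop_plugin)
    mechs=$(conf_value "$conf" mech_list)
    # pwcheck_method auxprop with no auxprop_plugin queries every loaded auxprop
    # plugin, sasldb included, which is where sasldb permission errors come from.
    if [ "$pwcheck" = "auxprop" ] && [ -z "$plugins" ]; then
        echo "FAIL: pwcheck_method auxprop but no auxprop_plugin (sasldb is queried)"
        rc=1
    fi
    # The LDAP auxprop plugin registers itself under the name "ldapdb"; any other
    # spelling matches no plugin, so the LDAP server is never contacted.
    for p in $plugins; do
        case $p in
            ldapdb)
                [ -n "$(conf_value "$conf" ldapdb_uri)" ] ||
                    { echo "FAIL: ldapdb selected but ldapdb_uri not set"; rc=1; }
                rcfile=$(conf_value "$conf" ldapdb_rc)
                [ -z "$rcfile" ] || [ -r "$rcfile" ] ||
                    { echo "FAIL: ldapdb_rc file $rcfile is not readable"; rc=1; } ;;
            sasldb|sql) ;;
            *) echo "WARN: '$p' is not a known auxprop plugin name (ldapdb, sasldb, sql)" ;;
        esac
    done
    # Only password mechanisms (PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5) look up
    # auxprop data; EXTERNAL takes its identity from outside SASL, e.g. a TLS
    # client certificate, and never asks the plugin for a password.
    if [ -n "$mechs" ]; then
        case " $mechs " in
            *" PLAIN "*|*" LOGIN "*|*" CRAM-MD5 "*|*" DIGEST-MD5 "*) ;;
            *) echo "FAIL: mech_list '$mechs' has no password mechanism; auxprop is never used"
               rc=1 ;;
        esac
    fi
    return $rc
}
[ $# -eq 0 ] || check_sasl_appconf "$1"   # usage: check_sasl_appconf.sh /usr/local/lib/sasl2/svn.conf
```

Run it as the user svnserve runs under, since the readability checks are done with that user's permissions.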