[Freeipa-users] svnserve authentication against IPA
dbischof at hrz.uni-kassel.de
Wed Sep 9 09:12:31 UTC 2015
Hi,
On Sat, 27 Jun 2015, Dmitri Pal wrote:
> On 06/18/2015 05:09 AM, dbischof at hrz.uni-kassel.de wrote:
>>
>> I have a svnserve (Subversion 1.6.11) running on my IPA server. Currently,
>> there's a separate user database with SASL auth:
>>
>> /etc/sasl2/svn.conf
>> ---
>> pwcheck_method: auxprop
>> auxprop_plugin: sasldb
>> sasldb_path: /etc/sasldb2
>> mech_list: DIGEST-MD5
>> ---
>>
>> XXX/testrepo/conf/svnserve.conf
>> ---
>> [general]
>> anon-access = none
>> authz-db = authz
>> realm = MYSUBDOMAIN.MYUNIVERSITY.DE
>> [sasl]
>> use-sasl = true
>> min-encryption = 128
>> max-encryption = 256
>> ---
>>
>> On a test system, I changed svnserve auth to saslauthd and IPA:
>>
>> /etc/sasl2/svn.conf
>> ---
>> pwcheck_method: saslauthd
>> auxprop_plugin: ldap
>> mech_list: PLAIN
>> ldapdb_mech: PLAIN
>> ---
>>
>> XXX/testrepo/conf/svnserve.conf
>> ---
>> [general]
>> anon-access = none
>> authz-db = authz
>> realm = MYSUBDOMAIN.MYUNIVERSITY.DE
>> [sasl]
>> use-sasl = true
>> min-encryption = 0
>> max-encryption = 256
>> ---
>>
>> /etc/saslauthd.conf
>> ---
>> ldap_servers: ldaps://localhost/
>> ldap_search_base: cn=users,cn=accounts,dc=MYSUBDOMAIN,dc=MYUNIVERSITY,dc=DE
>> ---
>>
>> Though this setup basically works and svnserve and IPA are running on
>> the same machine I'm unhappy with PLAIN and "min-encryption = 0".
>>
>> What would you suggest to improve security/enable encryption in this
>> setup? I considered switching from svnserve to Apache, but that would
>> imply that my users will have to get used to something new.
>>
> It seems that no one on the list knows details about svn configuration so if
> you figure it out please share the results with the list.
>
> --
> Thank you,
> Dmitri Pal
For the record: in the meantime, I've abandoned svnserve in favour of
apache. It's more complicated to set up but also more flexible. In order
to make it work with IPA, one needs (something similar to) the following
included in the apache configuration:
---
# mod_dav_svn serves the repositories, mod_authz_svn enforces the per-path
# ACL file, mod_authnz_ldap checks credentials against IPA's LDAP tree
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
RedirectMatch ^(/svn)$ $1/
RedirectPermanent /svn/ /home/svn/
<Location /home/svn>
DAV svn
SVNParentPath /home/svn
SVNListParentPath On
SVNAutoversioning On
SVNReposName "example.com SVN Repositories"
SVNPathAuthz short_circuit
# HTTP Basic credentials are verified over LDAPS using the "sysadev" bind
# account (see remark 1 below)
AuthType Basic
AuthName "example.com SVN Repositories"
AuthBasicProvider ldap
AuthLDAPBindAuthoritative on
AuthLDAPBindDN "uid=sysadev,CN=users,CN=accounts,DC=example,DC=com"
AuthLDAPBindPassword XXXXXXXXXX
AuthLDAPURL "ldaps://ipa.example.com/CN=users,CN=accounts,DC=example,DC=com?uid,nsAccountLock?sub?(ObjectClass=*)"
# Reject accounts that IPA has disabled (nsAccountLock=true) even when the
# password is still valid
Require ldap-attribute nsAccountLock!="true"
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
AuthzSVNAccessFile /etc/subversion/svn.acl
</Location>
<Directory /home/svn>
Options +Indexes +FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from all
</Directory>
---
I think this is more flexible and more secure than my svnserve approach.
Remarks:
1. "sysadev" is the username that I use for LDAP binding (an IPA user with
a long-term password, no home directory and /sbin/nologin as login shell).
2. "/etc/subversion/svn.acl" contains the access rights for the individual
SVN repos. It is similar to the "authz" files that svnserve uses.
3. apache is HTTPS-only.
Mit freundlichen Gruessen/With best regards,
--Daniel.
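Since the svn.acl named by AuthzSVNAccessFile is what decides which authenticated IPA user may write where, it is worth being able to audit it offline. The following evaluator is an added example, not the poster's or Subversion's code: it models the authz-file semantics under the assumptions stated in the comments (most specific path wins; within a section a user rule beats an @group rule, which beats `*`, as in Subversion 1.10 and later; aliases, `~` negation and `$authenticated` are not handled) and runs on a constructed sample file.

```python
import configparser
# Constructed sample in Subversion authz syntax (not the poster's real svn.acl).
SAMPLE_ACL = """[groups]
devs = alice, bob
[/]
* = r
[testrepo:/]
@devs = rw
* =
[testrepo:/trunk/secrets]
@devs =
carol = rw
"""

def parse_acl(text):
    """Return (groups, rules): group -> members, section -> {principal: perms}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # principal names are case-sensitive
    cp.read_string(text)
    groups = {g: [m.strip() for m in v.split(",")] for g, v in cp["groups"].items()}
    return groups, {s: dict(cp[s]) for s in cp.sections() if s != "groups"}

def _section_access(section, user, groups):
    """Rule for user in one section (None if unmentioned); assumed precedence user > @group > *."""
    if user in section:
        return section[user]
    for g, members in groups.items():
        if user in members and "@" + g in section:
            return section["@" + g]
    return section.get("*")

def effective_access(groups, rules, repo, path, user):
    """Most specific section (repo-specific before global) that mentions the user wins."""
    parts = path.rstrip("/").split("/")
    while True:
        p = "/".join(parts) or "/"
        for key in ((f"{repo}:{p}", p) if repo else (p,)):
            acc = _section_access(rules[key], user, groups) if key in rules else None
            if acc is not None:
                return acc
        if p == "/":
            return ""  # no rule anywhere: Subversion denies by default
        parts.pop()

def writers(groups, rules, users):
    """Audit view: for every section, which of the given users may write there."""
    split = lambda k: k.partition(":")[::2] if ":" in k else (None, k)  # -> (repo, path)
    return {k: sorted(u for u in users if "w" in effective_access(groups, rules, *split(k), u))
            for k in rules}
```

Running `writers(*parse_acl(SAMPLE_ACL), ["alice", "bob", "carol", "dave"])` shows that the `@devs =` line in the secrets section removes the developers' inherited write access while carol keeps hers.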