I am trying to authenticate subversion users against sasl+ldap. Other questions about this problem seem to be related to earlier versions of subversion, or sasldb authentication.
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 8.1 (jessie)
Release: 8.1
Codename: jessie
svnserve --version
svnserve, version 1.8.10 (r1615264)
Cyrus SASL authentication is available.
saslauthd -v
saslauthd 2.1.26
authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap
The sasl+LDAP part seems to be correctly configured:
testsaslauthd -u user -p password -r realm
0: OK "Success."
Testing it with wrong credentials gives an error:
testsaslauthd -u wronguser -p wrongpassword -r wrongrealm
0: NO "authentication failed"
And it shows an error in auth.log:
Sep 10 22:23:53 xxx saslauthd[30948]: Entry not found ((&(objectClass=posixAccount)(uid=wronguser))).
Sep 10 22:23:53 xxx saslauthd[30948]: Authentication failed for wronguser/wrongrealm: User not found (-6)
Sep 10 22:23:53 xxx saslauthd[30948]: do_auth : auth failure: [user=wronguser] [service=imap] [realm=wrongrealm] [mech=ldap] [reason=Unknown]
So I assume SASL can contact the LDAP server fine and get the data.
I configured subversion with:
/etc/sasl2/svn.conf:
pwcheck_method: saslauthd
mech_list: DIGEST-MD5
Checking svnserve with strace -e open shows that it opens this file, and not /usr/lib/sasl2 or similar.
When I try to connect from an svn client I get
Sep 10 22:31:38 xxx svnserve: DIGEST-MD5 common mech free
in auth.log for each try, but no info or errors from saslauthd.
If I add the user account to sasldb2:
saslpasswd2 user -u realm
Password: password
I can connect from the svn client correctly. So it looks like sasl uses the sasldb2, even though the config for svn and for saslauthd configures LDAP.
Best Answer
Solution: I attached a debugger and stepped through the authentication. Turns out I had two problems: Permissions on /var/log/saslauthd:
means the "subversion" server user needs to be part of group sasl.
The second one is more complicated: DIGEST-MD5 relies on plain text passwords to calculate a hash on the server side. My LDAP directory stores SSHA encrypted passwords, so the server could never compare the MD5 from the client with a MD5 computed locally. I guess the directory could store MD5(username:realm:password), but I'm not sure if this is supported in sasl, and how you would manage that if you have several realms.
I don't really want to store plain text passwords, so for now the solution is to only use unencrypted authentication:
Not a perfect solution, but it seems to work for now. I think I'll enforce ssh+svn for external access, and maybe I'll invest some time into TLS support for svnserve.
(This would've been much less time consuming with a few more diagnostic options, and better documentation.)
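An added Python example, not from the question or answer above, that works through the second problem: an {SSHA} value in LDAP can only be checked against a plaintext candidate (what PLAIN via saslauthd sends), whereas the server side of DIGEST-MD5 (RFC 2831) must compute HA1 = MD5(username:realm:password), which requires either the plaintext or a stored HA1. The credentials, nonces and digest-uri are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values; nothing here comes from a real directory or svnserve.
USER, REALM, PASSWORD = "user", "realm", "password"
NONCE, CNONCE, NC, QOP = "srvnonce1", "clinonce1", "00000001", "auth"
URI = "svn/svn.example.test"  # assumed digest-uri, not from the page

def ssha_store(password: str, salt: bytes = b"") -> str:
    """OpenLDAP-style userPassword: {SSHA} base64(SHA1(password + salt) + salt)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored: str, candidate: str) -> bool:
    """All the directory can do with an {SSHA} value: re-hash a PLAIN candidate."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)

def digest_md5_ha1(user: str, realm: str, password: str) -> bytes:
    """RFC 2831 H(username:realm:password): derivable only from the plaintext."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()

def digest_md5_response(ha1: bytes) -> str:
    """RFC 2831 response-value for qop=auth, needing HA1 but never the plaintext."""
    a1 = hashlib.md5(ha1 + f":{NONCE}:{CNONCE}".encode()).hexdigest()
    a2 = hashlib.md5(f"AUTHENTICATE:{URI}".encode()).hexdigest()
    return hashlib.md5(f"{a1}:{NONCE}:{NC}:{CNONCE}:{QOP}:{a2}".encode()).hexdigest()

def server_verifies_digest(stored_ha1: bytes, client_response: str) -> bool:
    """Server side of DIGEST-MD5: recompute from its stored HA1 and compare."""
    return hmac.compare_digest(digest_md5_response(stored_ha1), client_response)

def demo() -> dict:
    """Run both mechanisms against the same plaintext and report what each side can check."""
    stored_ssha = ssha_store(PASSWORD, salt=b"\x01\x02\x03\x04")
    client_resp = digest_md5_response(digest_md5_ha1(USER, REALM, PASSWORD))
    return {
        # PLAIN over saslauthd -> ldap: the directory re-hashes the candidate, so this works.
        "plain_vs_ssha": ssha_verify(stored_ssha, PASSWORD),
        "plain_wrong_password": ssha_verify(stored_ssha, "wrong"),
        # DIGEST-MD5 works only when the server holds HA1 (or the plaintext to derive it);
        # an {SSHA} value gives it no way to compute HA1, which is the mismatch in the answer.
        "digest_vs_stored_ha1": server_verifies_digest(digest_md5_ha1(USER, REALM, PASSWORD), client_resp),
        "digest_vs_wrong_ha1": server_verifies_digest(digest_md5_ha1(USER, REALM, "wrong"), client_resp),
    }
```

Note that a stored HA1 is bound to one realm string, which is the management problem the answer raises for directories serving several realms.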