SVN + SASL + ActiveDirectory: How to

Ken Mason · Nov 25, 2009 · Viewed 12.3k times

I'm trying to set up SVN to authenticate against an ActiveDirectory. I know this is possible if you set up SVN to be served using Apache, but doing so introduces too much overhead, and SVN runs too slow. From reading the SVN docs, it sounds like it should now be possible (since SASL was integrated into SVN in 1.5) to configure SVN to authenticate against ActiveDirectory without using Apache. Unfortunately the documentation from SVN and SASL is extremely generic, and lacks specifics to help get this working properly.

Has anyone gotten this working? It would be a huge help if you could provide some sample configuration files, or high-level steps to point myself (and likely others) in the right direction on this.

Answer

S Hunter Simpson · Oct 10, 2014

SVN with SASL enabled (on a Debian v7 box), using Active Directory (on another server)

Note that I had already set up samba and winbind, which included libsasl2-2, so also get the startup executable, svnserve and the modules (needed for the svn plain (or other) mechanism to work; just FYI, this puts them in /usr/lib/x86_64-linux-gnu/sasl2/libplain.so):

sudo apt-get install sasl2-bin svnserve libsasl2-modules

sudo pico /etc/default/saslauthd

change START=no to START=yes, and MECHANISMS="pam" to MECHANISMS="ldap", and THREADS=0 (not 5), and remove the /var in front of /run from the last line so that it's OPTIONS="-c -m /run/saslauthd"; control x, y, enter

sudo pico /etc/saslauthd.conf

Add the following (note: you may need an "ou=folder" in front of the dc= series):

ldap_servers: ldap://hostname.of.server
ldap_search_base: dc=hostname,dc=of,dc=server
ldap_bind_dn: cn=usernamehere,dc=hostname,dc=of,dc=server
ldap_bind_pw: password
ldap_filter: samaccountname=%u

sudo /etc/init.d/saslauthd start

Run sudo testsaslauthd -u usernamehere -p password to test the ldap setup, and cat /var/log/auth.log to see the log.

Add following lines to a file /usr/lib/sasl2/svn.conf:

pwcheck_method: saslauthd
mech_list: plain

Create repository:

mkdir /data
svnadmin create /data/repohere

assuming some sort of previous "svnadmin dump /data/repohere >/data/repohere.dump", load it into the new repository:

svnadmin load /data/repohere < /data/repohere.dump

pico /data/repohere/conf/svnserve.conf

uncomment (remove the leading pound and the leading space); and, modify anon-access and authz-db (and note that I put authz in /data so that my multiple repos share it):

anon-access = none
auth-access = write
authz-db = ../../authz
use-sasl = true

pico /data/authz

add the following:

[groups]
whatever = username1,username2
[/]
@whatever = rw

to schedule svnserve on startup (sorry, couldn't find one, so manually make one):

sudo cp /etc/init.d/skeleton /etc/init.d/svnserve
sudo chmod 755 /etc/init.d/svnserve
sudo update-rc.d svnserve defaults
sudo pico /etc/init.d/svnserve

change DESC to "subversion server", change NAME to "svnserve", take out the "s" in the "sbin" of DAEMON (to make it just /bin/), change DAEMON_ARGS to "-d -r /data --log-file /var/log.svn.log"

sudo /etc/init.d/svnserve start

test your favorite svn client (e.g. TortoiseSVN)!
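As an added check that is not part of the original answer: a small POSIX shell script that verifies the three files the answer edits (svnserve.conf, the SASL svn.conf and saslauthd.conf) actually carry the settings described, and that the file holding ldap_bind_pw is not readable by other local users. The paths are parameters, so it can be pointed at the live files or at copies; the sample config written in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the svnserve +
# saslauthd setup described above. Paths are assumed to be the ones used in
# the answer (/data/repohere/conf/svnserve.conf, /usr/lib/sasl2/svn.conf,
# /etc/saslauthd.conf) but are passed in as arguments.

# Return 0 if KEY is set to VALUE in a "key = value" style file
# (svnserve.conf). Lines still commented out ("# key = value") do not match,
# which catches the case where the user forgot to uncomment a setting.
conf_has() {
    file=$1; key=$2; want=$3
    got=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" \
          | head -n 1 | sed 's/[[:space:]]*$//')
    [ "$got" = "$want" ]
}

# Return 0 if FILE exists and is readable only by its owner (mode 600/400).
# saslauthd.conf holds the LDAP bind password in clear text.
secret_file_ok() {
    file=$1
    [ -f "$file" ] || return 1
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Check all three files; print each finding and return non-zero on any miss.
check_svn_sasl() {
    svnserve_conf=$1; sasl_conf=$2; saslauthd_conf=$3
    rc=0
    conf_has "$svnserve_conf" use-sasl true \
        || { echo "svnserve.conf: use-sasl is not true"; rc=1; }
    conf_has "$svnserve_conf" anon-access none \
        || { echo "svnserve.conf: anon-access is not none"; rc=1; }
    grep -q '^pwcheck_method:[[:space:]]*saslauthd' "$sasl_conf" \
        || { echo "svn.conf: pwcheck_method is not saslauthd"; rc=1; }
    grep -q '^mech_list:.*plain' "$sasl_conf" \
        || { echo "svn.conf: mech_list does not include plain"; rc=1; }
    secret_file_ok "$saslauthd_conf" \
        || { echo "saslauthd.conf: missing or readable by others (holds ldap_bind_pw)"; rc=1; }
    return $rc
}

# Usage on a live box:
#   check_svn_sasl /data/repohere/conf/svnserve.conf /usr/lib/sasl2/svn.conf /etc/saslauthd.conf
```

Run it after editing the files and before starting svnserve; a zero exit code means all four settings and the file mode are as the answer describes.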