SVN + SASL + ActiveDirectory: How to
I'm trying to set up SVN to authenticate against an ActiveDirectory. I know this is possible if you set up SVN to be served using Apache, but doing so introduces too much overhead, and SVN runs too slow. From reading the SVN docs, it sounds like it should now be possible (since SASL was integrated into SVN in 1.5) to configure SVN to authenticate against ActiveDirectory without using Apache. Unfortunately the documentation from SVN and SASL is extremely generic, and lacks specifics to help get this working properly.
Has anyone gotten this working? It would be a huge help if you could provide some sample configuration files, or high-level steps to point myself (and likely others) in the right direction on this.
Answer
SVN with SASL enabled (on a Debian v7 box), using Active Directory (on another server)
note that I already setup samba and winbind, which included libsasl2-2 so also get the startup executable and svnserve and modules (needed for svn plain (or other) mechanism to work, which (just FYI) puts them in /usr/lib/x86_64-linux-gnu/sasl2/libplain.so):
sudo apt-get install sasl2-bin svnserve libsasl2-modules
sudo pico /etc/default/saslauthd
change START=no to START=yes, and MECHANISMS="pam" to MECHANISMS="ldap", and THREADS=0 (not 5), and remove the /var in front of /run from the last line so that it's OPTIONS="-c -m /run/saslauthd"; control x, y, enter
sudo pico /etc/saslauthd.conf
Add the following (note: you may need an "ou=folder" in front of the dc= series):
ldap_servers: ldap://hostname.of.server<br />
ldap_search_base: dc=hostname,dc=of,dc=server<br />
ldap_bind_dn: cn=usernamehere,dc=hostname,dc=of,dc=server<br />
ldap_bind_pw: password<br />
ldap_filter: samaccountname=%u<br />
sudo /etc/init.d/saslauthd start
Run sudo testsaslauthd -u usernamehere -p password to test the ldap setup and cat /var/log/auth.log to see log.
Add following lines to a file /usr/lib/sasl2/svn.conf:
pwcheck_method: saslauthd
mech_list: plain
Create repository:
mkdir /data
svnadmin create /data/repohere
assuming some sort of previous "svnadmin dump /data/repohere >/data/repohere.dump" svnadmin load /data/repohere
pico /data/repohere/conf/svnserve.conf
uncomment (remove the leading pound and the leading space); and, modify anon-access and authz-db (and note that I put authz in /data so than my multiple repos share it):
anon-access = none<br />
auth-access = write<br />
authz-db = ../../authz<br />
use-sasl = true<br />
pico /data/authz
add the following:
[groups]<br />
whatever = username1,username2<br />
[/]<br />
@whatever = rw<br />
to schedule svnserve on startup (sorry, couldn't find one, so manually make one):
sudo cp /etc/init.d/skeleton /etc/init.d/svnserve
sudo chmod 755 /etc/init.d/svnserve
sudo update-rc.d svnserve defaults
sudo pico /etc/init.d/svnserve
change DESC to "subversion server", change NAME to "svnserve", take out the "s" in the "sbin" of DAEMON (to make it just /bin/), change DAEMON_ARGS to "-d -r /data --log-file /var/log.svn.log"
sudo /etc/init.d/svnserver start
test your favorite svn client (e.g. TortoiseSVN)!