SVN + SASL + ActiveDirectory: How to
I’m trying to set up SVN to authenticate against an ActiveDirectory. I know this is possible if you set up SVN to be served using Apache, but doing so introduces too much overhead, and SVN runs too slow. From reading the SVN docs, it sounds like it should now be possible (since SASL was integrated into SVN in 1.5) to configure SVN to authenticate against ActiveDirectory without using Apache. Unfortunately the documentation from SVN and SASL is extremely generic, and lacks specifics to help get this working properly.
Has anyone gotten this working? It would be a huge help if you could provide some sample configuration files, or high-level steps to point myself (and likely others) in the right direction on this.
4 Solutions collect form web for “SVN + SASL + ActiveDirectory: How to”
Run SVN on windows using VisualSVN Server
I found this post in one of the mailing lists. Next time I try to get this working I’m going to reference this information. I’ll quote it below for reference.
I have just tried getting svnserve + SASL working on Windows, with
help from Mark Phippard, and there are a few additions/corrections
needed to the svn.serverconfig.svnserve.sasl section.
You talk about the subversion.conf file, but on Windows at least it
is called svn.conf.
Under Windows the default name for the database file is sasldb2
located in C:\CMU. If you do not specify anything in svn.conf, this is
where SASL will look for it when trying to authenticate for
However, you can specify the SASL database file to use by adding
another line to svn.conf, of the form: sasldb_path:
c:\svn_repository\sasldb That is, a file called sasldb in
The registry keys could be better described: SearchPath – directory
path containing the sasl*.dll plugins, e.g. saslCRAMMD5.dll (we’re not
talking about libsasl.dll here). ConfFile – directory path containing
the svn.conf file. Note the inconsistency here: this is the directory
containing the conf file, whereas the sasldb_path value in the conf
file points to the database file itself, not its containing directory.
When using saslpasswd2 on Windows, you need to specify the database
file explicitly (don’t think it will use c:\CMU\sasldb2 as a default),
so a better example of the command line would be:
saslpasswd2 -c -f c:\svn_repository\sasldb -u realm username
- Windows users don’t (usually) build their own programs – they have
servants/developers to do that for them 😉 So where are they gonna
get saslpasswd2 from? Open Collab Net have a convenient svn server
installer which includes these programs, and even installs svnserve as
a service. Might be worth a mention. Not sure what link you would
provide as it only exists on the merge-tracking/Beta site at present.
SVN with SASL enabled (on a Debian v7 box), using Active Directory (on another server)
note that I already setup samba and winbind, which included libsasl2-2 so also get the startup executable and svnserve and modules (needed for svn plain (or other) mechanism to work, which (just FYI) puts them in /usr/lib/x86_64-linux-gnu/sasl2/libplain.so):
sudo apt-get install sasl2-bin svnserve libsasl2-modules sudo pico /etc/default/saslauthd
change “START=no” to “START=yes”, and MECHANISMS=”pam” to MECHANISMS=”ldap”, and THREADS=0 (not 5), and remove the /var in front of /run from the last line so that it’s OPTIONS=”-c -m /run/saslauthd”; control x, y, enter
sudo pico /etc/saslauthd.conf
add the following (note: you may need an “ou=folder” in front of the dc= series):
ldap_servers: ldap://hostname.of.server<br /> ldap_search_base: dc=hostname,dc=of,dc=server<br /> ldap_bind_dn: cn=usernamehere,dc=hostname,dc=of,dc=server<br /> ldap_bind_pw: password<br /> ldap_filter: samaccountname=%u<br /> sudo /etc/init.d/saslauthd start
“sudo testsaslauthd -u usernamehere -p password” to test the ldap setup and “cat /var/log/auth.log” to see where it logs to
sudo pico /usr/lib/sasl2/svn.conf
add the following:
mkdir /data svnadmin create /data/repohere
assuming some sort of previous “svnadmin dump /data/repohere >/data/repohere.dump”
svnadmin load /data/repohere
uncomment (remove the leading pound and the leading space); and, modify anon-access and authz-db (and note that I put authz in /data so than my multiple repos share it):
anon-access = none<br /> auth-access = write<br /> authz-db = ../../authz<br /> use-sasl = true<br /> pico /data/authz
add the following:
[groups]<br /> whatever = username1,username2<br /> [/]<br /> @whatever = rw<br />
to schedule svnserve on startup (sorry, couldn’t find one, so manually make one):
sudo cp /etc/init.d/skeleton /etc/init.d/svnserve sudo chmod 755 /etc/init.d/svnserve sudo update-rc.d svnserve defaults sudo pico /etc/init.d/svnserve
change DESC to “subversion server”, change NAME to “svnserve”, take out the “s” in the “sbin” of DAEMON (to make it just /bin/), change DAEMON_ARGS to “-d -r /data –log-file /var/log.svn.log”
sudo /etc/init.d/svnserver start
test your favorite svn client (e.g. TortoiseSVN)!
I think it’s technically possible. See the link point 8.GSSAPI and microsoft technet article as well.
I’ve hands-on experience with SVN 1.6 + SASL as described here. It’s works fine for us. So I think your biggest challenge is to “married” SASL and Active directory.