SVN + SASL + ActiveDirectory: How to

I’m trying to set up SVN to authenticate against an ActiveDirectory. I know this is possible if you set up SVN to be served using Apache, but doing so introduces too much overhead, and SVN runs too slow. From reading the SVN docs, it sounds like it should now be possible (since SASL was integrated into SVN in 1.5) to configure SVN to authenticate against ActiveDirectory without using Apache. Unfortunately the documentation from SVN and SASL is extremely generic, and lacks specifics to help get this working properly.

Has anyone gotten this working? It would be a huge help if you could provide some sample configuration files, or high-level steps to point myself (and likely others) in the right direction on this.

4 solutions collected from the web for “SVN + SASL + ActiveDirectory: How to”

    Run SVN on Windows using VisualSVN Server

    I found this post in one of the mailing lists. Next time I try to get this working I’m going to reference this information. I’ll quote it below for reference.

    I have just tried getting svnserve + SASL working on Windows, with
    help from Mark Phippard, and there are a few additions/corrections
    needed to the svn.serverconfig.svnserve.sasl section.

    1. You talk about the subversion.conf file, but on Windows at least it
      is called svn.conf.

    2. Under Windows the default name for the database file is sasldb2
      located in C:\CMU. If you do not specify anything in svn.conf, this is
      where SASL will look for it when trying to authenticate for
      Subversion.

    3. However, you can specify the SASL database file to use by adding
      another line to svn.conf, of the form: sasldb_path:
      c:\svn_repository\sasldb That is, a file called sasldb in
      c:\svn_repository

    4. The registry keys could be better described: SearchPath – directory
      path containing the sasl*.dll plugins, e.g. saslCRAMMD5.dll (we’re not
      talking about libsasl.dll here). ConfFile – directory path containing
      the svn.conf file. Note the inconsistency here: this is the directory
      containing the conf file, whereas the sasldb_path value in the conf
      file points to the database file itself, not its containing directory.

    5. When using saslpasswd2 on Windows, you need to specify the database
      file explicitly (don’t think it will use c:\CMU\sasldb2 as a default),
      so a better example of the command line would be:

    saslpasswd2 -c -f c:\svn_repository\sasldb -u realm username

    6. Windows users don’t (usually) build their own programs – they have
      servants/developers to do that for them 😉 So where are they gonna
      get saslpasswd2 from? Open Collab Net have a convenient svn server
      installer which includes these programs, and even installs svnserve as
      a service. Might be worth a mention. Not sure what link you would
      provide as it only exists on the merge-tracking/Beta site at present.

    Simon

    SVN with SASL enabled (on a Debian v7 box), using Active Directory (on another server)

    Note that I had already set up samba and winbind, which included libsasl2-2, so also get the startup executable, svnserve and the modules (needed for the svn plain (or other) mechanism to work; just FYI, this puts them in /usr/lib/x86_64-linux-gnu/sasl2/libplain.so):

    sudo apt-get install sasl2-bin svnserve libsasl2-modules
    
    sudo pico /etc/default/saslauthd
    

    change "START=no" to "START=yes", and MECHANISMS="pam" to MECHANISMS="ldap", and THREADS=0 (not 5), and remove the /var in front of /run from the last line so that it’s OPTIONS="-c -m /run/saslauthd"; control x, y, enter

    sudo pico /etc/saslauthd.conf
    

    add the following (note: you may need an “ou=folder” in front of the dc= series):

    ldap_servers: ldap://hostname.of.server
    ldap_search_base: dc=hostname,dc=of,dc=server
    ldap_bind_dn: cn=usernamehere,dc=hostname,dc=of,dc=server
    ldap_bind_pw: password
    ldap_filter: samaccountname=%u

    sudo /etc/init.d/saslauthd start
    

    “sudo testsaslauthd -u usernamehere -p password” to test the ldap setup and “cat /var/log/auth.log” to see where it logs to

    sudo pico /usr/lib/sasl2/svn.conf
    

    add the following:
    pwcheck_method: saslauthd
    mech_list: plain

    mkdir /data
    svnadmin create /data/repohere
    

    assuming some sort of previous “svnadmin dump /data/repohere >/data/repohere.dump”
    svnadmin load /data/repohere </data/repohere.dump

    pico /data/repohere/conf/svnserve.conf
    

    uncomment (remove the leading pound and the leading space); and, modify anon-access and authz-db (and note that I put authz in /data so that my multiple repos share it):

    anon-access = none
    auth-access = write
    authz-db = ../../authz
    use-sasl = true

    pico /data/authz
    

    add the following:

    [groups]
    whatever = username1,username2
    [/]
    @whatever = rw
    

    to schedule svnserve on startup (sorry, couldn’t find one, so manually make one):

    sudo cp /etc/init.d/skeleton /etc/init.d/svnserve
    sudo chmod 755 /etc/init.d/svnserve
    sudo update-rc.d svnserve defaults
    sudo pico /etc/init.d/svnserve
    

    change DESC to "subversion server", change NAME to "svnserve", take out the "s" in the "sbin" of DAEMON (to make it just /bin/), change DAEMON_ARGS to "-d -r /data --log-file /var/log.svn.log"

    sudo /etc/init.d/svnserve start
    

    test your favorite svn client (e.g. TortoiseSVN)!
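
Added example, not part of the answer above or of Subversion or Cyrus SASL: a small Python check over constructed copies of the three files that answer edits, flagging where passwords cross the network unencrypted (`ldap://` without `ldap_start_tls`, and the PLAIN mechanism, which offers no SASL security layer, over `svn://`). The `[general]`/`[sasl]` section headers in the sample, the function names and the finding labels are assumptions of this sketch.

```python
import configparser
# Constructed copies of the answer's three files; the [general]/[sasl] headers are assumed.
SASLAUTHD_CONF = """\
ldap_servers: ldap://hostname.of.server
ldap_search_base: dc=hostname,dc=of,dc=server
ldap_bind_dn: cn=usernamehere,dc=hostname,dc=of,dc=server
ldap_bind_pw: password
ldap_filter: samaccountname=%u
"""
SASL_SVN_CONF = "pwcheck_method: saslauthd\nmech_list: plain\n"
SVNSERVE_CONF = """\
[general]
anon-access = none
auth-access = write
authz-db = ../../authz
[sasl]
use-sasl = true
"""

def parse_kv(text):
    """Parse the 'key: value' lines of saslauthd.conf and the SASL svn.conf."""
    pairs = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit(saslauthd_conf, sasl_svn_conf, svnserve_conf):
    """Return findings about where passwords travel unencrypted."""
    findings = []
    ldap, sasl = parse_kv(saslauthd_conf), parse_kv(sasl_svn_conf)
    svn = configparser.ConfigParser(interpolation=None)
    svn.read_string(svnserve_conf)
    # ldap:// without StartTLS sends the bind and user passwords in clear text.
    servers = ldap.get("ldap_servers", "").split()
    start_tls = ldap.get("ldap_start_tls", "no").lower() == "yes"
    if any(s.lower().startswith("ldap://") for s in servers) and not start_tls:
        findings.append("ldap-cleartext: use ldaps:// or ldap_start_tls: yes")
    # PLAIN provides no SASL security layer, so svn:// carries the password as-is.
    mechs = sasl.get("mech_list", "").lower().split()
    if svn.getboolean("sasl", "use-sasl", fallback=False) and "plain" in mechs:
        findings.append("svn-plain: tunnel svn:// (e.g. TLS wrapper or VPN)")
    # svnserve defaults anon-access to read when the key is absent.
    if svn.get("general", "anon-access", fallback="read").strip() != "none":
        findings.append("anon-access: unauthenticated access is enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SASLAUTHD_CONF, SASL_SVN_CONF, SVNSERVE_CONF)))
```

On a real host, also confirm that /etc/saslauthd.conf is readable only by root, since it stores `ldap_bind_pw`.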

    I think it’s technically possible. See the link point 8.GSSAPI and Microsoft TechNet article as well.

    I have hands-on experience with SVN 1.6 + SASL as described here. It works fine for us. So I think your biggest challenge is to “marry” SASL and Active Directory.
