I am trying to authenticate subversion users against sasl+ldap. Other questions about this problem seem to be related to earlier versions of subversion, or sasldb authentication.

lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 8.1 (jessie)
Release:    8.1
Codename:   jessie

svnserve --version
svnserve, version 1.8.10 (r1615264)
Cyrus SASL authentication is available.

saslauthd -v
saslauthd 2.1.26
authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap

The sasl+LDAP part seems to be correctly configured:

testsaslauthd -u user -p password -r realm
0: OK "Success."

Testing it with wrong credentials gives an error:

testsaslauthd -u wronguser -p wrongpassword -r wrongrealm
0: NO "authentication failed"

And it shows an error in auth.log:

Sep 10 22:23:53 xxx saslauthd[30948]: Entry not found ((&(objectClass=posixAccount)(uid=wronguser))).
Sep 10 22:23:53 xxx saslauthd[30948]: Authentication failed for wronguser/wrongrealm: User not found (-6)
Sep 10 22:23:53 xxx saslauthd[30948]: do_auth         : auth failure: [user=wronguser] [service=imap] [realm=wrongrealm] [mech=ldap] [reason=Unknown]

So I assume SASL can contact the LDAP server fine and get the data.

I configured subversion with:

/etc/sasl2/svn.conf:
pwcheck_method: saslauthd
mech_list: DIGEST-MD5

Checking svnserve with strace -e open shows that it opens this file, and not /usr/lib/sasl2 or similar.

When I try to connect from an svn client I get

Sep 10 22:31:38 xxx svnserve: DIGEST-MD5 common mech free

in auth.log for each try, but no info or errors from saslauthd.

If I add the user account to sasldb2:

saslpasswd2 user -u realm
Password: password

I can connect from the svn client correctly. So it looks like sasl uses the sasldb2, even though the config for svn and for saslauthd configures LDAP.

user1387

1 Answer

Solution: I attached a debugger and stepped through the authentication. Turns out I had two problems: Permissions on /var/log/saslauthd:

drwx--x---  2 root        sasl         140 Sep 27 09:44 saslauthd

means the "subversion" server user needs to be part of group sasl.

The second one is more complicated: DIGEST-MD5 relies on plain text passwords to calculate a hash on the server side. My LDAP directory stores SSHA encrypted passwords, so the server could never compare the MD5 from the client with an MD5 computed locally. I guess the directory could store MD5(username:realm:password), but I'm not sure if this is supported in sasl, and how you would manage that if you have several realms.

I don't really want to store plain text passwords, so for now the solution is to only use unencrypted authentication:

# cat /etc/sasl2/svn.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Not a perfect solution, but it seems to work for now. I think I'll enforce ssh+svn for external access, and maybe I'll invest some time into TLS support for svnserve.

(This would've been much less time consuming with a few more diagnostic options, and better documentation.)

user1387
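An added illustration of the answer's DIGEST-MD5 point (example code, not from the poster): the server can only recompute the RFC 2831 response if it holds the cleartext password or the pre-hashed H(username:realm:password), while a one-way {SSHA} hash lets it check a PLAIN/LOGIN password but never a digest. The {PLAIN}/{HA1} storage tags, the nonces and the digest-uri are constructed assumptions for the demonstration.

```python
import base64
import hashlib
from typing import Optional

# Constructed sample exchange (not taken from the question): one DIGEST-MD5 round.
USER, REALM, PASSWORD = "user", "realm", "password"
NONCE, CNONCE, NC, QOP, URI = "srvnonce1", "clinonce1", "00000001", "auth", "svn/repo.example"

def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt). One-way."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored: str, password: str) -> bool:
    """What the LDAP side can do when it receives a PLAIN/LOGIN password."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """RFC 2831 H(username:realm:password) as raw 16-byte MD5."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def digest_md5_response(ha1: bytes, nonce: str, cnonce: str, nc: str, qop: str, uri: str) -> str:
    """RFC 2831 response-value for qop=auth; client and server both derive it from HA1."""
    hexmd5 = lambda data: hashlib.md5(data).hexdigest()
    a1 = ha1 + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{uri}".encode()
    return hexmd5(f"{hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{hexmd5(a2)}".encode())

def server_verify_digest(stored: str, client_response: str) -> Optional[bool]:
    """Server side: recompute the response from the stored credential.
    Returns None when the stored form cannot yield HA1 at all, which is
    the SSHA case described in the answer. Tags {PLAIN}/{HA1} are hypothetical."""
    if stored.startswith("{PLAIN}"):      # cleartext, as sasldb2 effectively provides
        ha1 = digest_md5_ha1(USER, REALM, stored[len("{PLAIN}"):])
    elif stored.startswith("{HA1}"):      # pre-hashed MD5(user:realm:pass), hex encoded
        ha1 = bytes.fromhex(stored[len("{HA1}"):])
    else:                                 # {SSHA} and other one-way hashes
        return None
    return digest_md5_response(ha1, NONCE, CNONCE, NC, QOP, URI) == client_response

if __name__ == "__main__":
    client = digest_md5_response(digest_md5_ha1(USER, REALM, PASSWORD), NONCE, CNONCE, NC, QOP, URI)
    print(server_verify_digest("{PLAIN}" + PASSWORD, client))                # True
    print(server_verify_digest(ssha_hash(PASSWORD, b"12345678"), client))  # None: cannot verify
    print(ssha_verify(ssha_hash(PASSWORD, b"12345678"), PASSWORD))         # True with PLAIN/LOGIN
```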