In general, user access to an SVN server is divided into two parts: authentication and authorization. SVN has its own built-in authentication and authorization mechanism. By default it uses clear text, and other modules can be used to add encryption, but that approach is cumbersome and the final result is not satisfactory. Fortunately, SVN supports SASL, which gives us more options for user authentication and authorization.
What is SASL? I found an introduction in Subversion's official documentation:
What Is SASL?
The Cyrus Simple Authentication and Security Layer is open source software written by Carnegie Mellon University. It adds generic authentication and encryption capabilities to any network protocol, and as of Subversion 1.5 and later, both the svnserve server and svn client know how to make use of this library. It may or may not be available to you: if you’re building Subversion yourself, you’ll need to have at least version 2.1 of SASL installed on your system, and you’ll need to make sure that it’s detected during Subversion’s build process. If you’re using a prebuilt Subversion binary package, you’ll have to check with the package maintainer as to whether SASL support was compiled in. SASL comes with a number of pluggable modules that represent different authentication systems: Kerberos (GSSAPI), NTLM, One-Time-Passwords (OTP), DIGEST-MD5, LDAP, Secure-Remote-Password (SRP), and others. Certain mechanisms may or may not be available to you; be sure to check which modules are provided. You can download Cyrus SASL (both code and documentation) from http://asg.web.cmu.edu/sasl/s…
The main idea is that the Simple Authentication and Security Layer is open-source software produced by Carnegie Mellon University (to be exact, it was written by John Gardiner Myers). It adds general authentication and encryption functions to any network protocol. From version 1.5 on, both the Subversion (this is the full name of SVN…) server and client know how to use the library. If you plan to compile SVN yourself and want SASL available, you must install SASL version 2.1 or higher and make sure the SASL you installed is detected during the build. If you use a precompiled binary package, you need to ask the package maintainer whether SASL support was compiled in. SASL uses different modules for different authentication systems: Kerberos (GSSAPI), NTLM, One-Time-Passwords (OTP), DIGEST-MD5, LDAP, Secure-Remote-Password (SRP), and so on. Whether a given authentication mechanism is available depends on whether you have the module for that mechanism. You can download Cyrus SASL from http://asg.web.cmu.edu/sasl/s.
That covers the basic introduction. The following shows how to install and configure SVN with SASL so that SVN can authenticate users against LDAP through SASL. It is based on CentOS 7.
1. Install the relevant components:
yum install -y subversion cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain
2. Check the SASL version and the authentication modules it provides:
# saslauthd -v
saslauthd 2.1.26
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap httpform
LDAP support is listed here.
3. Change the user authentication mechanism of SASL to LDAP:
cp /etc/sysconfig/saslauthd /etc/sysconfig/saslauthd.save
sed -i 's/MECH=pam/MECH=ldap/' /etc/sysconfig/saslauthd
4. Edit the SASL configuration file /etc/saslauthd.conf. If the file does not exist, create it:
ldap_servers: ldap://ldap.server      # fill in your server, as a domain name (if your DNS works) or an IP address
ldap_default_domain: domain.com      # default domain
ldap_search_base: DC=domain,dc=com
ldap_bind_dn: domain\user            # account used to search the directory for the user
ldap_password: password
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
ldap_mech: DIGEST-MD5
ldap_filter: sAMAccountName=%u
ldap_password_attr: userPassword
ldap_timeout: 10
ldap_cache_ttl: 30
ldap_cache_mem: 32786
These are the settings needed to complete the LDAP side. Note that with ldap:// and ldap_start_tls: no the bind to the LDAP server is not encrypted.
5. Restart the SASL service to apply the configuration and test whether authentication succeeds:
systemctl restart saslauthd.service
testsaslauthd -u user -p 'password'
Replace user and password with a real LDAP account and its password.
6. Edit SVN's SASL configuration file /etc/sasl2/svn.conf. Again, if the file does not exist, create it:
vi /etc/sasl2/svn.conf
pwcheck_method: saslauthd    # user authentication method
mech_list: PLAIN LOGIN       # how the client transfers the user's credentials (both send the password in clear text over the svn connection)
7. Edit the repository configuration:
vim /yourrepository/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
#password-db = passwd    # the passwd file is disabled
authz-db = authz         # enable authz if you want permission control over the repository
[sasl]
use-sasl = true          # enable SASL user authentication
8. Restart SVN and test it.
When restarting SVN, use the -d -r options to specify the repository (svnserve -d -r <repository root>). The authorization part is simple and follows this format in the authz file:
[/path]
username = r
username = rw    # users not listed here have no permission
The @ symbol is used to refer to user groups. User groups are created in the [groups] section as groupname = user1,user2,...
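As an added example (not part of the original post), a small POSIX shell audit that checks the settings from steps 4 and 7 for the two weaknesses a reviewer would look for first: a saslauthd bind over plain ldap:// without STARTTLS sends every user's password in clear text between saslauthd and the directory, and once use-sasl is on svnserve.conf should deny anonymous access and no longer point at the local passwd file. The config contents, ldap.example.com and the temp-dir paths are constructed.

```shell
#!/bin/sh
# Constructed example (not from the original post): audit saslauthd.conf and
# svnserve.conf for weak settings. Sample files are written to a temp dir.
set -u
# Print the value of "key: value" / "key = value" from a file, skipping
# commented-out lines and trailing "# ..." remarks. $1 = file, $2 = key.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//' | head -n 1
}
# Returns 0 when the LDAP bind is protected (ldaps:// or STARTTLS), 1 when
# the walkthrough's ldap:// + "ldap_start_tls: no" would send passwords in clear.
check_ldap_tls() {
    servers=$(cfg_get "$1" ldap_servers)
    tls=$(cfg_get "$1" ldap_start_tls)
    case "$servers" in ldaps://*) return 0 ;; esac
    [ "$tls" = "yes" ] && return 0
    return 1
}
# Returns 0 when svnserve.conf enables SASL, denies anonymous access and no
# longer uses the local passwd file; 1 otherwise.
check_svnserve() {
    [ "$(cfg_get "$1" use-sasl)" = "true" ] || return 1
    [ "$(cfg_get "$1" anon-access)" = "none" ] || return 1
    [ -z "$(cfg_get "$1" password-db)" ] || return 1
    return 0
}
TMP=$(mktemp -d)
# Constructed saslauthd.conf mirroring step 4 (clear-text LDAP bind).
cat > "$TMP/saslauthd.conf" <<'EOF'
ldap_servers: ldap://ldap.example.com
ldap_start_tls: no
ldap_auth_method: bind
EOF
# Constructed svnserve.conf mirroring step 7.
cat > "$TMP/svnserve.conf" <<'EOF'
[general]
anon-access = none
auth-access = write
#password-db = passwd
authz-db = authz
[sasl]
use-sasl = true
EOF
check_ldap_tls "$TMP/saslauthd.conf" \
    || echo "WARN: saslauthd binds over plain ldap://; use ldaps:// or ldap_start_tls: yes"
check_svnserve "$TMP/svnserve.conf" \
    && echo "OK: svnserve uses SASL, anon-access is none, passwd file is disabled"
```

Run it against the real /etc/saslauthd.conf and the repository's svnserve.conf by passing those paths to the two check functions instead of the constructed files.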