SVN authentication and authorization using the LDAP protocol

Time: 2020-2-18

Preface

In general, a user's access to an SVN server has two parts: authentication (who the user is) and authorization (what the user may do). SVN has its own built-in authentication and authorization mechanism. By default it keeps its password file in clear text; other modules can add encryption, but that route is cumbersome and the result is not satisfactory. Fortunately, SVN supports SASL, which gives us more options for user authentication and authorization.

What is SASL? The official Subversion documentation introduces it as follows:

What Is SASL?

The Cyrus Simple Authentication and Security Layer is open source software written by Carnegie Mellon University. It adds generic authentication and encryption capabilities to any network protocol, and as of Subversion 1.5 and later, both the svnserve server and svn client know how to make use of this library. It may or may not be available to you: if you’re building Subversion yourself, you’ll need to have at least version 2.1 of SASL installed on your system, and you’ll need to make sure that it’s detected during Subversion’s build process. If you’re using a prebuilt Subversion binary package, you’ll have to check with the package maintainer as to whether SASL support was compiled in. SASL comes with a number of pluggable modules that represent different authentication systems: Kerberos (GSSAPI), NTLM, One-Time-Passwords (OTP), DIGEST-MD5, LDAP, Secure-Remote-Password (SRP), and others. Certain mechanisms may or may not be available to you; be sure to check which modules are provided. You can download Cyrus SASL (both code and documentation) from http://asg.web.cmu.edu/sasl/s…

In short, the Simple Authentication and Security Layer is open-source software from Carnegie Mellon University (to be exact, it was written by John Gardiner Myers). It adds general authentication and encryption functions to any network protocol. Since version 1.5, both the Subversion (the full name of SVN) server and client know how to use the library. If you plan to compile SVN yourself and want SASL available, you must install SASL version 2.1 or higher and make sure the build process detects it. If you use precompiled binary packages, ask the package maintainer whether SASL support was compiled in. SASL uses pluggable modules for the different authentication systems: Kerberos (GSSAPI), NTLM, one-time passwords (OTP), DIGEST-MD5, LDAP, Secure Remote Password (SRP), and so on. Whether a given authentication mechanism is available depends on whether the corresponding module is installed. You can download Cyrus SASL from http://asg.web.cmu.edu/sasl/s.

That is enough introduction. The steps below show how to install and configure svn and SASL so that SVN authenticates users against LDAP through SASL. They are based on CentOS 7.

1. Install the relevant components:

yum install -y subversion cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain

2. Check the SASL version and the authentication mechanisms it provides:

# saslauthd -v
saslauthd 2.1.26
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap httpform

ldap appears in the list, so LDAP support is available.

3. Change saslauthd's authentication mechanism from PAM to LDAP (after backing up the original file):

cp /etc/sysconfig/saslauthd /etc/sysconfig/saslauthd.save
sed -i 's/MECH=pam/MECH=ldap/' /etc/sysconfig/saslauthd

4. Edit the SASL configuration file /etc/saslauthd.conf. If the file does not exist, create it:

# your LDAP server: a host name if your DNS works normally, otherwise an IP address
ldap_servers: ldap://ldap.server
# default domain
ldap_default_domain: domain.com
ldap_search_base: dc=domain,dc=com
ldap_bind_dn: domain\user
ldap_password: password
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
# only used for the bind when ldap_use_sasl is yes
ldap_mech: DIGEST-MD5
ldap_filter: sAMAccountName=%u
ldap_password_attr: userPassword
ldap_timeout: 10
ldap_cache_ttl: 30
ldap_cache_mem: 32786

These are the settings saslauthd needs to authenticate users against LDAP. Note that with ldap_start_tls: no and a plain ldap:// URL, the bind password and every user's password cross the network in clear text, and ldap_password sits in this file in clear text, so the file should be readable by root only.

5. Restart the saslauthd service to apply the configuration, then test that an LDAP account can log in:

systemctl restart saslauthd.service
testsaslauthd -u user -p 'password'

Replace user and password with the credentials of a real LDAP account. A successful test prints 0: OK "Success.".

6. Edit SVN's SASL configuration file /etc/sasl2/svn.conf. Again, if the file does not exist, create it:

vi /etc/sasl2/svn.conf
    # how users are verified: hand the credentials to saslauthd
    pwcheck_method: saslauthd
    # how the client transfers the credentials; saslauthd can only verify PLAIN and LOGIN
    mech_list: PLAIN LOGIN

Because PLAIN and LOGIN send the password itself and offer no SASL encryption layer, the svn:// connection should be protected by other means, for example an SSH tunnel.

7. Edit the configuration of the repository:

vim /yourrepository/conf/svnserve.conf
    [general]
    anon-access = none
    auth-access = write
    # leave password-db commented out: the passwd file is not used once SASL is enabled
    # password-db = passwd
    # turn on authz-db if you want per-path access control over the repository
    authz-db = authz
    [sasl]
    # enable SASL user authentication
    use-sasl = true

8. Restart svnserve and test.

When restarting svnserve, use the -d (daemon) and -r (repository root) parameters, for example svnserve -d -r /path/to/repositories. The authorization part is simple and is configured in the authz file:

[/path]
username = r
# username = rw gives read-write access instead; a user who is not listed has no access
# the @ symbol refers to a user group
@groupname = rw

User groups are created in the [groups] section:

[groups]
groupname = user1,user2
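As an added check (an example script written for this post, not taken from it or from the SASL or Subversion projects), the following POSIX shell script reads the four files edited in steps 3 to 7 and reports settings that would stop SASL/LDAP logins or leave them weak; the file paths are the ones used above and the finding texts are my own wording.

```shell
#!/bin/sh
# Added example (not from the original post): lint the four files edited in steps 3-7
# for settings that stop SASL/LDAP logins or leave them weak.  Usage:
#   sh svn_sasl_lint.sh /etc/sysconfig/saslauthd [saslauthd.conf svn.conf svnserve.conf]
# Value of "key: value" (saslauthd.conf and svn.conf style); empty if absent.
kv_colon() { sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" 2>/dev/null | head -n 1; }
# Value of "key = value" (svnserve.conf style); lines commented out with # do not match.
kv_equal() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | head -n 1; }
# Each check prints one line per finding and returns the number of findings.
check_saslauthd() {  # $1 = /etc/sysconfig/saslauthd, $2 = /etc/saslauthd.conf
  n=0
  grep -q '^MECH=ldap' "$1" 2>/dev/null || { echo "ERR  $1: MECH is not ldap"; n=$((n+1)); }
  for key in ldap_servers ldap_search_base ldap_filter; do
    [ -n "$(kv_colon "$2" $key)" ] || { echo "ERR  $2: $key is not set"; n=$((n+1)); }
  done
  case "$(kv_colon "$2" ldap_servers)" in
    ldaps://*) ;;   # LDAP over TLS from the first byte: fine
    *) [ "$(kv_colon "$2" ldap_start_tls)" = yes ] ||
       { echo "WARN $2: no TLS, bind and user passwords cross the network in clear text"; n=$((n+1)); } ;;
  esac
  return $n
}
check_svn_conf() {  # $1 = /etc/sasl2/svn.conf
  n=0
  [ "$(kv_colon "$1" pwcheck_method)" = saslauthd ] ||
    { echo "ERR  $1: pwcheck_method must be saslauthd"; n=$((n+1)); }
  # saslauthd needs the password itself, so only PLAIN/LOGIN can be verified through it.
  kv_colon "$1" mech_list | grep -qiE 'plain|login' ||
    { echo "ERR  $1: mech_list must contain PLAIN or LOGIN"; n=$((n+1)); }
  return $n
}
check_svnserve() {  # $1 = <repository>/conf/svnserve.conf
  n=0
  [ "$(kv_equal "$1" use-sasl)" = true ] || { echo "ERR  $1: use-sasl is not true"; n=$((n+1)); }
  [ -z "$(kv_equal "$1" password-db)" ] ||
    { echo "WARN $1: password-db is still active; it is ignored with SASL, comment it out"; n=$((n+1)); }
  [ "$(kv_equal "$1" anon-access)" = none ] || { echo "WARN $1: anon-access is not none"; n=$((n+1)); }
  [ -n "$(kv_equal "$1" authz-db)" ] ||
    { echo "WARN $1: no authz-db, every LDAP user gets auth-access to the whole repository"; n=$((n+1)); }
  return $n
}
main() {  # runs all checks; exit status is non-zero when anything was found
  total=0
  check_saslauthd "$1" "${2:-/etc/saslauthd.conf}" || total=$((total+$?))
  check_svn_conf "${3:-/etc/sasl2/svn.conf}" || total=$((total+$?))
  check_svnserve "${4:-/yourrepository/conf/svnserve.conf}" || total=$((total+$?))
  echo "$total finding(s)"; [ "$total" -eq 0 ]
}
if [ $# -gt 0 ]; then main "$@"; fi
```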
