SVN + SASL + LDAP authentication

Posted by 王万林 Ben


Preface

To improve the security of SVN authentication, this article walks through configuring SVN to authenticate users against LDAP.

Steps

SVN server

The SVN server is a CentOS 7.9 host.

Install the packages:

[root@computing-host-001 ~]# yum install -y subversion cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain

Configure cyrus-sasl:

[root@computing-host-001 ~]# cat > /etc/saslauthd.conf << EOF
ldap_servers: ldaps://ipa-server-001.icinfra.cn
ldap_mech: PLAIN
ldap_search_base: cn=users,cn=accounts,dc=icinfra,dc=cn
#ldap_filter: (cn=%u)
ldap_filter: (uid=%u)
ldap_bind_dn: uid=wanlinwang,cn=users,cn=accounts,dc=icinfra,dc=cn
ldap_password: 123456
EOF
[root@computing-host-001 ~]# cat /etc/sysconfig/saslauthd
# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
SOCKETDIR=/run/saslauthd

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=ldap

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS=
[root@computing-host-001 ~]# 

Start cyrus-sasl:

[root@computing-host-001 ~]# systemctl enable saslauthd --now

Verify it: 123456 is the correct LDAP password and 1234567 is a wrong one:

[root@computing-host-001 ~]# testsaslauthd -u wanlinwang -p 123456
0: OK "Success."
[root@computing-host-001 ~]# testsaslauthd -u wanlinwang -p 1234567
0: NO "authentication failed"
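Before putting the saslauthd configuration above into service, two things decide how safe it is: the directory must be reached over ldaps://, because saslauthd forwards every password it checks to the LDAP server in a PLAIN bind, and /etc/saslauthd.conf must be readable by root only, because it stores the bind account's password in cleartext. The script below is an added example (not from the original post): it audits a saslauthd.conf whose path you pass in, runs a positive and a negative testsaslauthd probe when that tool is installed, and finishes by exercising itself on a constructed sample file. The SASL_TEST_USER and SASL_TEST_PASS variables and the PLACEHOLDER values are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: audit a saslauthd.conf of the kind shown above.
# Exit status 0 means every hard check passed.

audit_saslauthd_conf() {
    conf="$1"
    rc=0

    # 1. Transport. saslauthd sends the user's password to the directory in a
    #    PLAIN bind, so the URL must be ldaps:// or the password is on the wire.
    servers=$(sed -n 's/^ldap_servers:[[:space:]]*//p' "$conf")
    case "$servers" in
        ldaps://*) echo "OK:   ldap_servers uses ldaps://" ;;
        *)         echo "FAIL: ldap_servers is '$servers', expected an ldaps:// URL"; rc=1 ;;
    esac

    # 2. Secrecy of the bind credential. ldap_password is stored in cleartext,
    #    so group and other must have no permission bits at all.
    if grep -q '^ldap_password:' "$conf"; then
        go_bits=$(ls -ld "$conf" | cut -c5-10)   # group+other part of "-rw-------"
        if [ "$go_bits" = "------" ]; then
            echo "OK:   $conf is not readable by group/other"
        else
            echo "FAIL: $conf holds ldap_password but is readable by group/other (chmod 600 it)"; rc=1
        fi
    fi

    # 3. Lookup attribute. The login name is the entry's uid here; a filter on cn
    #    would compare it against the entry's common name instead.
    if grep -Eq '^ldap_filter:[[:space:]]*\(uid=%u\)' "$conf"; then
        echo "OK:   ldap_filter matches on uid=%u"
    else
        echo "WARN: ldap_filter does not match on uid=%u"
    fi
    return $rc
}

# Live probe, skipped when the SASL tools are not on this host. The result is
# judged on the "OK"/"NO" in testsaslauthd's reply (as seen above), not on its exit code.
probe_saslauthd() {
    user="$1"; pass="$2"
    command -v testsaslauthd >/dev/null 2>&1 || { echo "SKIP: testsaslauthd not installed"; return 0; }
    testsaslauthd -u "$user" -p "$pass" 2>&1 | grep -q ': OK' \
        || { echo "FAIL: correct password rejected"; return 1; }
    testsaslauthd -u "$user" -p "${pass}x" 2>&1 | grep -q ': NO' \
        || { echo "FAIL: wrong password not rejected"; return 1; }
    echo "OK:   saslauthd accepts only the correct password"
}

# Self-test on a constructed sample (same shape as the post's file, placeholder secret).
sample=$(mktemp)
cat > "$sample" << 'EOF'
ldap_servers: ldaps://ipa-server-001.icinfra.cn
ldap_mech: PLAIN
ldap_search_base: cn=users,cn=accounts,dc=icinfra,dc=cn
ldap_filter: (uid=%u)
ldap_bind_dn: uid=wanlinwang,cn=users,cn=accounts,dc=icinfra,dc=cn
ldap_password: PLACEHOLDER_BIND_PASSWORD
EOF
chmod 644 "$sample"
if audit_saslauthd_conf "$sample"; then echo "unexpected: world-readable file passed"; else echo "-> mode 644 rejected, as intended"; fi
chmod 600 "$sample"
if audit_saslauthd_conf "$sample"; then echo "-> all hard checks pass"; else echo "unexpected: sample failed"; fi
probe_saslauthd "${SASL_TEST_USER:-wanlinwang}" "${SASL_TEST_PASS:-PLACEHOLDER}"
rm -f "$sample"
```

Run it as root against the real file (`audit_saslauthd_conf /etc/saslauthd.conf`) after the `cat > /etc/saslauthd.conf` step; the permission check is the one most often missed, since `cat >` creates the file with the shell's default umask.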

Create an SVN repository and start svnserve:

[root@computing-host-001 ~]# svnadmin create --fs-type fsfs svn_repo
[root@computing-host-001 ~]# cat svn_repo/conf/svnserve.conf | grep -Ev '^\s*#'
[general]
anon-access = none
auth-access = write
authz-db = authz
[sasl]
use-sasl = true
[root@computing-host-001 ~]# cat svn_repo/conf/authz | grep -Ev '^\s*#'
[aliases]
[groups]
[/]
wanlinwang = rw
[root@computing-host-001 ~]# svnserve -d -r ~/svn_repo --listen-port 8888
[root@computing-host-001 ~]# ps -ef| grep svns
root      2815     1  0 10:40 ?        00:00:00 svnserve -d -r /root/svn_repo --listen-port 8888
root      2846  2506  0 10:42 pts/2    00:00:00 grep --color=auto svns
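The two files svnserve reads deserve the same kind of check. svnserve.conf must refuse anonymous access, must hand passwords to SASL (with use-sasl off, svnserve consults the repository's local passwd file instead of LDAP) and must point at an authz file; authz should not grant write access to `*`, which means every user svnserve lets in. The script below is an added example (not from the original post) that audits both files given their paths and also warns when min-encryption in the [sasl] section is 0 or absent: saslauthd can only verify the PLAIN and LOGIN mechanisms, which provide no SASL security layer, so with the configuration above the LDAP password crosses the network in cleartext over svn:// unless the connection is tunnelled (SSH or VPN). The files at the end are constructed for the self-test.

```shell
#!/bin/sh
# Added example: audit svnserve.conf and authz before exposing the repository.

# Value of "key = value" in an INI-style file (first match; comment lines never match).
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

audit_svnserve_conf() {
    conf="$1"; rc=0
    [ "$(ini_value "$conf" anon-access)" = "none" ] \
        && echo "OK:   anon-access = none" \
        || { echo "FAIL: anon-access is '$(ini_value "$conf" anon-access)', expected none"; rc=1; }
    [ "$(ini_value "$conf" use-sasl)" = "true" ] \
        && echo "OK:   use-sasl = true (passwords are checked through SASL, i.e. LDAP)" \
        || { echo "FAIL: use-sasl is not true, svnserve would use the local passwd file"; rc=1; }
    [ -n "$(ini_value "$conf" authz-db)" ] \
        && echo "OK:   authz-db = $(ini_value "$conf" authz-db)" \
        || { echo "FAIL: authz-db unset, no path-based authorization"; rc=1; }
    minenc=$(ini_value "$conf" min-encryption)
    if [ -z "$minenc" ] || [ "$minenc" = "0" ]; then
        echo "WARN: min-encryption is 0/unset: PLAIN (the mechanism saslauthd verifies) carries the LDAP password in cleartext over svn://, tunnel the connection"
    fi
    return $rc
}

audit_authz() {
    authz="$1"; rc=0
    # "* = rw" hands write access to every authenticated user; "* = r" hands out read.
    if grep -Eq '^[[:space:]]*\*[[:space:]]*=[[:space:]]*rw' "$authz"; then
        echo "FAIL: authz grants write access to '*'"; rc=1
    elif grep -Eq '^[[:space:]]*\*[[:space:]]*=[[:space:]]*r[[:space:]]*$' "$authz"; then
        echo "WARN: authz grants read access to '*'"
    else
        echo "OK:   no wildcard rule in authz"
    fi
    # List who can write at the repository root, for review.
    awk '/^\[/{sec=$0} sec=="[/]" && /=[[:space:]]*rw/{print "INFO: rw on / for " $1}' "$authz"
    return $rc
}

# Self-test on constructed copies of the post's two files.
tmp=$(mktemp -d)
cat > "$tmp/svnserve.conf" << 'EOF'
[general]
anon-access = none
auth-access = write
authz-db = authz
[sasl]
use-sasl = true
EOF
cat > "$tmp/authz" << 'EOF'
[aliases]
[groups]
[/]
wanlinwang = rw
EOF
if audit_svnserve_conf "$tmp/svnserve.conf"; then echo "-> svnserve.conf passes (note the WARN)"; fi
if audit_authz "$tmp/authz"; then echo "-> authz passes"; fi
rm -r "$tmp"
```

On the server this is `audit_svnserve_conf ~/svn_repo/conf/svnserve.conf; audit_authz ~/svn_repo/conf/authz`. Two further points a reviewer would raise from the transcript above: svnserve is started as root, where a dedicated service account owning the repository is the usual choice, and port 8888 is listening on all interfaces, so the cleartext-password warning applies to every network path that can reach it.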

SVN client

On another server, run svn checkout and authenticate with the LDAP account and password:

[wanlinwang@computing-host-002 ~]$ mkdir  svn_working_copy/
[wanlinwang@computing-host-002 ~]$ cd svn_working_copy/
[wanlinwang@computing-host-002 ~/svn_working_copy]$ svn co svn://computing-host-001:8888/
Authentication realm: <svn://computing-host-001:8888> 242544f5-a785-46dc-9773-b79fe3fdd8a1
Password for 'wanlinwang': 

-----------------------------------------------------------------------
ATTENTION!  Your password for authentication realm:

   <svn://computing-host-001:8888> 242544f5-a785-46dc-9773-b79fe3fdd8a1

can only be stored to disk unencrypted!  You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible.  See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/home/wanlinwang/.subversion/servers'.
-----------------------------------------------------------------------
Store password unencrypted (yes/no)? yes
Checked out revision 0.
[wanlinwang@computing-host-002 ~/svn_working_copy]$ echo "First file" > test.txt
[wanlinwang@computing-host-002 ~/svn_working_copy]$ svn add test.txt 
A         test.txt
[wanlinwang@computing-host-002 ~/svn_working_copy]$ svn ci -m 'Added first file.'
Adding         test.txt
Transmitting file data .
Committed revision 1.
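Answering `yes` to the prompt above wrote the LDAP password to disk in cleartext under ~/.subversion/auth. The warning names the remedy: set store-plaintext-passwords to no in ~/.subversion/servers, after which Subversion caches the password only in an encrypted store where one is available and otherwise prompts for it each time. The function below is an added example (not from the original post): it enforces that setting idempotently in a servers file whose path you pass in, creating the file and the [global] section when missing, rewriting an existing `yes`, and otherwise inserting the line directly under `[global]`. The self-test at the end uses a temporary path instead of the real file.

```shell
#!/bin/sh
# Added example: stop the Subversion client from caching passwords in cleartext.

disable_plaintext_password_cache() {
    servers="$1"
    mkdir -p "$(dirname "$servers")"
    # Create the file with a [global] section if it does not exist yet.
    [ -f "$servers" ] || printf '[global]\n' > "$servers"
    grep -q '^\[global\]' "$servers" || printf '\n[global]\n' >> "$servers"
    if grep -Eq '^[[:space:]]*store-plaintext-passwords[[:space:]]*=' "$servers"; then
        # An existing, uncommented setting (possibly "yes") is rewritten in place.
        sed -i.bak -E 's/^[[:space:]]*store-plaintext-passwords[[:space:]]*=.*/store-plaintext-passwords = no/' "$servers"
    else
        # Otherwise add the line right below the [global] header.
        sed -i.bak '/^\[global\]/a\
store-plaintext-passwords = no' "$servers"
    fi
    rm -f "$servers.bak"
}

# Self-test on a temporary path (the real file is ~/.subversion/servers).
demo=$(mktemp -d)/servers
disable_plaintext_password_cache "$demo"
disable_plaintext_password_cache "$demo"    # second run changes nothing
cat "$demo"
rm -r "$(dirname "$demo")"
```

After running `disable_plaintext_password_cache ~/.subversion/servers`, remove the cached entry for the realm shown above (the files under ~/.subversion/auth/svn.simple) so the cleartext copy written by the first checkout does not linger.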

References:

https://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt

Svn authentication and authorization using LDAP protocol | Develop Paper: https://developpaper.com/svn-authentication-and-authorization-using-ldap-protocol/
