Re: [Freeipa-users] svnserve authentication against IPA

2015-09-09 Thread dbischof

Hi,

On Sat, 27 Jun 2015, Dmitri Pal wrote:


On 06/18/2015 05:09 AM, dbisc...@hrz.uni-kassel.de wrote:


I have a svnserve (Subversion 1.6.11) running on my IPA server. Currently, 
there's a separate user database with SASL auth:


/etc/sasl2/svn.conf
---
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2
mech_list: DIGEST-MD5
---

XXX/testrepo/conf/svnserve.conf
---
[general]
anon-access = none
authz-db = authz
realm = MYSUBDOMAIN.MYUNIVERSITY.DE
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
---

On a test system, I changed svnserve auth to saslauthd and IPA:

/etc/sasl2/svn.conf
---
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN
ldapdb_mech: PLAIN
---

XXX/testrepo/conf/svnserve.conf
---
[general]
anon-access = none
authz-db = authz
realm = MYSUBDOMAIN.MYUNIVERSITY.DE
[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
---

/etc/saslauthd.conf
---
ldap_servers: ldaps://localhost/
ldap_search_base: cn=users,cn=accounts,dc=MYSUBDOMAIN,dc=MYUNIVERSITY,dc=DE
---

Though this setup basically works, and svnserve and IPA are running on 
the same machine, I'm unhappy with PLAIN and "min-encryption = 0".


What would you suggest to improve security/enable encryption in this 
setup? I considered switching from svnserve to Apache, but that would 
imply that my users will have to get used to something new.


It seems that no one on the list knows details about svn configuration so if 
you figure it out please share the results with the list.


--
Thank you,
Dmitri Pal


For the record: in the meantime, I've abandoned svnserve in favour of 
Apache. It's more complicated to set up but also more flexible. In order 
to make it work with IPA, one needs (something similar to) the following 
included in the Apache configuration:


---
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

RedirectMatch ^(/svn)$ $1/
RedirectPermanent /svn/ /home/svn/

# The container directives (<Location>, <LimitExcept>, <Directory>) were lost
# when the mail was archived and are reconstructed here: the Location path is
# assumed from the redirect above, the LimitExcept method list from the usual
# mod_dav_svn read-only/read-write split. Everything else is as posted.
<Location /home/svn>
   DAV svn
   SVNParentPath /home/svn
   SVNListParentPath On
   SVNAutoversioning On
   SVNReposName "example.com SVN Repositories"
   SVNPathAuthz short_circuit
   AuthType Basic
   AuthName "example.com SVN Repositories"
   AuthBasicProvider ldap
   AuthLDAPBindAuthoritative on
   # search account (see remark 1); the user's own password is then checked
   # by binding to IPA as the DN the search returned
   AuthLDAPBindDN "uid=sysadev,CN=users,CN=accounts,DC=example,DC=com"
   AuthLDAPBindPassword XX
   # ldaps: the bind password and the users' passwords only cross to the IPA
   # server under TLS; uid is the login attribute, nsAccountLock is fetched too
   AuthLDAPURL "ldaps://ipa.example.com/CN=users,CN=accounts,DC=example,DC=com?uid,nsAccountLock?sub?(ObjectClass=*)"
   Require ldap-attribute nsAccountLock!="true"
   <LimitExcept GET PROPFIND OPTIONS REPORT>
      Require valid-user
   </LimitExcept>
   AuthzSVNAccessFile /etc/subversion/svn.acl
</Location>

<Directory /home/svn>
   Options +Indexes +FollowSymLinks
   AllowOverride All
   Order Allow,Deny
   Allow from all
</Directory>
---

I think this is more flexible and more secure than my svnserve approach.

Remarks:

1. "sysadev" is the username that I use for LDAP binding (an IPA user with 
a long-term password, no home directory and /sbin/nologin as login shell).


2. "/etc/subversion/svn.acl" contains the access rights for the individual 
SVN repos. It is similar to the "authz" files that svnserve uses.


3. Apache is HTTPS-only.


Mit freundlichen Gruessen/With best regards,

--Daniel.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
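The AuthLDAPURL in the configuration above packs the server, the search base, the attribute list, the scope and a filter into one string, and for every HTTP Basic login mod_authnz_ldap turns it into a search whose filter contains the name the browser sent. As an added example, not code from the thread, from httpd or from FreeIPA, the following Python parses such a URL along the RFC 4516 grammar, applies the defaults the mod_authnz_ldap documentation gives for an absent attribute list, scope or filter (uid, sub, `(objectClass=*)`), and builds the per-login filter with the name escaped per RFC 4515, which any code that splices an HTTP-supplied name into an LDAP filter has to do. The sample logins are constructed.

```python
"""Resolve an AuthLDAPURL into the search it drives, with the login name escaped.

Added example, not code from the thread or from httpd.  URL grammar per RFC 4516,
assertion-value escaping per RFC 4515; defaults for an absent attribute list, scope
and filter follow the mod_authnz_ldap documentation.  Sample logins are constructed.
"""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attributes: list   # first entry is the login-name attribute, the rest are fetched
    scope: str
    filter: str


def parse_ldap_url(url: str) -> LdapUrl:
    """ldap[s]://host[:port]/base_dn?attributes?scope?filter  (fields percent-encoded)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = tail.split("?")
    while len(fields) < 4:
        fields.append("")
    base_dn, attrs, scope, filt = (unquote(f) for f in fields[:4])
    return LdapUrl(
        scheme=scheme,
        host=host,
        port=int(port) if port else (636 if scheme == "ldaps" else 389),
        base_dn=base_dn,
        attributes=[a for a in attrs.split(",") if a] or ["uid"],
        scope="sub" if scope in ("", "base") else scope,   # mod_authnz_ldap treats base as sub
        filter=filt or "(objectClass=*)",
    )


# RFC 4515 section 3: these must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value that is about to be spliced into an LDAP filter.  Without this a
    login of '*)(uid=*' rewrites the filter instead of being matched literally."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # control and non-ASCII characters: escape each UTF-8 byte as \xx
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(url: LdapUrl, login: str) -> str:
    """The filter mod_authnz_ldap sends: URL filter ANDed with login-attribute=login."""
    return f"(&{url.filter}({url.attributes[0]}={ldap_filter_escape(login)}))"


def lookup_plan(url: LdapUrl, login: str) -> dict:
    """Everything the user lookup for one HTTP Basic login consists of."""
    return {
        "tls": url.scheme == "ldaps",
        "server": f"{url.host}:{url.port}",
        "base": url.base_dn,
        "scope": url.scope,
        "filter": user_search_filter(url, login),
        "fetch": url.attributes,
    }


if __name__ == "__main__":
    # The URL from the posted configuration, with a benign and a hostile login.
    url = parse_ldap_url("ldaps://ipa.example.com/CN=users,CN=accounts,DC=example,DC=com"
                         "?uid,nsAccountLock?sub?(ObjectClass=*)")
    for login in ("dbischof", "*)(uid=*"):
        print(lookup_plan(url, login))
```

Run against the posted URL, the hostile login comes out as `(&(ObjectClass=*)(uid=\2a\29\28uid=\2a))`, a literal that matches nothing, and the plan shows that the second attribute, nsAccountLock, is fetched with the entry rather than being part of the match. The same parser applied to the saslauthd line `ldap_servers: ldaps://localhost/` yields an empty base DN, which is why that setup needs the separate `ldap_search_base`.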


Re: [Freeipa-users] svnserve authentication against IPA

2015-06-27 Thread Dmitri Pal

On 06/18/2015 05:09 AM, dbisc...@hrz.uni-kassel.de wrote:

Hi,

I have a svnserve (Subversion 1.6.11) running on my IPA server. 
Currently, there's a separate user database with SASL auth:


/etc/sasl2/svn.conf
---
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2
mech_list: DIGEST-MD5
---

XXX/testrepo/conf/svnserve.conf
---
[general]
anon-access = none
authz-db = authz
realm = MYSUBDOMAIN.MYUNIVERSITY.DE
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
---

On a test system, I changed svnserve auth to saslauthd and IPA:

/etc/sasl2/svn.conf
---
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN
ldapdb_mech: PLAIN
---

XXX/testrepo/conf/svnserve.conf
---
[general]
anon-access = none
authz-db = authz
realm = MYSUBDOMAIN.MYUNIVERSITY.DE
[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
---

/etc/saslauthd.conf
---
ldap_servers: ldaps://localhost/
ldap_search_base: cn=users,cn=accounts,dc=MYSUBDOMAIN,dc=MYUNIVERSITY,dc=DE
---

Though this setup basically works, and svnserve and IPA are running on 
the same machine, I'm unhappy with PLAIN and min-encryption = 0.


What would you suggest to improve security/enable encryption in this 
setup? I considered switching from svnserve to Apache, but that would 
imply that my users will have to get used to something new.



Mit freundlichen Gruessen/With best regards,

--Daniel.



It seems that no one on the list knows details about svn configuration 
so if you figure it out please share the results with the list.


--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.



[Freeipa-users] svnserve authentication against IPA

2015-06-18 Thread dbischof

Hi,

I have a svnserve (Subversion 1.6.11) running on my IPA server. Currently, 
there's a separate user database with SASL auth:


/etc/sasl2/svn.conf
---
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2
mech_list: DIGEST-MD5
---

XXX/testrepo/conf/svnserve.conf
---
[general]
anon-access = none
authz-db = authz
realm = MYSUBDOMAIN.MYUNIVERSITY.DE
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
---

On a test system, I changed svnserve auth to saslauthd and IPA:

/etc/sasl2/svn.conf
---
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN
ldapdb_mech: PLAIN
---

XXX/testrepo/conf/svnserve.conf
---
[general]
anon-access = none
authz-db = authz
realm = MYSUBDOMAIN.MYUNIVERSITY.DE
[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
---

/etc/saslauthd.conf
---
ldap_servers: ldaps://localhost/
ldap_search_base: cn=users,cn=accounts,dc=MYSUBDOMAIN,dc=MYUNIVERSITY,dc=DE
---

Though this setup basically works, and svnserve and IPA are running on the 
same machine, I'm unhappy with PLAIN and min-encryption = 0.


What would you suggest to improve security/enable encryption in this 
setup? I considered switching from svnserve to Apache, but that would 
imply that my users will have to get used to something new.



Mit freundlichen Gruessen/With best regards,

--Daniel.

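The two svn.conf files in the question show why moving from sasldb to saslauthd forced `mech_list: PLAIN`. DIGEST-MD5 is a challenge/response mechanism: the server verifies by recomputing a keyed digest from a stored, password-equivalent secret, which an auxprop store such as sasldb holds. saslauthd never sees such a secret; it can only answer whether a cleartext password is right (with the posted configuration, by binding to IPA with it), so only plaintext mechanisms can sit in front of it. As an added example, not code from the thread, from Subversion or from Cyrus SASL, the following Python models both mechanisms with nothing but hashlib: what PLAIN (RFC 4616) puts on the wire, what DIGEST-MD5 (RFC 2831) puts on the wire, and what each server side needs in order to verify. The user name, realm, digest-uri, nonces and the stand-in password check are constructed for illustration; the realm is the one from the posted svnserve.conf.

```python
"""PLAIN versus DIGEST-MD5, as seen by the two svnserve SASL setups in the thread.

Added example, not code from the thread, Subversion or Cyrus SASL.  It models the two
mechanisms with hashlib only; user name, realm, digest-uri, nonces and the stand-in
password check are constructed for illustration.
"""
import hashlib
import secrets
from typing import Callable


# --- PLAIN (RFC 4616): the password itself is the credential on the wire --------------

def plain_initial_response(authcid: str, password: str, authzid: str = "") -> bytes:
    """Client message: [authzid] NUL authcid NUL password.  Without a SASL security
    layer (min-encryption = 0) or TLS, anyone on the path reads the password."""
    return authzid.encode() + b"\0" + authcid.encode() + b"\0" + password.encode()


def verify_plain(message: bytes, check_password: Callable[[str, str], bool]) -> bool:
    """Server side: split the message and hand the cleartext password to a verifier.
    check_password stands in for saslauthd, which answers by binding to LDAP with the
    password; that is all saslauthd can do, hence mech_list: PLAIN in front of it."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        return False
    _authzid, authcid, password = (p.decode() for p in parts)
    return check_password(authcid, password)


# --- DIGEST-MD5 (RFC 2831): challenge/response over a stored password-equivalent hash ---

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): what an auxprop store such as sasldb must hold so the
    server can verify without the password.  It is password-equivalent, so whoever reads
    the store can authenticate as the user."""
    return _md5(f"{username}:{realm}:{password}".encode())


def _digest_md5_value(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                      digest_uri: str, a2_prefix: bytes, authzid: str = "") -> str:
    """HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) per RFC 2831 section 2.1.2.1."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    a2 = a2_prefix + digest_uri.encode()
    if qop in ("auth-int", "auth-conf"):      # integrity or confidentiality layer requested
        a2 += b":" + b"0" * 32
    ha1, ha2 = _md5(a1).hex(), _md5(a2).hex()
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()


def digest_md5_client_response(username: str, realm: str, password: str, nonce: str,
                               cnonce: str, nc: str, qop: str, digest_uri: str,
                               authzid: str = "") -> str:
    """What the client sends: a keyed digest bound to both nonces, never the password."""
    secret = digest_md5_secret(username, realm, password)
    return _digest_md5_value(secret, nonce, cnonce, nc, qop, digest_uri, b"AUTHENTICATE:", authzid)


def verify_digest_md5(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                      digest_uri: str, response: str, authzid: str = "") -> bool:
    """Server side: recompute from the stored secret and compare in constant time.  A
    verifier that only answers 'is this cleartext password right?' cannot do this."""
    expected = _digest_md5_value(secret, nonce, cnonce, nc, qop, digest_uri, b"AUTHENTICATE:", authzid)
    return secrets.compare_digest(expected, response)


def digest_md5_rspauth(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                       digest_uri: str, authzid: str = "") -> str:
    """Server's final message, proving it holds the secret too (mutual authentication);
    A2 is ':' digest-uri here instead of 'AUTHENTICATE:' digest-uri."""
    return _digest_md5_value(secret, nonce, cnonce, nc, qop, digest_uri, b":", authzid)


if __name__ == "__main__":
    # Constructed sample; svn is the SASL service name svnserve registers under.
    user, realm, pw = "dbischof", "MYSUBDOMAIN.MYUNIVERSITY.DE", "correct horse"
    nonce, cnonce, uri = "u3Z9pQxK", "c7Lw2nAe", "svn/svn.example.com"
    print("PLAIN on the wire:     ", plain_initial_response(user, pw))
    resp = digest_md5_client_response(user, realm, pw, nonce, cnonce, "00000001", "auth-conf", uri)
    print("DIGEST-MD5 on the wire:", resp)
    secret = digest_md5_secret(user, realm, pw)
    print("server verifies:       ", verify_digest_md5(secret, nonce, cnonce, "00000001", "auth-conf", uri, resp))
    print("rspauth:               ", digest_md5_rspauth(secret, nonce, cnonce, "00000001", "auth-conf", uri))
```

The qop value is what the svnserve `min-encryption`/`max-encryption` settings negotiate: with `auth-conf` the digest also commits to the security layer that will wrap the session, which is what the original sasldb setup with `min-encryption = 128` got and the saslauthd setup with `min-encryption = 0` gave up. The trade-off the example makes visible is that DIGEST-MD5 keeps the password off the wire at the cost of a password-equivalent secret at rest on the server, while PLAIN keeps nothing secret-like on the server but relies entirely on the transport, which is the reasoning behind the eventual move to Apache over HTTPS.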