svnserve with LDAP

I would like to know how to set up an SVN repository with LDAP authentication. I do not want to use Apache DAV though.

Shyam asked Dec 02 '08 05:12


2 Answers

There are two options:

  1. Run svnserve as a server, and authenticate using SASL. Configure SASL to authenticate against LDAP.
  2. Access the repository over ssh. Create ssh accounts for all users (perhaps automatically), and have these accounts authenticate against LDAP using PAM. Put all users into a single group, and make the repository files owned by that group.

Martin v. Löwis answered Oct 18 '22 17:10


Since it took me some time to find the pieces to do this, I wanted to post how I did this on a RHEL5 server:

  1. install CollabNet rpms (client, server, and extras).

  2. run /opt/CollabNet_Subversion/bin/Configure-CollabNet-Subversion to configure without Apache and with svnserve.

  3. modify your repo/conf/svnserve.conf file to have:

    [sasl]
    use-sasl=true
    
  4. create /opt/CollabNet_Subversion/etc/saslauthd.conf file with these contents:

    ldap_servers: ldaps://...
    ldap_search_base: ...
    ldap_bind_dn: ...
    ldap_bind_pw: ...
    ldap_auth_method: bind
    ldap_timeout: 10
    
  5. create /etc/opt/CollabNet_Subversion/sasl2/svn.conf file with these contents for use with MS AD LDAP:

    pwcheck_method: saslauthd
    auxprop_plugin: ldap
    mech_list: PLAIN LOGIN
    ldapdb_mech: PLAIN LOGIN
    
  6. copy /etc/openldap/ldap.conf to /etc/opt/CollabNet_Subversion/conf/openldap and add TLS_REQCERT allow. This is required for our self-signed LDAP server

  7. run collabnet saslauthd

    • mkdir -p /var/state/saslauthd
    • edit /etc/init.d/collabnet_subversion to include /opt/CollabNet_Subversion/sbin/saslauthd -a ldap towards end of start() function
    • stop/start /etc/init.d/collabnet_subversion

note: you can use /opt/CollabNet_Subversion/sbin/testsaslauthd -u <userid> -p <password> to test sasl connection to ldap

A bit involved, but for me, it allows our clients to connect to svn:// using their ldap passwords.

Mark answered Oct 18 '22 16:10
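
An added example, not part of either answer and not CollabNet's own tooling: a shell audit of the saslauthd.conf and ldap.conf files from steps 4 and 6 of the answer above. It flags a TLS_REQCERT of never or allow, an ldap_servers entry that is not ldaps://, and a world-readable file holding ldap_bind_pw; the function names, sample hostname and temporary paths are constructed for illustration.

```shell
# Added example (not CollabNet tooling): audit the config files from the steps above.
# conf_get FILE KEY: print the last value of KEY ("key: value" or "KEY value").
conf_get() {
    awk -v k="$2" '{ sub(/^[ \t]+/, "") } /^#/ { next }
        { n = match($0, /[ \t:=]/)
          if (n && tolower(substr($0, 1, n - 1)) == tolower(k)) {
              v = substr($0, n); sub(/^[ \t:=]+/, "", v); sub(/[ \t]+$/, "", v) } }
        END { print v }' "$1"
}

# ldap.conf: "never" and "allow" both continue the session when the certificate is bad.
check_reqcert() {
    val=$(conf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    case $val in never|allow) echo "WEAK TLS_REQCERT $val: bad server certificates are accepted"; return 1 ;; esac
}

# saslauthd.conf: every ldap_servers URI should be ldaps:// (StartTLS is not considered).
check_ldap_url() {
    for uri in $(conf_get "$1" ldap_servers); do
        case $uri in ldaps://*) ;; *) echo "WEAK ldap_servers: $uri is not ldaps://"; return 1 ;; esac
    done
}

# saslauthd.conf: a file that holds ldap_bind_pw must not be world-readable.
check_bind_pw_perms() {
    [ -n "$(conf_get "$1" ldap_bind_pw)" ] || return 0
    [ -z "$(find "$1" -perm -004)" ] || { echo "WEAK $1: holds ldap_bind_pw and is world-readable"; return 1; }
}

# audit SASLAUTHD_CONF LDAP_CONF: print findings, return how many there were.
audit() {
    n=0
    check_reqcert "$2" || n=$((n + 1))
    check_ldap_url "$1" || n=$((n + 1))
    check_bind_pw_perms "$1" || n=$((n + 1))
    return "$n"
}

# Demo on constructed files mirroring the answer's settings (hostname is a placeholder).
d=$(mktemp -d)
printf 'ldap_servers: ldaps://ldap.example.test\nldap_bind_pw: constructed\n' > "$d/saslauthd.conf"
printf 'TLS_REQCERT allow\n' > "$d/ldap.conf"
chmod 644 "$d/saslauthd.conf"
rc=0; audit "$d/saslauthd.conf" "$d/ldap.conf" || rc=$?
echo "findings: $rc"; rm -rf "$d"
```

With a self-signed directory certificate, pointing TLS_CACERT in ldap.conf at that certificate lets TLS_REQCERT stay at its default of demand.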