启用svn服务器的sasl验证机制
1、安装cyrus-sasl认证包
# yum install -y *sasl*
# rpm -qa|grep sasl
cyrus-sasl-2.1.23-15.el6_6.2.x86_64
ruby-saslwrapper-0.14-1.el6.x86_64
cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-devel-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-gssapi-2.1.23-15.el6_6.2.x86_64
saslwrapper-0.14-1.el6.x86_64
cyrus-sasl-sql-2.1.23-15.el6_6.2.x86_64
python-saslwrapper-0.14-1.el6.x86_64
cyrus-sasl-ldap-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-ntlm-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64
saslwrapper-devel-0.14-1.el6.x86_64
2、修改sasl认证模式为shadow
# cp /etc/sysconfig/saslauthd /etc/sysconfig/saslauthd.bak.$(date +%F%T)
[root@node5 config]# ll /etc/sysconfig/saslauthd*
-rw-r--r-- 1 root root 553 Feb 27 2015 /etc/sysconfig/saslauthd
-rw-r--r-- 1 root root 553 Jul 1 21:14 /etc/sysconfig/saslauthd.bak.
-rw-r--r-- 1 root root 553 Jul 1 21:14 /etc/sysconfig/saslauthd.bak.2016-07-0121:14:19
[root@node5 config]# sed -i 's#MECH=pam#MECH=shadow#g' /etc/sysconfig/saslauthd
[root@node5 config]# grep -i mech /etc/sysconfig/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=shadow
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
3、配置ldap方式验证用户
# /etc/init.d/saslauthd restart
Stopping saslauthd: [FAILED]
Starting saslauthd: [ OK ]
[root@node5 config]# testsaslauthd -ulily -plily
0: NO "authentication failed"
[root@node5 config]# grep lily /etc/passwd
[root@node5 config]# id lily
id: lily: No such user
[root@node5 config]# useradd lily
[root@node5 config]# passwd lily
Changing password for user lily.
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@node5 config]# testsaslauthd -ulily -plily
0: OK "Success."
# testsaslauthd -utom -ptom
0: NO "authentication failed"
修改验证模式为ldap
# sed -i 's#MECH=shadow#MECH=ldap#g' /etc/sysconfig/saslauthd
[root@node5 config]# grep -i mech /etc/sysconfig/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=ldap
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
编辑saslauthd.conf文件,默认不存在,需要自己添加
vim /etc/saslauthd.conf 加入如下内容:
ldap_servers: ldap://chinasoft.com/
ldap_bind_dn: cn=admin,dc=chinasoft,dc=com
ldap_bind_pw: chinasoft
ldap_search_base: ou=People,dc=chinasoft,dc=com
ldap_filter: uid=%U
ldap_password_attr: userPassword
# /etc/init.d/saslauthd restart
Stopping saslauthd: [ OK ]
Starting saslauthd: [ OK ]
# testsaslauthd -ulily -plily
0: OK "Success."
[root@node5 config]# testsaslauthd -utom -ptom
0: OK "Success."
4、配置svn通过ldap验证
在ldap服务器中添加svn.conf文件,默认没有该文件,需要自己添加
# vim /etc/sasl2/svn.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
svn服务器中修改svn服务器配置
# cd /application/svndata/sadoc/conf/
# sed -i 's@# use-sasl = true@use-sasl = true@g' svnserve.conf
# grep use-sasl svnserve.conf
use-sasl = true
[root@node2 conf]# /etc/init.d/svnserve stop
[root@node2 conf]# pkill svnserve
[root@node2 conf]# lsof -i :3690
启动服务
[root@node2 conf]# svnserve -d -r /application/svndata/
[root@node2 conf]# lsof -i :3690
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
svnserve 35415 root 3u IPv4 557724 0t0 TCP *:svn (LISTEN)
修改svn服务器apache配置
# vim /etc/httpd/confhttpd.conf
<Location /svn>
# SVN配置
DAV svn
SVNPath /application/svndata/sadoc/
SVNListParentPath on
AuthType Basic
AuthName "svn for project"
AuthUserFile /application/svnpasswd/webpasswd
AuthzSVNAccessFile /application/svnpasswd/authz
Satisfy all
Require valid-user
# 在ldap找不到账号的情况下可以使用其它的认证方式(如,密码文件)
AuthzLDAPAuthoritative off
# openLDAP的管理账户
AuthLDAPBindDN "cn=admin,dc=chinasoft,dc=com"
AuthLDAPBindPassword chinasoft
AuthBasicProvider ldap
# 认证数据来源:"ou=People,dc=chinasoft,dc=com" 下所有子entity的uid作为认证用户名
AuthLDAPURL "ldap://192.168.8.43:389/ou=People,dc=chinasoft,dc=com?uid?sub?(objectClass=*)"
# 设置目录权限,实现列表所有工程目录
Options Indexes FollowSymLinks
Order allow,deny
Allow from all
</Location>
查看错误日志定位问题:
# tail /var/log/httpd/error_log
[Tue Jul 05 14:40:18 2016] [error] [client 192.168.50.122] user lily: authentication failure for "/svn/": Password Mismatch
[Tue Jul 05 14:40:23 2016] [notice] caught SIGTERM, shutting down
[Tue Jul 05 14:40:23 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jul 05 14:40:23 2016] [notice] Digest: generating secret for digest authentication ...
[Tue Jul 05 14:40:23 2016] [notice] Digest: done
[Tue Jul 05 14:40:23 2016] [notice] Apache/2.2.15 (Unix) DAV/2 SVN/1.6.11 configured -- resuming normal operations
[Tue Jul 05 14:40:26 2016] [error] [client 192.168.50.122] user lily: authentication failure for "/svn/": Password Mismatch
[Tue Jul 05 14:40:38 2016] [error] [client 192.168.50.122] user lily: authentication failure for "/svn/": Password Mismatch
[Tue Jul 05 14:40:40 2016] [error] [client 192.168.50.122] File does not exist: /var/www/html/favicon.ico
[Tue Jul 05 14:40:45 2016] [error] [client 192.168.50.122] user lily: authentication failure for "/svn/": Password Mismatch
svn通过ldap验证小结:
1.配置成功saslauthd
2.在ldap服务器中配置/etc/sasl2/svn.conf
3.配置好svn服务,并且开启sasl支持,重启svn
4.配置authz授权ldap用户访问项目
5.配置httpd.conf授权通过ldap访问
注意:
通过ldap认证的用户,必须在svn和ldap中添加相同账号,并且密码必须一致,否则无法访问