SVN with OpenLDAP authentication and access through Apache


Enabling SASL authentication on the SVN server

1. Install the cyrus-sasl authentication packages. The *sasl* glob below installs more than this setup needs: saslauthd ships in cyrus-sasl and the PLAIN/LOGIN mechanisms in cyrus-sasl-plain, while the -devel and saslwrapper packages play no part here.
# yum install -y *sasl*
# rpm -qa|grep sasl
cyrus-sasl-2.1.23-15.el6_6.2.x86_64
ruby-saslwrapper-0.14-1.el6.x86_64
cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-devel-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-gssapi-2.1.23-15.el6_6.2.x86_64
saslwrapper-0.14-1.el6.x86_64
cyrus-sasl-sql-2.1.23-15.el6_6.2.x86_64
python-saslwrapper-0.14-1.el6.x86_64
cyrus-sasl-ldap-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-ntlm-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64
saslwrapper-devel-0.14-1.el6.x86_64


2. Switch the saslauthd mechanism to shadow (back up the file first)
# cp /etc/sysconfig/saslauthd /etc/sysconfig/saslauthd.bak.$(date +%F%T)
[root@node5 config]# ll /etc/sysconfig/saslauthd*
-rw-r--r-- 1 root root 553 Feb 27  2015 /etc/sysconfig/saslauthd
-rw-r--r-- 1 root root 553 Jul  1 21:14 /etc/sysconfig/saslauthd.bak.
-rw-r--r-- 1 root root 553 Jul  1 21:14 /etc/sysconfig/saslauthd.bak.2016-07-0121:14:19
[root@node5 config]# sed -i 's#MECH=pam#MECH=shadow#g' /etc/sysconfig/saslauthd
[root@node5 config]# grep -i mech /etc/sysconfig/saslauthd
# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=shadow
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.


3. Verify saslauthd against shadow, then switch it to LDAP
# /etc/init.d/saslauthd restart
Stopping saslauthd:                                        [FAILED]
Starting saslauthd:                                        [  OK  ]
[root@node5 config]# testsaslauthd -ulily -plily
0: NO "authentication failed"
[root@node5 config]# grep lily /etc/passwd
[root@node5 config]# id lily
id: lily: No such user
[root@node5 config]# useradd lily
[root@node5 config]# passwd lily
Changing password for user lily.
New password: 
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@node5 config]# testsaslauthd -ulily -plily
0: OK "Success."
# testsaslauthd -utom -ptom
0: NO "authentication failed"
lily passes now because she has a local /etc/shadow entry; tom, who has no local account, is still rejected under MECH=shadow.


Switch the mechanism to ldap
# sed -i 's#MECH=shadow#MECH=ldap#g' /etc/sysconfig/saslauthd
[root@node5 config]# grep -i mech /etc/sysconfig/saslauthd
# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=ldap
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.


Edit /etc/saslauthd.conf. The file does not exist by default, so create it (vim /etc/saslauthd.conf) with the following content:
ldap_servers: ldap://chinasoft.com/
ldap_bind_dn: cn=admin,dc=chinasoft,dc=com
ldap_bind_pw: chinasoft
ldap_search_base: ou=People,dc=chinasoft,dc=com
ldap_filter: uid=%U
ldap_password_attr: userPassword

Three things to note. saslauthd's default ldap_auth_method is bind: it searches for the entry matching ldap_filter and then binds as that entry with the submitted password, so ldap_password_attr is only consulted with ldap_auth_method: custom and the last line is inert here. The file holds the directory administrator's bind password, so chmod 600 it (saslauthd runs as root) and prefer a read-only service account as the bind DN. Finally, ldap:// carries the bind password and every user password across the network in clear; add ldap_start_tls: yes together with ldap_tls_cacert_file, or point ldap_servers at ldaps://.


# /etc/init.d/saslauthd restart
Stopping saslauthd:                                        [  OK  ]
Starting saslauthd:                                        [  OK  ]


# testsaslauthd -ulily -plily
0: OK "Success."
[root@node5 config]# testsaslauthd -utom -ptom
0: OK "Success."
Both succeed now. tom has no local account, so his OK shows that saslauthd is binding to the directory rather than reading /etc/shadow.


4. Configure svnserve to authenticate through LDAP
Add /etc/sasl2/svn.conf on the SVN server, that is the host running svnserve and saslauthd: svnserve's libsasl2 reads this file (svn is the service name svnserve registers with SASL) and hands each password to the local saslauthd socket, so the file belongs next to svnserve, not on the LDAP server. It does not exist by default:
# vim /etc/sasl2/svn.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN


On the SVN server, edit the repository's svnserve.conf (use-sasl lives in its [sasl] section):
# cd /application/svndata/sadoc/conf/
# sed -i 's@# use-sasl = true@use-sasl = true@g' svnserve.conf
# grep use-sasl svnserve.conf
use-sasl = true
PLAIN and LOGIN provide no SASL security layer, so min-encryption in the same section must stay at its default of 0 (a higher value removes both mechanisms from the offer) and credentials cross the wire in clear over bare svn://. Reach the repository over https (the Apache setup below) or svn+ssh instead.
[root@node2 conf]# /etc/init.d/svnserve stop
[root@node2 conf]# pkill svnserve
[root@node2 conf]# lsof -i :3690
Start the service
[root@node2 conf]# svnserve -d -r /application/svndata/
[root@node2 conf]# lsof -i :3690
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
svnserve 35415 root    3u  IPv4 557724      0t0  TCP *:svn (LISTEN)
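The svnserve-side chain of steps 2 to 4 (saslauthd.conf, /etc/sasl2/svn.conf and the [sasl] section of svnserve.conf) as one added shell example; this is not code from the original post. It writes the three files under a root directory you pass in, once in a hardened form (STARTTLS to the directory, 0600 on the file holding the bind password, min-encryption left at 0 because PLAIN/LOGIN carry no security layer) and once with exactly the values from the post, then audits both. The CA path /etc/pki/tls/certs/ca.crt, the assumption that the directory supports STARTTLS, the [general] settings of svnserve.conf and the layout under the root directory are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the original post: lay out the svnserve-side
# SASL/LDAP files from steps 2-4 under a root directory and audit them.
# Assumptions (not in the original): the directory supports STARTTLS and its
# CA certificate lives at /etc/pki/tls/certs/ca.crt; the [general] section of
# svnserve.conf written below is illustrative.

# write_hardened <root>: saslauthd.conf, sasl2/svn.conf and svnserve.conf with
# the settings a practitioner would actually deploy.
write_hardened() {
    root="$1"
    mkdir -p "$root/etc/sasl2" "$root/svndata/sadoc/conf"

    # saslauthd.conf carries ldap_bind_pw in clear, so it is created 0600.
    old_umask=$(umask)
    umask 077
    cat > "$root/etc/saslauthd.conf" <<'EOF'
ldap_servers: ldap://chinasoft.com/
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/pki/tls/certs/ca.crt
ldap_tls_check_peer: yes
ldap_auth_method: bind
ldap_bind_dn: cn=admin,dc=chinasoft,dc=com
ldap_bind_pw: chinasoft
ldap_search_base: ou=People,dc=chinasoft,dc=com
ldap_scope: sub
ldap_filter: (uid=%U)
EOF
    umask "$old_umask"

    # svn.conf is read by libsasl2 inside svnserve ("svn" is the SASL service
    # name svnserve registers, hence the file name).
    cat > "$root/etc/sasl2/svn.conf" <<'EOF'
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
EOF

    cat > "$root/svndata/sadoc/conf/svnserve.conf" <<'EOF'
[general]
anon-access = none
auth-access = write
authz-db = authz
[sasl]
use-sasl = true
# PLAIN and LOGIN have no SASL security layer: a min-encryption above 0 would
# remove them from the offer. Put bare svn:// behind https or svn+ssh instead.
min-encryption = 0
max-encryption = 256
EOF
}

# write_as_posted <root>: the same files with exactly the values from the post
# (cleartext ldap://, default 0644 on the bind-password file), for comparison.
write_as_posted() {
    root="$1"
    mkdir -p "$root/etc/sasl2" "$root/svndata/sadoc/conf"
    cat > "$root/etc/saslauthd.conf" <<'EOF'
ldap_servers: ldap://chinasoft.com/
ldap_bind_dn: cn=admin,dc=chinasoft,dc=com
ldap_bind_pw: chinasoft
ldap_search_base: ou=People,dc=chinasoft,dc=com
ldap_filter: uid=%U
ldap_password_attr: userPassword
EOF
    chmod 644 "$root/etc/saslauthd.conf"
    cat > "$root/etc/sasl2/svn.conf" <<'EOF'
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
EOF
    cat > "$root/svndata/sadoc/conf/svnserve.conf" <<'EOF'
[sasl]
use-sasl = true
EOF
}

# audit_sasl <root>: print one FINDING line per weakness; return 1 if any.
audit_sasl() {
    root="$1"
    rc=0
    conf="$root/etc/saslauthd.conf"
    svnconf="$root/svndata/sadoc/conf/svnserve.conf"

    # The bind DN, its password and every user password would cross the network in clear.
    if grep -q '^ldap_servers:.*ldap://' "$conf" && ! grep -q '^ldap_start_tls:[[:space:]]*yes' "$conf"; then
        echo "FINDING: $conf binds over ldap:// without ldap_start_tls"
        rc=1
    fi
    # The bind password is readable by every local account.
    case "$(stat -c %a "$conf")" in
        600|400) ;;
        *) echo "FINDING: $conf is mode $(stat -c %a "$conf"); ldap_bind_pw is readable by other users"; rc=1 ;;
    esac
    # Without use-sasl = true svnserve silently keeps using its own passwd-db.
    if ! grep -q '^use-sasl[[:space:]]*=[[:space:]]*true' "$svnconf"; then
        echo "FINDING: $svnconf does not enable SASL"
        rc=1
    fi
    # A non-zero min-encryption drops PLAIN/LOGIN, so saslauthd is never consulted.
    if grep -q '^min-encryption[[:space:]]*=[[:space:]]*[1-9]' "$svnconf"; then
        echo "FINDING: $svnconf min-encryption > 0 is incompatible with PLAIN/LOGIN"
        rc=1
    fi
    return $rc
}
```

Run it as `write_hardened /tmp/h && audit_sasl /tmp/h` to get a silent pass, and `write_as_posted /tmp/p; audit_sasl /tmp/p` to see the two findings (cleartext ldap:// and a world-readable bind password) that apply to the configuration as posted.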


Modify the Apache configuration on the SVN server
# vim /etc/httpd/conf/httpd.conf


<Location /svn>
    # SVN settings
    DAV svn
    SVNPath /application/svndata/sadoc/
    # SVNListParentPath only takes effect together with SVNParentPath; with SVNPath it is ignored
    SVNListParentPath on
    AuthType Basic
    AuthName "svn for project"
    # AuthUserFile is consulted only if "file" appears in AuthBasicProvider; with "ldap" alone it is ignored
    AuthUserFile /application/svnpasswd/webpasswd
    AuthzSVNAccessFile /application/svnpasswd/authz
    Satisfy all
    Require valid-user


    # Apache 2.2 directive (removed in 2.4): lets another authorization module decide when
    # mod_authnz_ldap does not authorize the user. It does not make authentication fall
    # back to the password file.
    AuthzLDAPAuthoritative off
    # Account Apache binds with to search the directory. The password sits in httpd.conf
    # in clear, so use a read-only service account rather than the directory administrator.
    AuthLDAPBindDN "cn=admin,dc=chinasoft,dc=com"
    AuthLDAPBindPassword chinasoft


    AuthBasicProvider ldap
    # Source of accounts: the uid of every entry below "ou=People,dc=chinasoft,dc=com" is a login name.
    # ldap:// on 389 sends the bind password and every user password in clear; prefer ldaps://
    # (or the STARTTLS argument of AuthLDAPURL).
    AuthLDAPURL "ldap://192.168.8.43:389/ou=People,dc=chinasoft,dc=com?uid?sub?(objectClass=*)"


    # Directory options so that all project directories can be listed
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Location>


Check the error log to locate the problem. With AuthBasicProvider ldap, "Password Mismatch" means mod_authnz_ldap found the uid but the directory refused the bind with the submitted password; the htpasswd file named in AuthUserFile played no part in that decision:
# tail /var/log/httpd/error_log
[Tue Jul 05 14:40:18 2016] [error] [client 192.168.50.122] user lily: authentication failure for "/svn/": Password Mismatch
[Tue Jul 05 14:40:23 2016] [notice] caught SIGTERM, shutting down
[Tue Jul 05 14:40:23 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jul 05 14:40:23 2016] [notice] Digest: generating secret for digest authentication ...
[Tue Jul 05 14:40:23 2016] [notice] Digest: done
[Tue Jul 05 14:40:23 2016] [notice] Apache/2.2.15 (Unix) DAV/2 SVN/1.6.11 configured -- resuming normal operations
[Tue Jul 05 14:40:26 2016] [error] [client 192.168.50.122] user lily: authentication failure for "/svn/": Password Mismatch
[Tue Jul 05 14:40:38 2016] [error] [client 192.168.50.122] user lily: authentication failure for "/svn/": Password Mismatch
[Tue Jul 05 14:40:40 2016] [error] [client 192.168.50.122] File does not exist: /var/www/html/favicon.ico
[Tue Jul 05 14:40:45 2016] [error] [client 192.168.50.122] user lily: authentication failure for "/svn/": Password Mismatch
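The error_log above shows the pattern that matters operationally: repeated Password Mismatch entries for one user from one client. The following is an added shell example, not part of the original post, that summarises mod_auth_basic failures per client and user from an Apache 2.2 error_log and flags clients that reach a threshold. The sample lines are constructed: the post's own lines plus an invented client 192.168.50.130 trying the users tom and root. The "user X not found" form is the message mod_auth_basic 2.2 logs when the provider reports that the account does not exist.

```shell
#!/bin/sh
# Added example, not from the original post: summarise Basic-auth failures
# from an Apache 2.2 error_log and flag clients that exceed a threshold.

# sample_log: constructed lines in the format shown above. The client
# 192.168.50.130 and its attempts as tom and root are invented.
sample_log() {
    cat <<'EOF'
[Tue Jul 05 14:40:18 2016] [error] [client 192.168.50.122] user lily: authentication failure for "/svn/": Password Mismatch
[Tue Jul 05 14:40:23 2016] [notice] caught SIGTERM, shutting down
[Tue Jul 05 14:40:26 2016] [error] [client 192.168.50.122] user lily: authentication failure for "/svn/": Password Mismatch
[Tue Jul 05 14:40:38 2016] [error] [client 192.168.50.122] user lily: authentication failure for "/svn/": Password Mismatch
[Tue Jul 05 14:40:40 2016] [error] [client 192.168.50.122] File does not exist: /var/www/html/favicon.ico
[Tue Jul 05 14:40:45 2016] [error] [client 192.168.50.122] user lily: authentication failure for "/svn/": Password Mismatch
[Tue Jul 05 14:41:02 2016] [error] [client 192.168.50.130] user tom: authentication failure for "/svn/": Password Mismatch
[Tue Jul 05 14:41:09 2016] [error] [client 192.168.50.130] user root not found: /svn/
EOF
}

# auth_failures <error_log>: print "count client user reason", most frequent
# first. reason is bad-password (Password Mismatch) or unknown-user (the
# "user X not found" line written when the provider has no such account).
auth_failures() {
    awk '{
        reason = ""
        if ($0 ~ /\] user .*: authentication failure for /) reason = "bad-password"
        else if ($0 ~ /\] user .* not found: /) reason = "unknown-user"
        if (reason == "") next
        client = $0; sub(/.*\[client /, "", client); sub(/\].*/, "", client)
        user = $0;   sub(/.*\] user /, "", user);    sub(/[: ].*/, "", user)
        n[client " " user " " reason]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# flag_clients <error_log> <threshold>: clients whose failures, summed across
# all user names, reach the threshold. Candidates for a fail2ban-style block.
flag_clients() {
    auth_failures "$1" | awk -v t="$2" '
        { c[$2] += $1 }
        END { for (k in c) if (c[k] >= t) print k }' | sort
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
sample_log > "$tmp"
auth_failures "$tmp"
echo "--- clients with 3 or more failures ---"
flag_clients "$tmp" 3
rm -f "$tmp"
```

Point auth_failures at /var/log/httpd/error_log to get the same summary for real traffic; guessing attempts against unknown uids show up as unknown-user and are worth separating from a legitimate user mistyping a password.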


Summary of SVN authentication through LDAP:
1. Get saslauthd working against the directory
2. Create /etc/sasl2/svn.conf on the SVN server (the host running svnserve and saslauthd)
3. Configure the repository, enable SASL support (use-sasl = true) and restart svnserve

4. Grant the LDAP users access to the projects in the authz file


5. Configure httpd.conf so that access through Apache is authenticated against LDAP


Note:
A user authenticating through LDAP must exist in the directory under the same uid that is granted access in the authz file, otherwise access is denied. With AuthBasicProvider ldap (and svnserve with use-sasl) the password is checked only against LDAP. The htpasswd file named in AuthUserFile is consulted only when file is also listed in AuthBasicProvider; if a user then exists in both places with different passwords, the first provider in the list decides.
posted @ 2016-07-05 14:56 reblue520