Authenticating SVN users against AD on Linux

On Windows, VisualSVN Server provides this out of the box; Linux has no ready-made equivalent. The procedure below is one that has been verified to work.

Authenticating SVN users against AD has clear benefits: no separate SVN accounts have to be created, and end users only need to remember their domain username and password. It does not, however, solve authorization. An authz file is still needed to define which directories are open to which users or groups, and the groups in that file are defined in the file itself; svnserve does not look up AD group membership.

The steps to configure a Linux SVN server for AD authentication are:

1. Preparation
* Confirm that the AD connection works. Name resolution must reach the domain controller (192.168.18.104 here):

* The complete files can be found in the attachment.

/etc/hosts
192.168.18.104  demo
192.168.18.104  demo.home.com

/etc/resolv.conf
nameserver 192.168.18.104

* Start svnserve. The repository lives at /testsvn/repos, so the server root is its parent directory and the repository URL becomes svn://<host>/repos:
sudo svnserve -d -r /testsvn

(sudo svnserve -d -r /testsvn/repos would serve the same repository at svn://<host>/ instead.)
 - Until saslauthd is configured (step 2), "svn ls svn://xxx/repos" fails with: svn: Authentication error from server: SASL(-1): generic failure: checkpass failed
   The same message appears whenever saslauthd cannot verify a password, so it is the first thing to check if logins fail later.

2. Follow the steps at http://michaelcamden.me/?p=27 or in "SVN Authentication using svnserve sasl ldap.docx".
Example configuration files:
*/testsvn/repos/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
[sasl]
use-sasl = true
Note: with auth-access = write and no authz-db entry, every domain account that can authenticate may write to the whole repository; point authz-db at the authz file mentioned above to restrict access by path.

*/usr/lib/sasl2/svn.conf
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN LOGIN
ldapdb_mech: PLAIN LOGIN
Note: with pwcheck_method: saslauthd only the pwcheck_method and mech_list lines matter; auxprop_plugin and ldapdb_mech configure the ldapdb auxprop plugin, which is not used here. saslauthd can only verify passwords it receives in the clear, so PLAIN and LOGIN are the only usable mechanisms, and svn:// adds no encryption of its own: keep this traffic on a trusted network or tunnel it.

*/etc/default/saslauthd
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"
Note: svnserve talks to saslauthd through the socket under /var/run/saslauthd. svnserve runs as root in this example; if it runs as an unprivileged user instead, that user needs access to the socket directory (on Debian/Ubuntu, membership of the sasl group).

*/etc/saslauthd.conf
ldap_servers: ldap://demo.home.com
ldap_default_domain: demo.home.com
ldap_search_base: DC=demo,DC=home,DC=com
ldap_bind_dn: CN=administrator,CN=Users,DC=demo,DC=home,DC=com
ldap_password: Windows2k
ldap_use_sasl: no
ldap_mech: PLAIN
ldap_auth_method: bind
ldap_filter: sAMAccountName=%u
Note: ldap_auth_method: bind means saslauthd first searches for the user's DN using ldap_bind_dn and then binds to the DC as that user with the password it received, so a disabled or expired account is rejected by the DC itself. Two things to change before using this outside a lab: bind with a dedicated read-only service account rather than the domain Administrator (the bind password sits in this file in the clear, so also restrict it to root with chmod 600), and use ldaps:// or ldap_start_tls: yes together with ldap_tls_check_peer: yes, because otherwise every user's password travels to the DC unencrypted. ldap_mech is only consulted when ldap_use_sasl is yes.
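The configuration above has several weaknesses a reviewer would flag before it leaves the lab. The following script is an added example for this article, not code from the original post: it audits the three files exactly as written (the embedded texts are copied from the article, lab password included) and emits a hardened saslauthd.conf. The finding names, the service-account DN and the CA file path are this example's own assumptions.

```python
"""Audit the svnserve/SASL/saslauthd files above and emit a hardened saslauthd.conf.
Added example for this article (not code from the post): the three config texts
are copied from the article; finding names, the service-account DN and the CA
file path are this example's own assumptions."""
import configparser
import re

SVNSERVE_CONF = """\
[general]
anon-access = none
auth-access = write
[sasl]
use-sasl = true
"""
SVN_SASL_CONF = """\
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN LOGIN
ldapdb_mech: PLAIN LOGIN
"""
SASLAUTHD_CONF = """\
ldap_servers: ldap://demo.home.com
ldap_default_domain: demo.home.com
ldap_search_base: DC=demo,DC=home,DC=com
ldap_bind_dn: CN=administrator,CN=Users,DC=demo,DC=home,DC=com
ldap_password: Windows2k
ldap_use_sasl: no
ldap_mech: PLAIN
ldap_auth_method: bind
ldap_filter: sAMAccountName=%u
"""


def parse_kv(text):
    """'key: value' format of saslauthd.conf and svn.conf; keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip().lower()] = value.strip()
    return conf


def audit_saslauthd(text, file_mode=None):
    """file_mode: permission bits of the file (os.stat().st_mode & 0o777), if known."""
    conf = parse_kv(text)
    servers = conf.get("ldap_servers", "").split()
    start_tls = conf.get("ldap_start_tls", "no").lower() == "yes"
    uses_tls = start_tls or (bool(servers) and all(s.startswith("ldaps://") for s in servers))
    findings = []
    if not uses_tls:  # auth_method bind sends every user's password to the DC
        findings.append("cleartext-ldap")
    if uses_tls and conf.get("ldap_tls_check_peer", "no").lower() != "yes":
        findings.append("tls-peer-unverified")  # an on-path host could impersonate the DC
    if conf.get("ldap_bind_dn", "").lower().startswith("cn=administrator,"):
        findings.append("privileged-bind-account")  # the search bind only needs read access
    if "ldap_password" in conf and file_mode is not None and file_mode & 0o077:
        findings.append("password-file-readable")  # saslauthd runs as root: 0600 suffices
    return findings


def audit_svnserve(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    general = cp["general"] if cp.has_section("general") else {}
    sasl = cp["sasl"] if cp.has_section("sasl") else {}
    findings = []
    if general.get("anon-access", "read") != "none":  # svnserve default is read
        findings.append("anonymous-access")
    if general.get("auth-access", "write") == "write" and not general.get("authz-db"):
        findings.append("unrestricted-write")  # any AD account that binds may commit anywhere
    if sasl.get("use-sasl", "false").lower() != "true":
        findings.append("sasl-disabled")
    return findings


def audit_svn_sasl(text):
    conf = parse_kv(text)
    mechs = conf.get("mech_list", "").upper().split()
    findings = []
    if conf.get("pwcheck_method", "").lower() == "saslauthd":
        # saslauthd needs the plaintext password, so PLAIN/LOGIN are unavoidable here
        # and svn:// adds no transport encryption: tunnel it or keep it on a trusted LAN.
        if any(m in ("PLAIN", "LOGIN") for m in mechs):
            findings.append("plaintext-mechanism")
        if "auxprop_plugin" in conf or "ldapdb_mech" in conf:
            findings.append("unused-auxprop-directives")  # belong to the ldapdb plugin
    return findings


def harden_saslauthd(text, service_dn, ca_file="/etc/ssl/certs/demo-home-com-ca.pem"):
    """LDAPS with peer verification and a read-only service account (hypothetical DN
    and CA path). ldap_password stays: the search bind needs it, so chmod 0600 the file."""
    conf = parse_kv(text)
    conf["ldap_servers"] = " ".join(
        re.sub(r"^ldap://", "ldaps://", s) for s in conf.get("ldap_servers", "").split())
    conf["ldap_tls_check_peer"] = "yes"
    conf["ldap_tls_cacert_file"] = ca_file
    conf["ldap_bind_dn"] = service_dn
    conf.pop("ldap_mech", None)  # only read when ldap_use_sasl is yes
    return "".join("%s: %s\n" % (k, v) for k, v in conf.items())


if __name__ == "__main__":
    print(audit_svnserve(SVNSERVE_CONF), audit_svn_sasl(SVN_SASL_CONF))
    print(audit_saslauthd(SASLAUTHD_CONF, file_mode=0o644))
    fixed = harden_saslauthd(SASLAUTHD_CONF, "CN=svc-svn-auth,OU=Service Accounts,DC=demo,DC=home,DC=com")
    print(fixed, audit_saslauthd(fixed, file_mode=0o600))
```

The plaintext-mechanism finding cannot be fixed inside SASL as long as saslauthd does the checking; it is there to make the transport question explicit. The service account in the hardened output only needs permission to read user objects under ldap_search_base, since the user's own credentials are what the second bind uses.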

3. Verification
* Restart saslauthd:
sudo /etc/init.d/saslauthd restart
(The testsaslauthd utility shipped with saslauthd checks the daemon on its own, without svnserve in the loop.)

* Test an LDAP search, binding as the test user so that the user's own password is verified as well (newer OpenLDAP clients prefer -H ldap://demo.home.com to -h):
ldapsearch -x -w Windows2k -D "cn=william,cn=Users,DC=demo,DC=home,DC=com" -b 'cn=william,CN=Users,DC=demo,DC=home,DC=com' -h demo.home.com
# extended LDIF
#
# LDAPv3
# base <cn=william,CN=Users,DC=demo,DC=home,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# william, Users, demo.home.com
dn: CN=william,CN=Users,DC=demo,DC=home,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: william
distinguishedName: CN=william,CN=Users,DC=demo,DC=home,DC=com
instanceType: 4
whenCreated: 20090507194733.0Z
whenChanged: 20110716162211.0Z
displayName: william
uSNCreated: 13948
uSNChanged: 167984
name: william
objectGUID:: Y6QNKtXBmUKIxwq2ECTquw==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129553304504218750
lastLogoff: 0
lastLogon: 129553304724375000
pwdLastSet: 129553069315156250
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAyWTYl9QXgiiGOMgsVwQAAA==
accountExpires: 9223372036854775807
logonCount: 53
sAMAccountName: william
sAMAccountType: 805306368
userPrincipalName: william@demo.home.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=demo,DC=home,DC=com
mail: william@demo.home.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
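Before blaming saslauthd for a failed login it is worth decoding what the directory actually says about the account. The script below is an added example for this article, not part of the original post: it parses an abridged copy of the ldapsearch output above, decodes the binary objectSid and objectGUID, expands userAccountControl into flag names and converts the FILETIME attributes. The function names and the "bind possible" rule are this example's own.

```python
"""Decode the AD attributes in the ldapsearch output above so the account's
state (disabled, smartcard-only, expired) can be checked before suspecting
saslauthd when a login fails.
Added example for this article, not part of the original post. The LDIF lines
are an abridged copy of the article's ldapsearch output; the function names
and the bind_possible rule are this example's own."""
import base64
import struct
import uuid
from datetime import datetime, timedelta, timezone

LDIF = """\
dn: CN=william,CN=Users,DC=demo,DC=home,DC=com
whenChanged: 20110716162211.0Z
objectGUID:: Y6QNKtXBmUKIxwq2ECTquw==
userAccountControl: 512
pwdLastSet: 129553069315156250
objectSid:: AQUAAAAAAAUVAAAAyWTYl9QXgiiGOMgsVwQAAA==
accountExpires: 9223372036854775807
sAMAccountName: william
userPrincipalName: william@demo.home.com
"""

# userAccountControl bits that decide whether a simple LDAP bind (what saslauthd
# does with ldap_auth_method: bind) can succeed at all.
UAC_FLAGS = {
    0x00002: "ACCOUNTDISABLE",
    0x00200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",  # password is randomised; no password bind possible
}
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF


def parse_ldif_entry(text):
    """Minimal LDIF reader: 'attr: value' is text, 'attr:: value' is base64 and
    is returned as bytes. Values are kept in lists because LDAP attributes can be
    multi-valued (objectClass, for instance)."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            decoded = base64.b64decode(value[1:].strip())
        else:
            decoded = value.strip()
        entry.setdefault(attr, []).append(decoded)
    return entry


def sid_to_string(blob):
    """Binary SID -> 'S-R-A-sub1-...': revision byte, sub-authority count byte,
    48-bit big-endian identifier authority, then little-endian 32-bit
    sub-authorities (the last one is the RID)."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def filetime_to_iso(value):
    """AD timestamps (pwdLastSet, accountExpires, lastLogon) are 100 ns ticks since
    1601-01-01 UTC. Returns None for the sentinels 0 and INT64_MAX, whose meaning
    depends on the attribute."""
    value = int(value)
    if value in (0, FILETIME_NEVER):
        return None
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=value // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")


def account_summary(ldif_text):
    """Summarise one user entry; bind_possible is a necessary (not sufficient)
    condition for saslauthd's bind as this user to succeed."""
    e = parse_ldif_entry(ldif_text)
    uac = int(e["userAccountControl"][0])
    flags = [name for bit, name in UAC_FLAGS.items() if uac & bit]
    return {
        "sam": e["sAMAccountName"][0],
        "sid": sid_to_string(e["objectSid"][0]),
        "guid": str(uuid.UUID(bytes_le=e["objectGUID"][0])),
        "uac_flags": flags,
        # pwdLastSet == 0 means 'user must change password at next logon'
        "pwd_last_set": filetime_to_iso(e["pwdLastSet"][0]) or "must-change-at-next-logon",
        # accountExpires 0 or INT64_MAX both mean 'never'
        "expires": filetime_to_iso(e["accountExpires"][0]) or "never",
        "bind_possible": not ({"ACCOUNTDISABLE", "SMARTCARD_REQUIRED"} & set(flags)),
    }


if __name__ == "__main__":
    for key, val in account_summary(LDIF).items():
        print("%-14s %s" % (key, val))
```

For the entry above this yields a plain NORMAL_ACCOUNT with a pwdLastSet that matches whenChanged (2011-07-16T16:22:11Z), so a checkpass failure for this user would point at saslauthd or the password, not at the account's state.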

* Log in to the repository (running the client under sudo is unnecessary; it is why the first prompt asks for the password of "root"):
tanghs@ubuntu:/testsvn/repos/conf$ sudo svn ls svn://192.168.18.109/repos
Authentication realm: <svn://192.168.18.109:3690> 2c49c88d-208a-44ad-aab8-34e66158eaaa
Password for 'root':
Authentication realm: <svn://192.168.18.109:3690> 2c49c88d-208a-44ad-aab8-34e66158eaaa
Username: william
Password for 'william':

-----------------------------------------------------------------------
ATTENTION!  Your password for authentication realm:

   <svn://192.168.18.109:3690> 2c49c88d-208a-44ad-aab8-34e66158eaaa

can only be stored to disk unencrypted!  You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible.  See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/home/tanghs/.subversion/servers'.
-----------------------------------------------------------------------
Store password unencrypted (yes/no)? y
Please type 'yes' or 'no': yes
tanghs-test1/
test.txt

Posted 2011-07-17 15:33 by ColorSea