Using AD to authenticate SVN users on Linux
Using AD to authenticate SVN users has real advantages: the main one is that no separate SVN user accounts need to be created, and end users only have to remember their domain username and password. This approach still does not solve authorization, however; the authz file is still needed to define which directories are open to which domain groups or domain users.
Below is the process for configuring a Linux SVN server to support AD authentication:
1. Preparation
* Confirm that the connection to AD is OK.
* The full contents of all files can be found in the attachment.
/etc/hosts
192.168.18.104 demo
192.168.18.104 demo.home.com
/etc/resolv.conf
nameserver 192.168.18.104
* Start svn
sudo svnserve -d -r /testsvn
sudo svnserve -d -r /testsvn/repos
- At this point, running "svn ls svn://xxx/repos" reports an error: svn: 服务器报告认证错误: SASL(-1): generic failure: checkpass failed
2. Follow the steps in http://michaelcamden.me/?p=27 or "SVN Authentication using svnserve sasl ldap.docx"
Example config files
* /testsvn/repos/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
[sasl]
use-sasl = true
* /usr/lib/sasl2/svn.conf
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN LOGIN
ldapdb_mech: PLAIN LOGIN
* /etc/default/saslauthd
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"
* /etc/saslauthd.conf
ldap_servers: ldap://demo.home.com
ldap_default_domain: demo.home.com
ldap_search_base: DC=demo,DC=home,DC=com
ldap_bind_dn: CN=administrator,CN=Users,DC=demo,DC=home,DC=com
ldap_password: Windows2k
ldap_use_sasl: no
ldap_mech: PLAIN
ldap_auth_method: bind
ldap_filter: sAMAccountName=%u
3. Check commands
* Restart the sasl service:
sudo /etc/init.d/saslauthd restart
* Test an ldap search
ldapsearch -x -w Windows2k -D "cn=william,cn=Users,DC=demo,DC=home,DC=com" -b 'cn=william,CN=Users,DC=demo,DC=home,DC=com' -h demo.home.com
# extended LDIF
#
# LDAPv3
# base <cn=william,CN=Users,DC=demo,DC=home,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# william, Users, demo.home.com
dn: CN=william,CN=Users,DC=demo,DC=home,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: william
distinguishedName: CN=william,CN=Users,DC=demo,DC=home,DC=com
instanceType: 4
whenCreated: 20090507194733.0Z
whenChanged: 20110716162211.0Z
displayName: william
uSNCreated: 13948
uSNChanged: 167984
name: william
objectGUID:: Y6QNKtXBmUKIxwq2ECTquw==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129553304504218750
lastLogoff: 0
lastLogon: 129553304724375000
pwdLastSet: 129553069315156250
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAyWTYl9QXgiiGOMgsVwQAAA==
accountExpires: 9223372036854775807
logonCount: 53
sAMAccountName: william
sAMAccountType: 805306368
userPrincipalName: william@demo.home.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=demo,DC=home,DC=com
mail: william@demo.home.com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
* Log in to the repository:
tanghs@ubuntu:/testsvn/repos/conf$ sudo svn ls svn://192.168.18.109/repos
认证领域: <svn://192.168.18.109:3690> 2c49c88d-208a-44ad-aab8-34e66158eaaa
“root”的密码:
认证领域: <svn://192.168.18.109:3690> 2c49c88d-208a-44ad-aab8-34e66158eaaa
用户名: william
“william”的密码:
-----------------------------------------------------------------------
注意! 你的密码,对于认证域:
<svn://192.168.18.109:3690> 2c49c88d-208a-44ad-aab8-34e66158eaaa
只能明文保存在磁盘上! 如果可能的话,请考虑配置你的系统,让 Subversion
可以保存加密后的密码。请参阅文档以获得详细信息。
你可以通过在“/home/tanghs/.subversion/servers”中设置选项“store-plaintext-passwords”为“yes”或“no”,
来避免再次出现此警告。
-----------------------------------------------------------------------
保存未加密的密码(yes/no)? y
请输入 'yes' 或 'no': yes
tanghs-test1/
test.txt
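Beyond the manual checks above, the following added script (not part of the original post) audits the two config files from step 2: it verifies that svnserve.conf disables anonymous access and enables SASL, and flags the saslauthd.conf settings that put passwords at risk (an ldap:// server with PLAIN binds and no TLS, a domain-admin bind DN, and a world-readable file holding ldap_password). The key names are the ones used in the post; `write_sample_configs` builds constructed copies of the post's examples with a placeholder password, and `ldap_start_tls` is the standard saslauthd option assumed here.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two config files
# from step 2. Key names are the ones the post uses; the sample contents
# written below are constructed and ldap_password is a placeholder.

# Print the value of "key: value" or "key = value" (first match).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" | head -n 1
}

# svnserve.conf: anonymous access off and SASL on, or the AD check is bypassed.
check_svnserve_conf() {
    [ "$(cfg_get "$1" anon-access)" = "none" ] || { echo "FAIL: anon-access must be none"; return 1; }
    [ "$(cfg_get "$1" use-sasl)" = "true" ] || { echo "FAIL: use-sasl must be true"; return 1; }
    echo "OK: $1"
}

# saslauthd.conf: with ldap_use_sasl: no and ldap_mech: PLAIN, the bind
# password and every user's password go over the wire in clear text unless
# the server is ldaps:// (or ldap_start_tls: yes); the file itself holds
# ldap_password, so it must not be readable by others. Returns finding count.
check_saslauthd_conf() {
    n=0
    servers=$(cfg_get "$1" ldap_servers)
    case "$servers" in
        ldaps://*) ;;
        *) [ "$(cfg_get "$1" ldap_start_tls)" = "yes" ] ||
               { echo "WARN: $servers without TLS: passwords cross the network in clear text"; n=$((n+1)); } ;;
    esac
    case "$(cfg_get "$1" ldap_bind_dn)" in
        *[Aa]dministrator*) echo "WARN: bind DN is a domain admin; use a read-only service account"; n=$((n+1)) ;;
    esac
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ] ||
        { echo "WARN: $1 is readable by others but contains ldap_password"; n=$((n+1)); }
    return $n
}

# Constructed copies of the post's example files for a dry run.
write_sample_configs() {
    printf '%s\n' '[general]' 'anon-access = none' 'auth-access = write' '[sasl]' 'use-sasl = true' > "$1/svnserve.conf"
    printf '%s\n' 'ldap_servers: ldap://demo.home.com' 'ldap_bind_dn: CN=administrator,CN=Users,DC=demo,DC=home,DC=com' \
        'ldap_password: PLACEHOLDER' 'ldap_use_sasl: no' 'ldap_mech: PLAIN' 'ldap_auth_method: bind' > "$1/saslauthd.conf"
    chmod 644 "$1/saslauthd.conf"   # deliberately world-readable so the audit flags it
}
```

On a real server, source the script and run `check_svnserve_conf /testsvn/repos/conf/svnserve.conf` and `check_saslauthd_conf /etc/saslauthd.conf`; the exit status of the second is the number of findings.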