Normally a user's access to an SVN server breaks down into two parts, authentication and authorization. SVN has its own built-in mechanism for both; by default it sends credentials in cleartext, and although other modules can be bolted on to add encryption, that route is cumbersome and the end result is unsatisfying. Fortunately SVN supports SASL, which gives us many more options for authenticating and authorizing users.
What is SASL? I found this description in the official Subversion documentation:
What Is SASL?
The Cyrus Simple Authentication and Security Layer is open source software written by Carnegie Mellon University. It adds generic authentication and encryption capabilities to any network protocol, and as of Subversion 1.5 and later, both the svnserve server and svn client know how to make use of this library. It may or may not be available to you: if you're building Subversion yourself, you'll need to have at least version 2.1 of SASL installed on your system, and you'll need to make sure that it's detected during Subversion's build process. If you're using a prebuilt Subversion binary package, you'll have to check with the package maintainer as to whether SASL support was compiled in. SASL comes with a number of pluggable modules that represent different authentication systems: Kerberos (GSSAPI), NTLM, One-Time-Passwords (OTP), DIGEST-MD5, LDAP, Secure-Remote-Password (SRP), and others. Certain mechanisms may or may not be available to you; be sure to check which modules are provided. You can download Cyrus SASL (both code and documentation) from http://asg.web.cmu.edu/sasl/sasl-library.html.
Roughly: the Simple Authentication and Security Layer is an open-source package from Carnegie Mellon University (strictly speaking, it was written by John Gardiner Myers). It adds generic authentication and encryption to any network protocol, and from version 1.5 onwards both the Subversion (that is SVN's full name...) server and client know how to use the library. Whether SASL is available to you depends on the following: if you build SVN yourself and want SASL, you must install SASL 2.1 or newer and make sure the build process detects it; if you use a prebuilt binary package, ask the package maintainer whether SASL support was compiled in. SASL uses pluggable modules for the different authentication systems: Kerberos (GSSAPI), NTLM, One-Time-Passwords (OTP), DIGEST-MD5, LDAP, Secure-Remote-Password (SRP) and others; whether a given mechanism is available depends on whether you have the module for it. You can download Cyrus SASL from http://asg.web.cmu.edu/sasl/sasl-library.html.
That's enough introduction. Below I show how to install and configure SVN with SASL so that SVN authenticates users against LDAP through SASL. Everything here is on CentOS 7.
1. Install the relevant packages:

yum install -y subversion cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain
2. Check the SASL version and the authentication modules it provides:

[root@localhost ~]# saslauthd -v
saslauthd 2.1.26
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap httpform

The ldap entry in that list is the LDAP support we need.
3. Switch saslauthd's user authentication mechanism to ldap. Keep a backup copy of the original file, then edit the live one (the original post had a typo here, MECH=DHCP with a missing closing slash, and pointed sed at the backup instead of the real file):

cp /etc/sysconfig/saslauthd /etc/sysconfig/saslauthd.save
sed -i 's/MECH=pam/MECH=ldap/' /etc/sysconfig/saslauthd
4. Edit the saslauthd configuration file /etc/saslauthd.conf (create it if it does not exist). Comments go on their own lines; saslauthd does not strip trailing comments from values:

# your LDAP server, by hostname or IP (hostname only if your DNS works)
ldap_servers: ldap://ldapserver
# default domain
ldap_default_domain: domain.com
ldap_search_base: DC=domain,dc=com
ldap_bind_dn: domain/user
ldap_password: password
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
ldap_mech: DIGEST-MD5
ldap_filter: sAMAccountName=%u
ldap_password_attr: userPassword
ldap_timeout: 10
ldap_cache_ttl: 30
ldap_cache_mem: 32786

These are the LDAP connection parameters. With ldap_auth_method: bind, saslauthd looks the user up with ldap_filter and then verifies the password by binding to the directory as that user; the ldap_mech and ldap_password_attr lines only take effect with ldap_use_sasl: yes and ldap_auth_method: custom respectively, so they are harmless here. Note that with a plain ldap:// URL and ldap_start_tls: no, the bind password and every user password being checked travel to the directory unencrypted; use ldaps:// or ldap_start_tls: yes wherever the directory supports it.
5. Restart saslauthd to apply the configuration and test that authentication goes through:

systemctl restart saslauthd.service
testsaslauthd -u user -p 'password'

Substitute a real user and password. A working setup answers 0: OK "Success."
6. Edit SVN's SASL configuration file /etc/sasl2/svn.conf (again, create it if it does not exist):

vi /etc/sasl2/svn.conf

# how users are verified
pwcheck_method: saslauthd
# how the credentials are transmitted
mech_list: plain login

Be aware that the plain and login mechanisms send the password in cleartext over svn://, so this combination belongs behind a tunnel (svn+ssh, a VPN) or on a trusted network.
7. Edit the repository's configuration:

vi /yourrepository/conf/svnserve.conf

[general]
anon-access = none
auth-access = write
# password-db is disabled: it is ignored once SASL is on
# password-db = passwd
# keep authz-db if you want per-path access control in the repository
authz-db = authz
[sasl]
# turn on SASL user authentication
use-sasl = true
8. Restart SVN and test. When restarting, use the -d -r parameters to point svnserve at the repository root (svnserve -d -r /yourrepository). The authorization part is simple. In the authz file, follow this pattern:

[groups]
groupname = user1,user2

[/path]
username = r
anotheruser = rw
@groupname = r

A user who is not listed has no access. The @ sign refers to a group, and groups are defined in the [groups] section as groupname = user1,user2.
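As an added example (not part of the original post, and not a Subversion or Cyrus tool), here is a POSIX shell pre-flight check covering steps 3 to 7. It reads the four files the walkthrough edits (the saslauthd sysconfig file, /etc/saslauthd.conf, /etc/sasl2/svn.conf and the repository's svnserve.conf), checks that the values the steps call for are really in place, and flags the cleartext ldap:// bind and a password-db line left active. The function names are mine, and make_samples writes constructed copies of the values shown above into a temp directory so the script runs offline; on a real host pass the paths under /etc instead.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# svnserve + saslauthd + LDAP setup from steps 3 to 7. Function names and the
# sample files below are constructed for this demo; on a real host pass the
# real paths under /etc instead.

# ini_get FILE SECTION KEY -> value of KEY inside [SECTION] (svnserve.conf
# style). Lines beginning with '#' or ';' are comments, so a commented-out
# "# password-db = passwd" yields an empty result.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == want_sec && index($0, "=") {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
            if (key == want_key) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# conf_get FILE KEY -> value of a "KEY: value" line (saslauthd.conf and
# svn.conf style); only the first colon separates key from value, so
# ldap://... values survive intact.
conf_get() {
    awk -v want_key="$2" '
        /^[ \t]*#/ { next }
        index($0, ":") {
            key = $0; sub(/[ \t]*:.*$/, "", key); sub(/^[ \t]*/, "", key)
            if (key == want_key) {
                val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# check_svn_sasl SYSCONFIG SASLAUTHD_CONF SVN_SASL_CONF SVNSERVE_CONF
# Prints one line per finding; the return value is the number of findings.
check_svn_sasl() {
    problems=0
    mech=$(sed -n 's/^MECH=//p' "$1" | tr -d '"')
    [ "$mech" = "ldap" ] ||
        { echo "FAIL: $1 has MECH=$mech, step 3 expects MECH=ldap"; problems=$((problems + 1)); }

    servers=$(conf_get "$2" ldap_servers)
    [ -n "$servers" ] ||
        { echo "FAIL: $2 does not set ldap_servers"; problems=$((problems + 1)); }
    # the bind password and every checked user password reach the directory
    # unencrypted unless the URL is ldaps:// or STARTTLS is switched on
    if [ -n "$servers" ]; then
        case "$servers" in
            ldaps://*) ;;
            *) [ "$(conf_get "$2" ldap_start_tls)" = "yes" ] ||
                   { echo "WARN: $2 uses $servers without ldap_start_tls: yes"; problems=$((problems + 1)); } ;;
        esac
    fi

    [ "$(conf_get "$3" pwcheck_method)" = "saslauthd" ] ||
        { echo "FAIL: $3 must set pwcheck_method: saslauthd (step 6)"; problems=$((problems + 1)); }

    [ "$(ini_get "$4" sasl use-sasl)" = "true" ] ||
        { echo "FAIL: $4 needs use-sasl = true in [sasl] (step 7)"; problems=$((problems + 1)); }
    [ "$(ini_get "$4" general anon-access)" = "none" ] ||
        { echo "FAIL: $4 should set anon-access = none"; problems=$((problems + 1)); }
    [ -z "$(ini_get "$4" general password-db)" ] ||
        { echo "WARN: $4 still sets password-db; it is ignored once use-sasl = true, comment it out"; problems=$((problems + 1)); }
    return "$problems"
}

# make_samples -> prints a temp dir holding the four files as the walkthrough
# leaves them (constructed sample content, not copied from any real host).
make_samples() {
    d=$(mktemp -d)
    printf 'SOCKETDIR=/run/saslauthd\nMECH=ldap\nFLAGS=\n' > "$d/saslauthd"
    cat > "$d/saslauthd.conf" <<'EOF'
ldap_servers: ldap://ldapserver
ldap_search_base: DC=domain,dc=com
ldap_auth_method: bind
ldap_filter: sAMAccountName=%u
ldap_start_tls: no
ldap_version: 3
EOF
    cat > "$d/svn.conf" <<'EOF'
pwcheck_method: saslauthd
mech_list: plain login
EOF
    cat > "$d/svnserve.conf" <<'EOF'
[general]
anon-access = none
auth-access = write
# password-db = passwd
authz-db = authz
[sasl]
use-sasl = true
EOF
    echo "$d"
}

# Run with --demo to see the checks against the sample files.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_samples)
    check_svn_sasl "$dir/saslauthd" "$dir/saslauthd.conf" "$dir/svn.conf" "$dir/svnserve.conf" || echo "findings: $?"
    rm -rf "$dir"
fi
```

Against the sample files the only finding is the WARN about ldap:// without STARTTLS, which is exactly the state the walkthrough leaves the server in; the FAIL lines show up when one of the steps was skipped.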