svn: E210007: Cannot negotiate authentication mechanism
svnsync: E210007: Cannot negotiate authentication mechanism

This means that the svnserve daemon is unable to authenticate against the SASL server. It might be related to the permissions of the saslauthd socket, which on FreeBSD is at /var/run/saslauthd/mux, where the permissions should be srwxrwxrwx.

    ls -ld /var/run/saslauthd
    drwxr-x--- 2 cyrus cyrus 512 3 Sep 04:27 /var/run/saslauthd
    chmod 755 /var/run/saslauthd
    ls -ld /var/run/saslauthd
    drwxr-xr-x 2 cyrus cyrus 512 3 Sep 04:28 /var/run/saslauthd

The world r-x on /var/run/saslauthd allows the mux socket /var/run/saslauthd/mux to be accessed by the svnserve daemon.
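A preflight check for the socket path discussed above, as an added example that is not part of the original guide. The function name, the return codes and the file name in the usage comment are constructed for this example; the default path and the expected modes are the ones the guide gives for FreeBSD.

```shell
#!/bin/sh
# Added example (not from the original guide): check the saslauthd socket path.
# Function name and return codes are constructed for this example:
#   0 ok, 1 directory missing, 2 directory lacks world r-x,
#   3 mux socket missing, 4 mux socket mode is not srwxrwxrwx
# Usage (check.sh is a hypothetical file name):
#   . ./check.sh && check_saslauthd_path /var/run/saslauthd
check_saslauthd_path() {
    dir=${1:-/var/run/saslauthd}   # FreeBSD location given in the guide

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist; is saslauthd running?"
        return 1
    fi

    # Characters 8-10 of the ls mode string are the world (other) bits.
    other=$(ls -ld "$dir" | cut -c8-10)
    case $other in
        r?x|r?t) ;;   # world can list and traverse the directory
        *)
            echo "FAIL: $dir world permissions are '$other'; the guide uses chmod 755"
            return 2
            ;;
    esac

    if [ ! -S "$dir/mux" ]; then
        echo "FAIL: $dir/mux is not a socket; is saslauthd running?"
        return 3
    fi

    # The guide expects the socket itself to show srwxrwxrwx.
    mode=$(ls -ld "$dir/mux" | cut -c1-10)
    if [ "$mode" != "srwxrwxrwx" ]; then
        echo "FAIL: $dir/mux mode is $mode, expected srwxrwxrwx"
        return 4
    fi

    echo "OK: $dir and $dir/mux match the permissions in the guide"
    return 0
}
```

A return code of 2 corresponds to the drwxr-x--- listing above, and 3 to a saslauthd that is not running or has its socket elsewhere.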
svn: E170001: Authentication error from server: SASL(-1): generic failure: Password verification failed
svnsync: E170001: Authentication error from server: SASL(-1): generic failure: Password verification failed
svnsync: E170001: Unable to connect to a repository at URL

Also, if your svnserve.log shows 'Network connection closed unexpectedly', this could be an indication that the SASL authentication daemon is running but the socket is not visible.

Subversion needs to be compiled with --with-sasl and the svnserve configuration file nf needs the following sasl entry:

Then the Subversion daemon svnserve is run with --config-file=/path/to/nf

Restart the svnserve daemon and you should now be authenticating against LDAP.

SASL authentication server testing

The SASL authentication server can be tested with testsaslauthd -u igor -p secret and should return one of the following responses:

Showing that the user has successfully authenticated.

Showing that the user has successfully connected and the authentication has failed; more information may be available in /var/log/security.

Here there is no connection to the saslauthd daemon; check that the daemon is running and that the socket is readable.

Binding using bind

This is more flexible because it searches using filters. It is slightly slower, as it binds as the search user, searches for the user using the ldap_filter and then, if found, binds for a second time as that user.

    ldap_bind_dn: uid=searchuser,dc=example,dc=com
    ldap_filter: (&(uid=%U)(authorizedService=%s))

This example uses the authorizedService attribute offered by ldapns.schema to check that a user has an attribute 'authorizedService: svn'.

    ldap_filter: uid=%U,dc=example,dc=com

The ldap_filter is used to specify the Distinguished Name to bind as the user.
This is the simplest and fastest of the two and binds using the supplied username and password.

SASL authentication server configuration

There are three authentication methods available, though in this guide only bind and fastbind are shown.

SASL configuration

By default, the Cyrus SASL library reads its options from /usr/lib/sasl2/App.conf (where "App" is the application-defined name of the application). In our case the application is svnserve and is identified by svn, so on FreeBSD the file will be found at /usr/local/lib/sasl2/svn.conf.

This svn.conf configuration contains two lines: pwcheck_method specifies the password checking mechanism, in this case the saslauthd daemon, and mech_list specifies the allowed mechanisms. For LDAP the plaintext password is required, so either or both of PLAIN and LOGIN can be used.

    mech_list: PLAIN LOGIN
SASL setup is straightforward and for this example requires two configuration files, one in the SASL library with the service name and the second for the saslauthd daemon.

This guide assumes a working LDAP server, SASL authentication server and Subversion server. The operating system is FreeBSD, though any Unix/Linux system should be able to use this guide by adjusting file locations where necessary. Versions tested in compiling this guide are Subversion 1.7 & 1.8, Cyrus SASL 2.1 and OpenLDAP 2.4.
SASL, the Simple Authentication Security Layer, is available to svnserve, the Subversion version control server, and allows authentication and authorization through many mechanisms including LDAP.
HOW-TO svn and LDAP with the subversion svnserve and SASL

Authenticating using svn and svnserve with LDAP is straightforward and facilitates single sign-on.

This How To offers simple guidance and working examples on how to configure svnserve and Cyrus SASL to authenticate svn and svnserve against OpenLDAP. It may also be helpful in configuring any SASL-enabled client to authenticate against LDAP.