I need to configure the svnserve daemon to authenticate users against LDAP groups. All my svn repositories are on a CentOS box. I performed the following steps:
1- Install the libraries:
yum install subversion cyrus-sasl cyrus-sasl-ldap cyrus-sasl-plain db4-utils
2- Edit svnserve.conf in each repository to use SASL and set the realm name to the LDAP group that may access this repository.
[general]
# Disable anonymous access to the repo
anon-access = none
# Let's make sure that you are authenticated if you want to write in the repo itself
auth-access = write
realm = a_group_dn

[sasl]
# Tell Subversion to use SASL for the authentication mechanism
use-sasl = true
# Make sure that there is no encryption for the authentication mechanism
min-encryption = 0
3- Edit the file /etc/sasl2/svn.conf to configure svnserve's SASL communication.
###################################################################
# For CentOS /etc/sasl2/svn.conf
# For other distros you may need to put the file here: /usr/lib/sasl2/svn.conf
# For other distros the file may also be named subversion.conf instead of svn.conf
# A symbolic link may be your friend here to figure out where this file
# needs to be and what its name is.
#
# Password method, use the sasl authentication daemon.
pwcheck_method: saslauthd
#
## Auxiliary plugin, use ldap
auxprop_plugin: ldap
#
## Mechanism list, plain text only
mech_list: PLAIN
ldapdb_mech: PLAIN
# EOF
#########################################################
4- Edit the file /etc/saslauthd.conf to configure SASL's LDAP communication. The most important point here is that I use the %r substitution in the ldap_group_dn field, to force users to belong to the correct LDAP group as defined in each svnserve.conf file.
##/etc/saslauthd.conf
#
# Your AD server address
#ldap_servers: ldap://192.168.123.68:10389
ldap_servers: ldap://192.168.123.122
#
# I love default domain name, I just want to put the username part for
# my authentication
# not the whole user@domain.local
#ldap_default_domain: intech.com
#
# Where are the users located in the AD? If you haven't changed the default tree of your AD it should be under the Users OU.
ldap_search_base: dc=sample,dc=com
#
# You need a user account to be able to make the authentication in the Active Directory, I suggest you create a user just for that!
ldap_bind_dn: cn=manager,dc=sample,dc=com
#
# Of course there is a password associated with this user, put it here:
ldap_bind_pw: ldapuser123
#
# Misc options for LDAP to make it work with Microsoft AD. Nothing to change here, move along...
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
ldap_filter: sAMAccountName=%u
ldap_password_attr: userPassword
ldap_timeout: 10
ldap_cache_ttl: 30
ldap_cache_mem: 32768
ldap_group_dn: %r
ldap_group_match_method: filter
ldap_group_filter: (uniqueMember=%D)
ldap_group_attr: uniqueMember
#EOF
#########################################################
This seems to work, but I would like to know whether there is any negative impact in using the realm name attribute to communicate with LDAP groups.
Thanks in advance
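Since the setup above makes every repository's realm double as the LDAP group DN that saslauthd expands from %r, a drift between the two silently changes who may log in. The following is an added example (not part of the post, not Subversion or Cyrus SASL code) that audits each <root>/<repo>/conf/svnserve.conf for the expected settings; the sample configuration embedded in it is constructed, and the DN shape check and the "[general]/[sasl]" section layout are assumptions taken from svnserve's documented file format.

```python
import configparser
import glob
import os
import re

# Constructed sample svnserve.conf with the layout described in the post (not a real repo's file).
SAMPLE_SVNSERVE_CONF = """
[general]
anon-access = none
auth-access = write
realm = cn=svn-project-a,ou=groups,dc=sample,dc=com

[sasl]
use-sasl = true
min-encryption = 0
"""

# Loose DN shape: one or more "attr=value" RDNs separated by commas (assumption, not an LDAP parser).
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")


def check_svnserve_conf(text):
    """Return a list of findings for one svnserve.conf given as a string; empty means it matches the setup."""
    cfg = configparser.ConfigParser(interpolation=None)  # realm may legitimately contain '%'
    cfg.read_string(text)
    findings = []

    anon = cfg.get("general", "anon-access", fallback="read")  # svnserve's built-in default is read
    if anon != "none":
        findings.append("anon-access is %r; expected none" % anon)

    realm = cfg.get("general", "realm", fallback="").strip()
    if not realm:
        findings.append("realm is empty; saslauthd would expand ldap_group_dn %r to nothing")
    elif not DN_RE.match(realm):
        findings.append("realm %r does not look like a group DN" % realm)

    if cfg.get("sasl", "use-sasl", fallback="false").lower() != "true":
        findings.append("use-sasl is not true; the LDAP group check never runs")

    if cfg.getint("sasl", "min-encryption", fallback=0) == 0:
        findings.append("min-encryption = 0 with PLAIN: credentials cross the wire unprotected "
                        "unless svnserve is tunnelled over SSH or TLS")
    return findings


def check_repo_root(root):
    """Check every <root>/<repo>/conf/svnserve.conf and return {path: findings}."""
    results = {}
    for conf in sorted(glob.glob(os.path.join(root, "*", "conf", "svnserve.conf"))):
        with open(conf) as fh:
            results[conf] = check_svnserve_conf(fh.read())
    return results


if __name__ == "__main__":
    # Pass the parent directory of the repositories to audit real files; else run on the sample.
    import sys
    reports = (check_repo_root(sys.argv[1]) if len(sys.argv) > 1
               else {"<constructed sample>": check_svnserve_conf(SAMPLE_SVNSERVE_CONF)})
    for path, findings in reports.items():
        print(path, "OK" if not findings else "")
        for item in findings:
            print("  -", item)
```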