
I need to configure the svnserve daemon to authenticate users against LDAP groups. All my svn repositories are on a CentOS box. I performed the following steps:

1- Install the libraries:

yum install subversion cyrus-sasl cyrus-sasl-ldap cyrus-sasl-plain db4-utils

2- Edit svnserve.conf in each repository to use SASL, and set the realm name to the LDAP group that is allowed to access this repository.

# Disable anonymous access to the repo
anon-access = none
# Let’s make sure that you are authenticated if you want to write in the repo itself
auth-access = write
realm = a_group_dn
# Tell Subversion to use SASL for the authentication mechanism
use-sasl = true
# Make sure that there is no encryption for the authentication mechanism
min-encryption = 0

3- Edit the file /etc/sasl2/svn.conf to configure the SASL communication of svnserve.

###################################################################
# For CentOS /etc/sasl2/svn.conf
# For other distro you may need to put the file here : /usr/lib/sasl2/svn.conf
# For other distro the file may also be named subversion.conf instead of svn.conf
# A symbolic link may be your friend here to figure out where this file needs to be and what its name is.
#
# Password method, use the sasl authentication daemon.
pwcheck_method: saslauthd
#
## Auxiliary plugin, use ldap
auxprop_plugin: ldap
#
## Mechanism list, plain text only
mech_list: PLAIN
ldapdb_mech: PLAIN
# EOF
#########################################################

4- Edit the file /etc/saslauthd.conf to configure the SASL LDAP communication. The most important thing here is that I use the %r substitution in the ldap_group_dn field to force the user to belong to the correct LDAP group, as defined in each svnserve.conf file.

#
#/etc/saslauthd.conf
#
# Your AD server address
#ldap_servers: ldap://192.168.123.68:10389
ldap_servers: ldap://192.168.123.122
#
# I love default domain name, I just want to put the username part for my authentication, not the whole user@domain.local
#ldap_default_domain: intech.com
#
# Where are the users located in the AD?  If you haven't changed the default tree of your AD it should be under the Users OU.
ldap_search_base: dc=sample,dc=com
#
# You need a user account to be able to make the authentication in the Active Directory, I suggest you create a user just for that!
ldap_bind_dn: cn=manager,dc=sample,dc=com

#
# Of course there is a password associated with this user, put it here :
ldap_bind_pw: ldapuser123
#
# Misc options for LDAP to make it work with Microsoft AD.  Nothing to change here, move along…
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
ldap_filter: sAMAccountName=%u
ldap_password_attr: userPassword
ldap_timeout: 10
ldap_cache_ttl: 30
ldap_cache_mem: 32768
ldap_group_dn: %r
ldap_group_match_method: filter
ldap_group_filter: (uniqueMember=%D)
ldap_group_attr: uniqueMember
#EOF
#########################################################

This seems to work, but I would like to know whether there are any negative effects of using the realm name attribute to communicate with the LDAP group.

Thanks in advance
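The four steps above chain two configuration files together: the realm from each repository's svnserve.conf becomes the group DN that saslauthd checks via %r. A small audit script makes that dependency visible and flags the settings a reviewer would question (min-encryption = 0 with a PLAIN mechanism, an ldap:// server without STARTTLS, a bind password sitting in the file, and a misspelled ldap_group_match_method key, which silently leaves the group check unconfigured). This is an added example, not code from the question; the sample files are constructed here, modelled on the settings quoted above, with the realm replaced by a placeholder DN and the svnserve.conf keys placed under their real [general] and [sasl] sections.

```python
"""Audit svnserve.conf + saslauthd.conf for the %r group check and weak settings."""
import configparser
from typing import Dict, List

# Constructed sample input (not a real repository): keys under the sections
# svnserve actually uses; the realm is a placeholder group DN.
SVNSERVE_CONF = """\
[general]
anon-access = none
auth-access = write
realm = cn=svn-devs,ou=groups,dc=sample,dc=com

[sasl]
use-sasl = true
min-encryption = 0
"""

# Constructed sample input modelled on the question; the misspelled
# "dap_group_match_method" key is reproduced on purpose so the audit catches it.
SASLAUTHD_CONF = """\
ldap_servers: ldap://192.168.123.122
ldap_search_base: dc=sample,dc=com
ldap_bind_dn: cn=manager,dc=sample,dc=com
ldap_bind_pw: ldapuser123
ldap_start_tls: no
ldap_auth_method: bind
ldap_filter: sAMAccountName=%u
ldap_group_dn: %r
dap_group_match_method: filter
ldap_group_filter: (uniqueMember=%D)
"""


def parse_svnserve(text: str) -> Dict[str, Dict[str, str]]:
    """svnserve.conf is INI-style; interpolation is off so '%' stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def parse_saslauthd(text: str) -> Dict[str, str]:
    """saslauthd.conf is one 'key: value' per line with '#' comments."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def audit(svn: Dict[str, Dict[str, str]], sasl: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    general = svn.get("general", {})
    sasl_section = svn.get("sasl", {})
    realm = general.get("realm", "")

    if sasl.get("ldap_group_dn") == "%r":
        # The realm string is substituted verbatim into the group DN, so it must be one.
        if "=" not in realm or "," not in realm:
            findings.append(f"realm {realm!r} feeds ldap_group_dn via %r but is not a DN")
        if "ldap_group_match_method" not in sasl:
            findings.append("ldap_group_match_method is missing (check for a misspelled key)")
        if "%D" not in sasl.get("ldap_group_filter", ""):
            findings.append("ldap_group_filter does not reference the authenticated user DN (%D)")

    if sasl_section.get("use-sasl", "").lower() == "true" and sasl_section.get("min-encryption", "0") == "0":
        findings.append("min-encryption = 0: PLAIN credentials may cross the network unencrypted")

    if sasl.get("ldap_servers", "").startswith("ldap://") and sasl.get("ldap_start_tls", "no").lower() != "yes":
        findings.append("saslauthd uses ldap:// without STARTTLS; bind and user passwords are sent in clear")

    if "ldap_bind_pw" in sasl:
        findings.append("ldap_bind_pw is stored in saslauthd.conf; keep the file root-only (mode 0600)")

    if general.get("anon-access", "read") != "none":  # svnserve's default is read
        findings.append("anon-access is not 'none'")
    return findings


def run_audit(svn_text: str = SVNSERVE_CONF, sasl_text: str = SASLAUTHD_CONF) -> List[str]:
    return audit(parse_svnserve(svn_text), parse_saslauthd(sasl_text))


if __name__ == "__main__":
    for finding in run_audit():
        print("WARN:", finding)
```

Run it against the real files by reading them into the two text arguments of run_audit; the realm check is deliberately strict because a realm that is not a well-formed DN produces an LDAP error rather than a clear "not in group" refusal.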
