
How to configure Subversion to use Cyrus-SASL2 to authenticate to a MySQL database?

Ok, so I want to have Subversion authentication work from a MySQL database. I am going to try to use Cyrus SASL for this.

I already have instructions for installing the necessary parts:

  1. Install FreeBSD.
    How do I install FreeBSD?

  2. Update FreeBSD and download the ports tree.
    What are the first commands I run after installing FreeBSD?

  3. Install Subversion, with one difference from the linked instructions: you need to build it with SASL2 support, which is one of the options presented when you run make install.
    How to install subversion 1.6.6 on FreeBSD 7.2

Ok, now that everything is installed, you are where I am and ready to try to get this configured.

Configuring Subversion to use SASL to Authenticate to a MySQL database

  1. Create a simple MySQL database. The following is a simple database creation script that creates a database with one table and two rows.
    CREATE DATABASE UserDB;
    USE UserDB;
    CREATE TABLE `users` (`username` varchar(255), `password` varchar(255));
    INSERT INTO users VALUES ('user1','pw1');
    INSERT INTO users VALUES ('user2@MyReal.com','pw2');
    INSERT INTO users VALUES ('user3@myemailaddress.com','pw3');
    

    Note: I use these accounts to show what works and what does not work because the idea of “realms” is confusing.

    You may be asking why I don’t have three columns, one for each item: User, Password, Realm.

    Well, if you really are creating a new database to handle SVN users, then that is how you should do it, and here it is.

    CREATE DATABASE UserDB;
    USE UserDB;
    CREATE TABLE `users` (`username` varchar(255), `password` varchar(255), `realm` varchar(255));
    INSERT INTO users VALUES ('user1','pw1','realm');
    INSERT INTO users VALUES ('user2@MyReal.com','pw2','realm');
    INSERT INTO users VALUES ('user3@myemailaddress.com','pw3','realm');
    

    However, because I am assuming that you want to authenticate users that are in an already existing database, a realm column won’t really exist. You may also have usernames that are in email format, or not in email format, and that makes a difference, because Subversion splits the username at an @ symbol and the username is only what is before the @ symbol. See the troubleshooting realms section below.

  2. Edit the following file:
    /home/svn/repos/MyApp/conf/svnserve.conf

    # ee /home/svn/repos/MyApp/conf/svnserve.conf

    The following are the lines that should NOT be commented out.

    [general]
    anon-access = none
    auth-access = write
    realm = MyDomain.com

    [sasl]
    use-sasl = true

  3. Create and edit the following file:
    /usr/local/lib/sas2/svn.conf

    # ee /usr/local/lib/sas2/svn.conf

    The following are the lines that should NOT be commented out.

    [general]
    pwcheck_method: auxprop
    mech_list: plain
    auxprop_plugin: sql
    sql_hostnames: localhost
    sql_engine: mysql
    sql_user: root
    sql_passwd: pw
    sql_database: UserDB
    sql_select: SELECT password FROM users WHERE username='%u'

    Note: For debugging add log_level: 7 to this file and then watch the /var/log/debug file.

You should now be able to connect with a client such as TortoiseSVN.

Troubleshooting Realms

I found some issues with realms that were really confusing.

Change your /usr/local/lib/sas2/svn.conf file to look like this:

[general]
log_level: 7
pwcheck_method: auxprop
mech_list: plain
auxprop_plugin: sql
sql_hostnames: localhost
sql_engine: mysql
sql_user: root
sql_passwd: pw
sql_database: UserDB
sql_select: SELECT password FROM users WHERE username='%u' or username='%u@%r'

I added two changes:

  1. Turned on logging.
  2. Changed the SQL statement to look for username='username' or username='username@realm'.

I had to do this because if the user was using an email address, such as john@domain.tld, then %u actually becomes only john; the @domain.tld part is dropped and replaced with the name of the realm. However, if your username is john@domain.tld and your realm is domain.tld (so realm and domain are the same), then the code above works. If your domain and realm are not the same, I haven't been able to get this to work.

Go ahead and run this command:

# tail -f -n 30 /var/log/debug

And then try to authenticate using a client, such as TortoiseSVN. Test all three users. You will see the SQL queries that are run. It should work to authenticate as user1 or user2, but it cannot authenticate user3 because of the way it handles realms. If you have users whose email addresses are not in your realm, then you need them to have usernames that are not email addresses.
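To make the realm behaviour concrete, here is an added Python simulation (not code from this post and not Cyrus SASL's own code) of how the two sql_select templates above play out against the three test users. It uses an in-memory SQLite table in place of MySQL and models the @-splitting exactly as the post describes it, with the realm taken from svnserve.conf.

```python
import sqlite3

# Constructed test data mirroring the three users in the post's UserDB.
USERS = [("user1", "pw1"), ("user2@MyReal.com", "pw2"),
         ("user3@myemailaddress.com", "pw3")]

# The two sql_select templates from the post; %u is the user part, %r the realm.
SELECT_USER_ONLY = "SELECT password FROM users WHERE username='%u'"
SELECT_USER_OR_REALM = ("SELECT password FROM users WHERE username='%u' "
                        "or username='%u@%r'")

def split_login(login, realm):
    # As the post describes it: text before the first '@' becomes %u, the rest
    # is dropped, and %r is the realm configured in svnserve.conf.
    return login.split("@", 1)[0], realm

def build_db():
    # In-memory SQLite stand-in for the MySQL UserDB.users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def stored_password(conn, template, login, realm):
    # Expand %u/%r by plain text substitution and run the query; None if no row.
    user, realm = split_login(login, realm)
    row = conn.execute(template.replace("%u", user).replace("%r", realm)).fetchone()
    return row[0] if row else None

def authenticate(conn, template, login, password, realm):
    # Succeeds only when a row matched and its password equals the one offered.
    stored = stored_password(conn, template, login, realm)
    return stored is not None and stored == password

def run_demo(realm="MyReal.com"):
    # Try all three users with both templates -> {template name: {login: ok}}.
    conn = build_db()
    templates = {"user_only": SELECT_USER_ONLY,
                 "user_or_realm": SELECT_USER_OR_REALM}
    return {name: {login: authenticate(conn, tmpl, login, pw, realm)
                   for login, pw in USERS}
            for name, tmpl in templates.items()}

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

With the realm set to MyReal.com, only the user-or-realm template lets user2@MyReal.com in, and user3@myemailaddress.com fails under both, because %u@%r expands to user3@MyReal.com, which is not a row in the table.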

Final Question
If the password is stored as an MD5, SHA-1 or SHA-256 hash in the database, how do I make this work?


Copyright ® Rhyous.com - Linking to this article is allowed without permission and as many as ten lines of this article can be used along with this link. Any other use of this article is allowed only by permission of Rhyous.com.