1. Brief introduction:
The one thing to explain here is that authentication on the svn server goes through the SASL mechanism. SASL (Simple Authentication and Security Layer) is a mechanism for extending the authentication capabilities of client/server protocols.
SASL is a glue library: through it, the application layer is integrated with all kinds of authentication systems. This is somewhat like PAM, but PAM is an authentication method that decides who may access which service, whereas SASL is the authentication process itself, focused on how trust is established; that process can in turn call PAM to establish the trust relationship.
1.1. Installation:
[root@ldap-server ~]# yum -y install sasl* #install sasl
[root@ldap-server ~]# rpm -qa |grep sasl #list the installed packages
saslwrapper-0.14-1.el6.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-devel-2.1.23-13.el6_3.1.x86_64
saslwrapper-devel-0.14-1.el6.x86_64
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
[root@ldap-server ~]# saslauthd -v #show the mechanisms this saslauthd supports
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
[root@ldap-server ~]# grep -i mech /etc/sysconfig/saslauthd #filter for the setting that needs changing
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=pam
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
[root@ldap-server ~]# sed -i "s#MECH=pam#MECH=shadow#g" /etc/sysconfig/saslauthd #change the setting
[root@ldap-server ~]# grep -i mech /etc/sysconfig/saslauthd #check the result
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=shadow
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
[root@ldap-server ~]# /etc/init.d/saslauthd start #start sasl
Starting saslauthd: [ OK ]
[root@ldap-server ~]# ps -ef|grep sasl #check the processes after start-up
root 20549 1 0 09:35 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
root 20551 20549 0 09:35 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
root 20552 20549 0 09:35 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
root 20553 20549 0 09:35 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
root 20554 20549 0 09:35 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
1.2. Testing authentication of a system user (optional):
[root@ldap-server ~]# useradd xyyp #create a system user
[root@ldap-server ~]# passwd xyyp #set its password
[root@ldap-server ~]# testsaslauthd -uxyyp -p123123 #authenticate the user
0: NO "authentication failed" #the system user was clearly created and pam was changed to shadow in /etc/sysconfig/saslauthd, yet authentication still fails; the fix is to run the SELinux command: setsebool -P allow_saslauthd_read_shadow 1
[root@ldap-server ~]# testsaslauthd -uxyyp -p123123 #authenticate the user again
0: OK "Success."
1.3. Switching to LDAP authentication:
[root@ldap-server ~]# sed -i "s#MECH=shadow#MECH=ldap#g" /etc/sysconfig/saslauthd #change shadow to ldap
[root@ldap-server ~]# /etc/init.d/saslauthd restart #restart the service
Stopping saslauthd: [ OK ]
Starting saslauthd: [ OK ]
[root@ldap-server ~]# grep -i mech /etc/sysconfig/saslauthd #check the result
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=ldap
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
[root@ldap-server ~]# vim /etc/saslauthd.conf #edit the config file and add the following content
ldap_servers: ldap://xyanp.org/
#ldap_uri: ldap://ldap.xyp.xyanp.org/
#ldap_version: 3
#ldap_start_tls: 0
ldap_bind_dn: cn=admin,dc=xyanp,dc=org
ldap_bind_pw: xyp
ldap_search_base: ou=People,dc=xyanp,dc=org
ldap_filter: uid=%U
#ldap_filter: mail=%U@xyanp.org
ldap_password_attr: userPassword
#ldap_sasl: 0
"/etc/saslauthd.conf" 12L, 327C written
[root@ldap-server ~]# /etc/init.d/saslauthd restart #restart the service
Stopping saslauthd: [ OK ]
Starting saslauthd: [ OK ]
[root@ldap-server ~]# testsaslauthd -uxyp -p123456 #test authentication of an LDAP user
0: OK "Success."
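A misspelled key in saslauthd.conf (ldap_sercers instead of ldap_servers) fails silently, because saslauthd simply falls back to its documented default server, and a plain ldap:// URI sends the bind password and every user password to the directory in cleartext. The linter below is an added example written for this page, not code from the post or from cyrus-sasl: the known-option list is a subset of the names documented in LDAP_SASLAUTHD, the boolean spellings it accepts are an assumption, and the sample config is constructed from the values used above.

```python
import difflib

# Option names taken from cyrus-sasl's LDAP_SASLAUTHD documentation (a subset).
KNOWN_KEYS = {
    "ldap_servers", "ldap_bind_dn", "ldap_bind_pw", "ldap_version",
    "ldap_start_tls", "ldap_tls_check_peer", "ldap_tls_cacert_file",
    "ldap_search_base", "ldap_filter", "ldap_password_attr",
    "ldap_auth_method", "ldap_use_sasl", "ldap_scope", "ldap_timeout",
}

def parse_saslauthd_conf(text):
    """Return {key: value} from 'key: value' lines; blanks and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf

def lint_saslauthd_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_saslauthd_conf(text)
    findings = []
    for key in conf:
        if key not in KNOWN_KEYS:
            hint = difflib.get_close_matches(key, KNOWN_KEYS, n=1)
            findings.append(f"unknown option '{key}'" + (f", did you mean '{hint[0]}'?" if hint else ""))
    if "ldap_servers" not in conf:
        # The documented default is ldap://localhost/, so a typo goes unnoticed whenever the directory is local.
        findings.append("ldap_servers not set; saslauthd will default to ldap://localhost/")
    uris = conf.get("ldap_servers", "ldap://localhost/").split()
    # Assumption: saslauthd accepts these spellings for a true boolean.
    tls = conf.get("ldap_start_tls", "0").lower() in ("1", "yes", "on", "true")
    if any(u.startswith("ldap://") for u in uris) and not tls:
        findings.append("bind password and user passwords are sent to the directory in cleartext: "
                        "use ldaps:// or set ldap_start_tls: 1")
    return findings

# Constructed sample: the post's file, including a misspelled first key.
SAMPLE = """\
ldap_sercers: ldap://xyanp.org/
ldap_bind_dn: cn=admin,dc=xyanp,dc=org
ldap_bind_pw: xyp
ldap_search_base: ou=People,dc=xyanp,dc=org
ldap_filter: uid=%U
ldap_password_attr: userPassword
"""
```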
Set up the svn server and make sure it runs normally (not covered in detail here).
Test svn with an LDAP user:
[root@ldap-server svndata]# svn up svn://10.10.10.90/asdoc ./ --username=xyp --password=123456 #use the LDAP user and password in place of an svn account
svn: warning: cannot set LC_CTYPE locale
svn: warning: environment variable LANG is EN
svn: warning: please check that your locale name is correct
Skipped 'svn://10.10.10.90/asdoc'
Authentication realm: <svn://10.10.10.90:3690> 5a20e44e-42c6-42cb-841a-590b02c4e94d
Username: #it prompts for a username and password, which shows the LDAP user does not work yet
[root@ldap-server svndata]# vim /etc/sasl2/svn.conf #create a config file with the following content
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
[root@ldap-server asdoc]# cd /app/svndata/asdoc/conf/ #switch to the svn repository's conf directory
[root@ldap-server conf]# sed -i "s/# use-sasl = true/use-sasl = true/g" svnserve.conf #enable the parameter
[root@ldap-server conf]# grep use-sasl svnserve.conf #check the result
use-sasl = true
[root@ldap-server conf]# pkill svn #kill svnserve
[root@ldap-server conf]# ps -ef|grep svn #check
root 20847 8217 0 11:03 pts/0 00:00:00 grep svn
[root@ldap-server conf]# svnserve -d -r /app/svndata/ #start svnserve again
[root@ldap-server conf]# ps -ef|grep svn #check the result
root 20849 1 0 11:03 ? 00:00:00 svnserve -d -r /app/svndata/
root 20851 8217 0 11:03 pts/0 00:00:00 grep svn
[root@ldap-server conf]# svn co svn://10.10.10.90/asdoc /svndata --username=xyp --password=123456 #check out using the LDAP username and password
-----------------------------------------------------------------------
ATTENTION! Your password for authentication realm:
<svn://10.10.10.90:3690> 5a20e44e-42c6-42cb-841a-590b02c4e94d
can only be stored to disk unencrypted! You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible. See the documentation for details.
You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/root/.subversion/servers'.
-----------------------------------------------------------------------
Store password unencrypted (yes/no)? yes #it asks to save the password, which means authentication succeeded
1.4. Windows client test:
Create a new folder, right-click and choose checkout; the following dialog appears:
================================================================================= LDAP authentication for svn is complete at this point.
1.5. Notes:
Although LDAP authentication now succeeds, svn user management still has to be done in the authz file, for example permissions: if a user is created in LDAP, that user must still be granted r or w permission in the authz file. With many users, create a group and grant the permission to the group directly.
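To see which LDAP users actually end up with an authz rule, here is an added audit script (example code written for this page, not from the post or from Subversion). The authz text, the group, the paths and the uid list are all constructed; it only reports the rules that name a user, directly or through a group, and does not reimplement svnserve's rule-precedence logic.

```python
import configparser
# Constructed authz: one group and two per-path sections, in svnserve's own syntax.
AUTHZ = """\
[groups]
devs = xyp, xyyp

[asdoc:/]
@devs = rw

[asdoc:/internal]
* =
"""

def parse_authz(text):
    """Return (groups, rules): {group: [members]} and {section: {principal: right}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # user and group names are case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        groups = {g: [m.strip() for m in v.split(",") if m.strip()]
                  for g, v in cp["groups"].items()}
    rules = {s: dict(cp[s]) for s in cp.sections() if s != "groups"}
    return groups, rules

def members(principal, groups, seen=()):
    """Expand '@group' (recursively, cycle-safe) to the set of user names it covers."""
    if not principal.startswith("@"):
        return {principal}
    name = principal[1:]
    if name in seen:
        return set()
    users = set()
    for m in groups.get(name, []):
        users |= members(m, groups, seen + (name,))
    return users

def audit(ldap_uids, authz_text):
    """Map each LDAP uid to the rules naming it as [(section, right)]; [] means no rule."""
    groups, rules = parse_authz(authz_text)
    report = {uid: [] for uid in ldap_uids}
    for section, entries in rules.items():
        for principal, right in entries.items():
            # '*' expands to itself and so never matches a real uid here.
            for uid in members(principal, groups) & set(ldap_uids):
                report[uid].append((section, right.strip()))
    return report

# Constructed uid list: the users the post created plus one with no authz rule.
LDAP_UIDS = ["xyp", "xyyp", "bob"]
```

A uid whose report entry is empty, like bob here, authenticates through saslauthd and LDAP but cannot read or commit anything until authz grants it, or a group it belongs to, r or rw.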