前言
SVN架构:
用户访问SVN服务器分为两个部分:认证与授权。
SVN内置了有认证与授权机制,其认证是通过SVN仓库内的passwd文件提供,但它是明文、静态的,不方便且安全性低。
SVN还支持外部的认证,比如SASL,HTTP等。本文介绍使用SASL+LDAP认证。
原理介绍:
SASL全称是Cyrus Simple Authentication and Security Layer,它支持包括LDAP在内的多种认证方式,如Kerberos(GSSAPI), NTLM, One-Time-Passwords(OTP), DIGEST-MD5, Secure-Remote-Password(SRP)等。
步骤
准备内容:
SVN服务器
SVN服务端,是一台CentOS 7.9。
安装包:
[root@computing-host-001 ~]# yum install -y subversion cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain
配置cyrus-sasl:
[root@computing-host-001 ~]# cat > /etc/saslauthd.conf << EOF ldap_servers: ldaps://ipa-server-001.icinfra.cn ldap_mech: PLAIN ldap_search_base: cn=users,cn=accounts,dc=icinfra,dc=cn #ldap_filter: (cn=%u) ldap_filter: (uid=%u) ldap_bind_dn: uid=wanlinwang,cn=users,cn=accounts,dc=icinfra,dc=cn ldap_password: 123456 EOF [root@computing-host-001 ~]# cat /etc/sysconfig/saslauthd # Directory in which to place saslauthd's listening socket, pid file, and so # on. This directory must already exist. SOCKETDIR=/run/saslauthd # Mechanism to use when checking passwords. Run "saslauthd -v" to get a list # of which mechanism your installation was compiled with the ablity to use. MECH=ldap # Additional flags to pass to saslauthd on the command line. See saslauthd(8) # for the list of accepted flags. FLAGS= [root@computing-host-001 ~]#
验证,其中123456是正确的LDAP密码,而1234567是错误的,
[root@computing-host-001 ~]# testsaslauthd -u wanlinwang -p 123456 0: OK "Success." [root@computing-host-001 ~]# testsaslauthd -u wanlinwang -p 1234567 0: NO "authentication failed"
修改SVN的SASL配置:
[root@computing-host-001 ~]# cat /etc/sasl2/svn.conf pwcheck_method: saslauthd #auxprop_plugin: ldap mech_list: plain login cram-md5 digest-md5
svn仓库配置:
[root@computing-host-001 ~]# svnadmin create --fs-type fsfs svn_repo [root@computing-host-001 ~]# cat svn_repo/conf/svnserve.conf| grep -Ev '^\s*#' [general] anon-access = none auth-access = write authz-db = authz [sasl] use-sasl = true [root@computing-host-001 ~]# cat svn_repo/conf/authz| grep -Ev '^\s*#' [aliases] [groups] [/] wanlinwang = rw [root@computing-host-001 ~]# svnserve -d -r ~/svn_repo --listen-port 8888 [root@computing-host-001 ~]# ps -ef| grep svns root 2815 1 0 10:40 ? 00:00:00 svnserve -d -r /root/svn_repo --listen-port 8888 root 2846 2506 0 10:42 pts/2 00:00:00 grep --color=auto svns
SVN客户端:
在另一台服务器,执行svn checkout并使用LDAP账号密码认证,
[wanlinwang@computing-host-002 ~]$ mkdir svn_working_copy/ [wanlinwang@computing-host-002 ~]$ cd svn_working_copy/ [wanlinwang@computing-host-002 ~/svn_working_copy]$ svn co svn://computing-host-001:8888/ Authentication realm: <svn://computing-host-001:8888> 242544f5-a785-46dc-9773-b79fe3fdd8a1 Password for 'wanlinwang': ----------------------------------------------------------------------- ATTENTION! Your password for authentication realm: <svn://computing-host-001:8888> 242544f5-a785-46dc-9773-b79fe3fdd8a1 can only be stored to disk unencrypted! You are advised to configure your system so that Subversion can store passwords encrypted, if possible. See the documentation for details. You can avoid future appearances of this warning by setting the value of the 'store-plaintext-passwords' option to either 'yes' or 'no' in '/home/wanlinwang/.subversion/servers'. ----------------------------------------------------------------------- Store password unencrypted (yes/no)? yes Checked out revision 0. [wanlinwang@computing-host-002 ~/svn_working_copy]$ echo "First file" > test.txt [wanlinwang@computing-host-002 ~/svn_working_copy]$ svn add test.txt A test.txt [wanlinwang@computing-host-002 ~/svn_working_copy]$ svn ci -m 'Added first file.' Adding test.txt Transmitting file data . Committed revision 1.
参考资料:
https://svnbook.red-bean.com/en/1.7/svn-book.html
https://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt
https://developpaper.com/svn-authentication-and-authorization-using-ldap-protocol/
网友留言: