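Unified authentication scheme based on OpenLDAP:
I. Compile and install SVN
0: Required settings
```
# setenforce 0 puts SELinux into permissive mode until the next reboot;
# stopping firewalld leaves every listening port on this host reachable.
$ setenforce 0
$ systemctl stop firewalld
$ uname -a
Linux svn.t4x.org 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
```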
1: Software
```
# Most of these are fetched over plain HTTP from mirrors: verify each archive
# against the checksum or signature published by the project before building.
$ wget http://archive.apache.org/dist/apr/apr-1.5.1.tar.gz
$ wget http://archive.apache.org/dist/apr/apr-util-1.5.4.tar.gz
$ wget http://mirror.bit.edu.cn/apache/subversion/subversion-1.10.2.tar.gz
$ wget http://liquidtelecom.dl.sourceforge.net/project/libpng/zlib/1.2.11/zlib-1.2.11.tar.gz
$ wget https://www.sqlite.org/2015/sqlite-amalgamation-3081101.zip
```
2: Installation
```
$ yum install unzip gcc gcc-c++ cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain cyrus-sasl-devel -y

$ tar zxf apr-1.5.1.tar.gz
$ cd apr-1.5.1
$ ./configure
$ make && make install
$ cd ..    # back to the download directory; all source trees are unpacked side by side

$ tar zxf apr-util-1.5.4.tar.gz
$ cd apr-util-1.5.4
$ ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
$ make && make install
$ cd ..

$ tar zxf zlib-1.2.11.tar.gz
$ cd zlib-1.2.11
$ ./configure
$ make && make install
$ cd ..

# Subversion picks up the SQLite amalgamation from its own source tree
$ unzip sqlite-amalgamation-3081101.zip
$ tar zxf subversion-1.10.2.tar.gz
$ mv sqlite-amalgamation-3081101 ./subversion-1.10.2/sqlite-amalgamation
$ cd subversion-1.10.2
# --with-sasl is required for the saslauthd/LDAP authentication configured later
$ ./configure --prefix=/opt/subversion-1.10.2 --without-berkeley-db --with-apr=../apr-1.5.1 --with-apr-util=../apr-util-1.5.4 --with-sasl --with-lz4=internal --with-utf8proc=internal
$ make && make install
$ ln -s /opt/subversion-1.10.2/ /usr/local/svn
# single quotes so that $PATH is expanded at login time, not when this line is written
$ echo 'export PATH=$PATH:/usr/local/svn/bin' >>/etc/profile
$ source /etc/profile
```
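II. Configure SVN
```
# A non-zero count means svnserve was built with Cyrus SASL support
$ svnserve --version | grep SASL | wc -l
$ mkdir /work/svndata/ -p
$ svnadmin create /work/svndata/sadoc
$ cd /work/svndata/sadoc/conf/
$ cp svnserve.conf svnserve.conf.$(date +%F)
# Uncomment the template lines: no anonymous access, authenticated users may
# write, path rules come from the authz file, authentication goes through SASL
$ sed -i 's#\# anon-access = read#anon-access = none#g' svnserve.conf
$ sed -i 's#\# auth-access = write#auth-access = write#g' svnserve.conf
$ sed -i 's/# authz-db = authz/authz-db = authz/g' svnserve.conf
$ sed -i 's/# use-sasl = true/use-sasl = true/g' svnserve.conf
# Grant the LDAP user byrd read/write access to the whole sadoc repository
$ cat >> /work/svndata/sadoc/conf/authz <<BYRD
[sadoc:/]
byrd = rw
BYRD
```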
III. Configure saslauthd
```
$ cp /etc/sysconfig/saslauthd /etc/sysconfig/saslauthd.$(date +%F)
$ sed -i 's/MECH=pam/MECH=ldap/' /etc/sysconfig/saslauthd
$ grep "MECH" /etc/sysconfig/saslauthd

# saslauthd binds to the directory as ldap_bind_dn and looks users up with
# ldap_filter; this file stores the bind password in clear text
$ cat >> /etc/saslauthd.conf <<BYRD
ldap_servers:ldap://ldap.t4x.org
ldap_bind_dn: cn=admin,dc=ldap,dc=t4x,dc=org
ldap_bind_pw: admin
ldap_search_base: ou=People,dc=ldap,dc=t4x,dc=org
ldap_filter: uid=%U
ldap_password_attr: userPassword
BYRD

# SASL settings for the svn service: saslauthd can only verify plaintext
# mechanisms, so clients send the password itself (PLAIN / LOGIN)
$ cat >> /etc/sasl2/svn.conf <<BYRD
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
BYRD

$ systemctl restart saslauthd
$ echo "10.4.0.10 ldap.t4x.org" >> /etc/hosts

# Check that saslauthd can authenticate LDAP users before involving svnserve
$ testsaslauthd -ubyrd -padmin
0: OK "Success."
$ testsaslauthd -uusermarkting01 -padmin
0: OK "Success."
```
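Added example, not part of the original post: a shell function that checks the svnserve.conf, saslauthd.conf and svn.conf files written above, confirming that the `sed` edits really took effect and flagging where passwords travel or rest in clear text. The function names `conf_value` and `audit_svn_sasl` are made up for this example; `ldap_start_tls` is saslauthd's LDAP StartTLS option, which the post does not set.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the original post.
# Usage: audit_svn_sasl SVNSERVE_CONF SASLAUTHD_CONF SASL_SVN_CONF
# Prints one finding per line; returns 0 only when there are no findings.

# conf_value FILE KEY SEP -> value of the last uncommented "KEY SEP value" line
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*$3[[:space:]]*//p" "$1" | tail -n 1
}

audit_svn_sasl() {
    svnserve_conf=$1 saslauthd_conf=$2 sasl_svn_conf=$3 findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    # The sed edits only work if the template text matched exactly, so
    # confirm that each setting ended up active (uncommented).
    [ "$(conf_value "$svnserve_conf" anon-access =)" = none ] ||
        report "svnserve.conf: anon-access is not 'none' (default is anonymous read)"
    [ "$(conf_value "$svnserve_conf" use-sasl =)" = true ] ||
        report "svnserve.conf: use-sasl is not enabled"
    [ -n "$(conf_value "$svnserve_conf" authz-db =)" ] ||
        report "svnserve.conf: authz-db is not set, path rules are not applied"

    # saslauthd -> LDAP leg: plain ldap:// without StartTLS carries the bind
    # password and every user password unencrypted.
    servers=$(conf_value "$saslauthd_conf" ldap_servers :)
    starttls=$(conf_value "$saslauthd_conf" ldap_start_tls :)
    case $servers in
        ldap://*) [ "$starttls" = yes ] ||
            report "saslauthd.conf: ldap:// without ldap_start_tls: yes" ;;
    esac

    # The file holds ldap_bind_pw, so group/other must not be able to read it.
    [ -z "$(find "$saslauthd_conf" \( -perm -040 -o -perm -004 \))" ] ||
        report "saslauthd.conf: readable by group or others (contains ldap_bind_pw)"

    # client -> svnserve leg: PLAIN and LOGIN put the password on the wire as-is.
    case " $(conf_value "$sasl_svn_conf" mech_list :) " in
        *" PLAIN "*|*" LOGIN "*)
            report "svn.conf: PLAIN/LOGIN over svn:// is cleartext; tunnel or restrict 3690" ;;
    esac
    [ "$findings" -eq 0 ]
}
```

Call it as `audit_svn_sasl /work/svndata/sadoc/conf/svnserve.conf /etc/saslauthd.conf /etc/sasl2/svn.conf` after the configuration steps.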
IV. Testing
```
$ svnserve -d -r /work/svndata/
$ netstat -tunlp | grep 3690
tcp 0 0 0.0.0.0:3690 0.0.0.0:* LISTEN 72617/svnserve

# byrd exists in LDAP and has a rule in authz, so the checkout succeeds
$ svn checkout svn://10.4.0.13/sadoc /tmp/test/ --username=byrd --password=admin
-----------------------------------------------------------------------
ATTENTION! Your password for authentication realm:

<svn://10.4.0.13:3690> fe8f0e06-a064-11e8-a9e2-71b151ac16bb

can only be stored to disk unencrypted! You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible. See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/root/.subversion/servers'.
-----------------------------------------------------------------------
Store password unencrypted (yes/no)? no
A /tmp/test/1.txt
Checked out revision 1.

# usermarkting01 authenticates against LDAP but has no rule in authz yet
$ svn checkout svn://10.4.0.13/sadoc /tmp/123/ --username=usermarkting01 --password=admin
svn: Authorization failed
$ echo "usermarkting01 = rw" >>/work/svndata/sadoc/conf/authz
$ svn checkout svn://10.4.0.13/sadoc /tmp/123/ --username=usermarkting01 --password=admin
A /tmp/123/1.txt
Checked out revision 1.
```
V. Build fix
```
Q: SASL requested but not compiled in; set 'use-sasl' to 'false' or recompile
A: --with-sasl
```
Source: Byrd's Weblog - https://note.t4x.org/service/subversion-saslauthd-auth/