I have borrowed the contents of this post with permission from the author of this link:
http://e-d20.com/?p=27
The reason I am posting it here is that this type of question is frequently asked, so here goes:
Below you will find instructions on how to authenticate Subversion users against a Microsoft Active Directory using svnserve, SASL and LDAP. I am writing this documentation for future reference by myself, and because I cannot find a good compilation of documents that adequately explains how to configure this properly.
Please note, this document is being written after two days of frustrating configuration. I apologise if everything is not absolutely accurate, but will assist as best as I can if you need help.
- Pre Setup -
Server with Ubuntu Server Edition 9.10 loaded.
- Install packages, subversion, db4.7-util, sasl2-bin, ldap-utils
sudo apt-get install subversion db4.7-util sasl2-bin ldap-utils
Configure /path/to/repository/conf/svnserve.conf (the conf directory inside your repository) to use SASL.
## svnserve.conf
[general]
## Drop access for anonymous users
anon-access = none
## Access for authorized users to write
auth-access = write
[sasl]
use-sasl = true
With the option use-sasl set to true, you're telling the svnserve daemon to use SASL as its authentication method. Now you have to tell SASL to hand the credentials to the SASL authentication daemon (saslauthd) whenever Subversion requests authentication.
Reference, http://svnbook.red-bean.com/en/1.5/svn.serverconfig.svnserve.html
The way to achieve this is to create an svn.conf or subversion.conf file (not sure which, I made svn.conf and link to subversion.conf) in a location that SASL can find. In Ubuntu Server 9.10, this location is /usr/lib/sasl2/.
Create the file, /usr/lib/sasl2/svn.conf and configure it with the following options.
#/usr/lib/sasl2/svn.conf -- might be /usr/lib/sasl2/subversion.conf not sure, make both
## Password check method, default to the SASL AUTH daemon
pwcheck_method: saslauthd
## Auxiliary property (auxprop) plugin, use ldap
auxprop_plugin: ldap
## Mechanism list. saslauthd verifies a user by binding to AD with the password itself, so the client must send it in plain text (PLAIN or LOGIN)
mech_list: PLAIN LOGIN
## Not sure if this is required… but I kept it in
ldapdb_mech: PLAIN LOGIN
Now you need to configure the SASL Auth Daemon to use LDAP. The file is located at /etc/default/saslauthd .
You only need to modify one variable here, MECHANISMS.
# /etc/default/saslauthd
MECHANISMS="ldap"
Finally, configure saslauthd to connect to your Active Directory. You'll need to create the file /etc/saslauthd.conf.
Reference, http://www.opensource.apple.com/source/passwordserver_sasl/passwordserver_sasl-159/cyrus_sasl/saslauthd/LDAP_SASLAUTHD
#/etc/saslauthd.conf
## URL for the Active Directory
ldap_servers: ldap://ad.example.com
## Not sure why exactly, but yes doesn't work… so no.
ldap_use_sasl: no
## Bind DN (Distinguished Name) of the user you want to bind to the AD as
ldap_bind_dn: CN=Bind User,OU=AdminGroup,DC=ad,DC=example,DC=com
## Password to the above user
ldap_password: password
## Sends passwords as plain text to AD to authenticate
ldap_mech: PLAIN
## Auth Method = Bind as specified user, and search for users in the AD
ldap_auth_method: bind
## Filter for users. %U is the user part of the login name (for user@example.com, sAMAccountName=user)
ldap_filter: sAMAccountName=%U
## Specify search base
ldap_search_base: OU=Users,DC=ad,DC=example,DC=com
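The configuration above leaves two things a reviewer would flag: every user password, and the bind password, cross the network in a simple bind over plain ldap:// (ldap_start_tls defaults to no), and the bind password sits in clear text on disk. As an added example that is not part of the original post, this Python script parses a saslauthd.conf in the "key: value" format used above and reports those weaknesses, comparing the post's file with a hardened variant that uses ldaps:// plus the ldap_tls_check_peer and ldap_tls_cacert_file options documented in the LDAP_SASLAUTHD reference linked above. Both config strings are constructed here; the CA file path is an assumed placeholder.

```python
"""Audit a saslauthd LDAP configuration for cleartext-transport and on-disk credential issues.
Added example; not code from the original post or from the saslauthd project."""
from urllib.parse import urlsplit

# Constructed input: /etc/saslauthd.conf as the post configures it.
POST_CONF = """\
## URL for the Active Directory
ldap_servers: ldap://ad.example.com
ldap_use_sasl: no
ldap_bind_dn: CN=Bind User,OU=AdminGroup,DC=ad,DC=example,DC=com
ldap_password: password
ldap_mech: PLAIN
ldap_auth_method: bind
ldap_filter: sAMAccountName=%U
ldap_search_base: OU=Users,DC=ad,DC=example,DC=com
"""

# Constructed: the same file with the LDAP transport hardened. ldap_tls_check_peer and
# ldap_tls_cacert_file are real saslauthd options; the CA path is an assumed placeholder.
HARDENED_CONF = """\
ldap_servers: ldaps://ad.example.com
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/ad-root-ca.pem
ldap_bind_dn: CN=Bind User,OU=AdminGroup,DC=ad,DC=example,DC=com
ldap_password: password
ldap_auth_method: bind
ldap_filter: sAMAccountName=%U
ldap_search_base: OU=Users,DC=ad,DC=example,DC=com
"""


def parse_saslauthd_conf(text):
    """One 'key: value' per line; lines whose first character is '#' are comments.
    Only a leading '#' is treated as a comment so a '#' inside ldap_password survives."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed saslauthd.conf line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return (severity, message) findings; 'high' means passwords cross the network in clear."""
    findings = []
    servers = conf.get("ldap_servers", "").split()
    start_tls = conf.get("ldap_start_tls", "no").lower() == "yes"
    check_peer = conf.get("ldap_tls_check_peer", "no").lower() == "yes"
    for url in servers:
        scheme = urlsplit(url).scheme.lower()
        if scheme == "ldap" and not start_tls:
            # ldap_auth_method: bind makes saslauthd bind with each user's password as well
            # as with ldap_password; without TLS both travel unencrypted.
            findings.append(("high", f"{url}: simple bind over cleartext LDAP "
                                     "(use ldaps:// or ldap_start_tls: yes)"))
        elif (scheme == "ldaps" or start_tls) and not check_peer:
            # TLS without certificate verification protects against passive sniffing only.
            findings.append(("medium", f"{url}: TLS without ldap_tls_check_peer: yes, "
                                       "the AD certificate is not verified"))
    if "ldap_password" in conf:
        findings.append(("info", "ldap_password keeps the bind account's password on disk: "
                                 "root-owned, mode 0600, read-only bind account"))
    return findings


if __name__ == "__main__":
    for name, text in (("post", POST_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, message in audit(parse_saslauthd_conf(text)):
            print(f"[{severity}] {message}")
```

This checks only the svnserve-to-AD leg. PLAIN and LOGIN provide no SASL security layer, so the svn:// connection from the client to svnserve also carries the password in clear text unless that connection is tunnelled (for example svn+ssh://).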
You can test this setup by running saslauthd in the foreground in debug mode,
saslauthd -a ldap -d
Authentication and authorization messages are logged to,
/var/log/auth.log
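Once saslauthd is in service, the auth.log lines it writes are also the place to watch for password guessing against the svn:// service. As an added example that is not part of the original post, the Python below parses constructed log lines in the shape saslauthd writes ("do_auth : auth success|failure: [user=..] [service=..] [realm=..] [mech=..]"), tallies results per user, and flags users with a burst of failures inside a sliding time window. The sample lines, the host name and the year supplied for the syslog timestamps are constructed.

```python
"""Summarise saslauthd results from auth.log and flag failure bursts per user.
Added example; not code from the original post or the saslauthd project."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: syslog lines as saslauthd writes them, plus one unrelated sshd line.
SAMPLE_LOG = """\
Nov  3 10:15:01 svnhost saslauthd[1234]: do_auth         : auth success: [user=alice] [service=svn] [realm=] [mech=ldap]
Nov  3 10:15:05 svnhost saslauthd[1234]: do_auth         : auth failure: [user=bob] [service=svn] [realm=] [mech=ldap] [reason=Unknown]
Nov  3 10:15:06 svnhost saslauthd[1234]: do_auth         : auth failure: [user=bob] [service=svn] [realm=] [mech=ldap] [reason=Unknown]
Nov  3 10:15:07 svnhost saslauthd[1234]: do_auth         : auth failure: [user=bob] [service=svn] [realm=] [mech=ldap] [reason=Unknown]
Nov  3 10:15:08 svnhost saslauthd[1234]: do_auth         : auth failure: [user=bob] [service=svn] [realm=] [mech=ldap] [reason=Unknown]
Nov  3 10:16:00 svnhost saslauthd[1234]: do_auth         : auth failure: [user=carol] [service=svn] [realm=] [mech=ldap] [reason=Unknown]
Nov  3 10:16:30 svnhost saslauthd[1234]: do_auth         : auth success: [user=carol] [service=svn] [realm=] [mech=ldap]
Nov  3 10:17:00 svnhost sshd[999]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: do_auth\s*: "
    r"auth (?P<result>success|failure): \[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\]"
)


def parse_events(text, year=2009):
    """Return a list of (timestamp, user, service, ok) for saslauthd lines; other lines are skipped.
    syslog timestamps carry no year, so the caller supplies one (2009 is a constructed default)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["service"], m["result"] == "success"))
    return events


def per_user_counts(events):
    """Map user -> (successes, failures)."""
    counts = defaultdict(lambda: [0, 0])
    for _ts, user, _service, ok in events:
        counts[user][0 if ok else 1] += 1
    return {user: tuple(c) for user, c in counts.items()}


def failure_bursts(events, threshold=3, window_seconds=60):
    """Map user -> size of the largest run of failures that fits in window_seconds,
    for users whose largest run reaches threshold (sliding window over sorted times)."""
    per_user = defaultdict(list)
    for ts, user, _service, ok in events:
        if not ok:
            per_user[user].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[user] = max(flagged.get(user, 0), size)
    return flagged


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for user, (ok, failed) in sorted(per_user_counts(ev).items()):
        print(f"{user}: {ok} ok, {failed} failed")
    print("bursts:", failure_bursts(ev))
```

saslauthd logs do not include the client address, since the connecting process is the local svnserve; correlate the flagged user with the svnserve or firewall logs for the source.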
If you are having problems connecting to your AD, I suggest connecting with ldapsearch first, using the same bind DN, password and search base as in saslauthd.conf, then adjusting your saslauthd.conf file once that works.
ldapsearch -x -H ldap://ad.example.com/ \
  -D "CN=Bind User,OU=AdminGroup,DC=ad,DC=example,DC=com" \
  -w password \
  -b "OU=Users,DC=ad,DC=example,DC=com" \
  "(sAMAccountName=userToTest)"
Good luck.
August 8th, 2007