| Log Message: |
Stop assuming that built-in TLS support is the only way to secure the
PLAIN and LOGIN mechanisms of SASL. Until svnserve gains TLS support,
people can secure plaintext data by other means, such as VPNs, stunnel, etc.
This should allow people to deploy LDAP authentication with svnserve
in combination with saslauthd, as advertised by The Book. But it's the
user's responsibility to make sure plaintext passwords aren't leaked
to the network. The Book might need an update to reflect this, too.
See also the following post to users@:
Date: Mon, 15 Jun 2009 17:36:06 +0200
From: Johan Corveleyn <johan.corveleyn@uz.kuleuven.ac.be>
To: "'info@pablorizzo.com'" <info@pablorizzo.com>,
users@subversion.tigris.org
Message-ID: \
<418BAA076B16DE418457B37BEA508613507F6171ED@EX2007-MBX-1.uz.kuleuven.ac.be>
Subject: RE: How to authenticate Subversion with SASL2 + LDAP
http://svn.haxx.se/users/archive-2009-06/0536.shtml
* subversion/libsvn_ra_svn/cyrus_auth.c,
subversion/svnserve/cyrus_auth.c
(new_sasl_ctx, cyrus_auth_request): Don't set SASL_SEC_NOPLAINTEXT.
* notes/sasl.txt: Update to reflect change in behaviour.
|
subversion/trunk/notes/sasl.txt