Mark,

If you configure your unix/linux server to perform 'normal' ssh
authentication with LDAP then a cvs client using ssh will also use LDAP
and the SSH protocol is fairly secure. Refer to your operating system
documentation or vendor technical support for instructions on how to
configure ssh to perform LDAP authentication.

Once you have that working, if you are using a CVSNT client on Windows
(like WinCVS or TortoiseCVS) then you can use the CVSROOT connection
string :ssh:server:/repo, otherwise (non CVSNT clients, or CVSNT on
non-Windows) you use :ext:server:/repo

Alternatively if you rely heavily on 'pserver' type 'alias' users and
want to keep them then CVSNT Server is free/GPL and runs on linux/unix
and supports PAM for all protocols including SSERVER (which is a
'secure' pserver).

Regards,


Arthur Barrett


-----Original Message-----
From: info-cvs-bounces+arthur.barrett=march-***@nongnu.org
[mailto:info-cvs-bounces+arthur.barrett=march-***@nongnu.org] On
Behalf Of Risman, Mark
Sent: Tuesday, 12 May 2009 1:41 AM
To: info-***@nongnu.org
Subject: RE: CVS authentication using LDAP.



Hi,

Similar to this request, does anyone have any wisdom on
a good way to set up CVS authentication via LDAP, but in a manner which
allows the password to be secured as it travels across the network?

Currently we already have LDAP up and running, and we
use CVS version 1.11.17. I could upgrade this to a 1.12 version with PAM
support, but I'm not inclined to bother doing that until I have a
solution to the authentication issue.

In my research I came across one possibility which uses
"stunnel", which is SSL tunneling software I'm not familiar with, but
I'm wondering if anyone has had experience using this or any similar
method for CVS user authentication.

I understand this is all probably a familiar question to
everyone, but if someone could point me toward some basic information
that would help me to implement this, I would appreciate it.

Thank you,
- Mark


From: cvs admin
Subject: CVS authentication using LDAP.
Date: Wed, 29 Mar 2006 12:17:23 +0530

_____


Hi ,

In the present scenario, we have usernames/passwords stored for
each repository on the CVS system itself. We would like to use the LDAP
server for CVS authentication which stores all the Network login IDs and
passwords. This way we wouldn't have to store passwords on the server
and users will have to remember only their network/windows login
password.

For this, we might have to install some system level packages
related to PAM (which supports LDAP authentication).

So anybody have any links or docs to configure the LDAP on Red
Hat Enterprise Linux AS release 4 (Nahant Update 2)


Thanks for help in advance.

cheers
Om






**********************************************************

MLB.com: Where Baseball is Always On

________________________________

From: Arthur Barrett [mailto:***@march-hare.com]
Sent: Monday, May 11, 2009 3:29 PM
To: Risman, Mark; info-***@nongnu.org
Subject: RE: CVS authentication using LDAP.


Mark,

If you configure your unix/linux server to perform 'normal' ssh
authentication with LDAP then a cvs client using ssh will also use LDAP
and the SSH protocol is fairly secure. Refer to your operating system
documentation or vendor technical support for instructions on how to
configure ssh to perform LDAP authentication.

Once you have that working, if you are using a CVSNT client on Windows
(like WinCVS or TortoiseCVS) then you can use the CVSROOT connection
string :ssh:server:/repo, otherwise (non CVSNT clients, or CVSNT on
non-Windows) you use :ext:server:/repo

Alternatively if you rely heavily on 'pserver' type 'alias' users and
want to keep them then CVSNT Server is free/GPL and runs on linux/unix
and supports PAM for all protocols including SSERVER (which is a
'secure' pserver).

Regards,


Arthur Barrett


-----Original Message-----
From: info-cvs-bounces+arthur.barrett=march-***@nongnu.org
[mailto:info-cvs-bounces+arthur.barrett=march-***@nongnu.org] On
Behalf Of Risman, Mark
Sent: Tuesday, 12 May 2009 1:41 AM
To: info-***@nongnu.org
Subject: RE: CVS authentication using LDAP.



Hi,

Similar to this request, does anyone have any wisdom on
a good way to set up CVS authentication via LDAP, but in a manner which
allows the password to be secured as it travels across the network?

Currently we already have LDAP up and running, and we
use CVS version 1.11.17. I could upgrade this to a 1.12 version with PAM
support, but I'm not inclined to bother doing that until I have a
solution to the authentication issue.

In my research I came across one possibility which uses
"stunnel", which is SSL tunneling software I'm not familiar with, but
I'm wondering if anyone has had experience using this or any similar
method for CVS user authentication.

I understand this is all probably a familiar question to
everyone, but if someone could point me toward some basic information
that would help me to implement this, I would appreciate it.

Thank you,
- Mark


From: cvs admin
Subject: CVS authentication using LDAP.
Date: Wed, 29 Mar 2006 12:17:23 +0530

_____


Hi ,

In the present scenario, we have usernames/passwords stored for
each repository on the CVS system itself. We would like to use the LDAP
server for CVS authentication which stores all the Network login IDs and
passwords. This way we wouldn't have to store passwords on the server
and users will have to remember only their network/windows login
password.

For this, we might have to install some system level packages
related to PAM (which supports LDAP authentication).

So anybody have any links or docs to configure the LDAP on Red
Hat Enterprise Linux AS release 4 (Nahant Update 2)


Thanks for help in advance.

cheers
Om





**********************************************************

MLB.com: Where Baseball is Always On






**********************************************************

MLB.com: Where Baseball is Always On

------_=_NextPart_001_01C9D338.5E950893
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.5764" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=659181519-12052009>Arthur,</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=659181519-12052009></SPAN></FONT>&nbsp;</DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=659181519-12052009>Apologies for the key details I left out in my original
message, but it seems like you've already figured out one of them -- we have
many users currently using :pserver: and we don't want to create accounts on the
server machine for them, if we can at all avoid it. This is where I think the
CVSNT application could come in handy. Thanks very much for this
tip!</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=659181519-12052009></SPAN></FONT>&nbsp;</DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=659181519-12052009>The other key detail, though, is the fact that we're a
Solaris shop. Many of our repository users are Windows-based, and are using a
version WinCVS which already supports the CVSNT-extended authentication methods,
but our repository and some of our users are running under Solaris. Does anyone
know of any risks to using CVSNT under Solaris?

Mark,

The best place for CVSNT specific questions is the CVSNT newsgroup:
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
or
news://news.cvsnt.org/support.cvsnt

There are free/GPL builds of CVSNT for Solaris Sparc on the web site
(they are standard Solaris install packages so there is no need to build
from source). Note: use the x32 bit builds and only switch to x64 bit if
after several months you find you need the additional memory - the x32
bit builds are much easier to install and configure.

If you are mostly using CVSNT clients (WinCVS is a GUI only and 'calls'
the installed CVSNT client to actually do the 'work') then there are
advantages to using CVSNT Server including the extended protocols and
merge tracking/merge points - plus the server supports access control
lists on modules and branches, failsafe auditing, etc etc.

Regards,


Arthur Barrett



-----Original Message-----
From: Risman, Mark [mailto:***@mlb.com]
Sent: Wednesday, 13 May 2009 5:32 AM
To: Arthur Barrett; info-***@nongnu.org
Subject: RE: CVS authentication using LDAP.


Arthur,

Apologies for the key details I left out in my original message,
but it seems like you've already figured out one of them -- we have many
users currently using :pserver: and we don't want to create accounts on
the server machine for them, if we can at all avoid it. This is where I
think the CVSNT application could come in handy. Thanks very much for
this tip!

The other key detail, though, is the fact that we're a Solaris
shop. Many of our repository users are Windows-based, and are using a
version WinCVS which already supports the CVSNT-extended authentication
methods, but our repository and some of our users are running under