You may check Apache::Access module at http://modperl.home.att.net in which
I tried to provide a general solution to several popular authentication
issues such as SMB, LDAP, IMAP, NIS, FTP, LWP and DBI etc.

Cheers.


Peter Bi

----- Original Message -----
From: "Gerald Richter" <[EMAIL PROTECTED]>
To: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, August 12, 2002 9:12 PM
Subject: Re: NTLM module


>
> >According to the documentation, if you set NTMLauthoritative to off,
> >then if NTLM authorization fails, then it should pass it on to the lower
> >level modules.
>
> Yes, that's true and it works like you describe it. The point that you are
> missing is (and that I have tried to show in my last mail), that during NTLM
> authentication there is no password! NTLM never passes the password to the
> server, so even when control gets passed to the lower level module, this
> lower level module must be able to handle NTLM. The default Apache auth
> handler isn't able to do so. It expects a password, which it doesn't get
> because the client has never sent it.
>
> Hope it's a little bit more clear now
>
> Gerald
>
> -------------------------------------------------------------
> Gerald Richter    ecos electronic communication services gmbh
> Internetconnect * Webserver/-design/-datenbanken * Consulting
>
> Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
> E-Mail:     [EMAIL PROTECTED]         Voice:    +49 6133 925131
> WWW:        http://www.ecos.de      Fax:      +49 6133 925152
> -------------------------------------------------------------
>
>
>
>  I have cut out the below section from the doco which
> relates to the above functionality :
> "
> =head2 PerlSetVar ntlmauthoritative
>
> Setting the ntlmauthoritative directive explicitly to 'off' allows authentication
> to be passed on to lower level modules if AuthenNTLM cannot authenticate
> the user and the NTLM authentication scheme is used.
> If set to 'on', which is the default, AuthenNTLM will try to verify the
> user and if it fails will give an Authorization Required reply.
>
> =head2 PerlSetVar basicauthoritative
>
> Setting the ntlmauthoritative directive explicitly to 'off' allows authentication
> to be passed on to lower level modules if AuthenNTLM cannot authenticate
> the user and the Basic authentication scheme is used.
> If set to 'on', which is the default, AuthenNTLM will try to verify the
> user and if it fails will give an Authorization Required reply.
> "
>
>
>
> From the above description, I am hoping for the following events to take
> place
>
>
> -   ntlm authentication   (if this level fails, go to next authentication)
>
> -   basic authentication  (if this level fails, go to other
> authentication systems)
>
> -   read passwords in htpasswd file  ( if this fails, then access not
> granted)
>
>
> To enable the following behaviour, I have included the following
> directives in httpd.conf.
>
> -  ntlmauthoritative off
> -  basicauthoritative off
>
>
> I have also taken out the basic authentication to see if this works ie
>
> Authtype ntlm   (not basic)
>
> But this still fails to allow the htpasswd system to verify access.
>
>
>
> If there are changes that need to be made to the AuthenNTLM.pm, I am
> not very well read in this area - are there any good references.
>
> From my novice perspective, it appears that when NTLM is included as
> part of the authentication, the ability for normal modules to verify
> access (ie htpasswd file) is no longer available ie the perl module does
> not pass back what the standard modules are expecting.
>
> I am sorry to be a bit unclear in my analysis, but I am fairly new to
> apache & perl modules.
>
>
> Many Thanks
>
>
> Adam
>
>
> original email attached
>
> -----Original Message-----
> From: Gerald Richter [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 12 August 2002 5:35 PM
> To: Kaye-Smith Adam; [EMAIL PROTECTED]
> Subject: Re: NTLM module
>
>
>
> ----- Original Message -----
> From: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, August 12, 2002 4:51 AM
> Subject: NTLM module
>
>
> Hello,
>
>
> >When I enter in an NT password it all works ok but when I use a
> >user/pass from the htpasswd file, the only way it will work is that I
> >change the above line to
> >
> >AuthType Basic                     instead of
> >AuthType ntlm,Basic.
> >
> >
> >With this change I can access passwords in htpasswd & also authenticate
> >from an NT server but I can no longer use NTLM.
>
> The problem is that Basic authentication requires a password from the client
> which can be compared against your password file. In case of NTLM auth,
> there is no password ever sent over the wire, so Apache doesn't have
> anything which it can compare against its passwd file.
>
> The solution would be to derive a class from AuthenNTLM and do the
> computation of the challenge and response based on the secrets in the passwd
> file (you would need to store MD4 hashes of your passwords somewhere). There
> is a module called Perl::AuthenNTLM which may be helpful in doing this
> task.
>
> Gerald
>
