You may check Apache::Access module at http://modperl.home.att.net in which I tried to provide a general solution to several popular authentication issuers such as SMB, LDAP, IMAP, NIS, FTP, LWP and DBI etc.
Cheers.
Peter Bi

----- Original Message -----
From: "Gerald Richter" <[EMAIL PROTECTED]>
To: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, August 12, 2002 9:12 PM
Subject: Re: NTLM module

> >According to the documentation, if you set NTLMauthoritative to off,
> >then if NTLM authorization fails, then it should pass it on to the lower
> >level modules.
>
> Yes, that's true and it works like you describe it. The point that you are
> missing is (and that I have tried to show in my last mail), that during NTLM
> authentication there is no password! NTLM never passes the password to the
> server, so also the control gets passed to the lower level module, this
> lower level module must be able to handle NTLM. The default Apache auth
> handler isn't able to do so. It expects a password, which it doesn't get
> because the client never has sent it.
>
> Hope it's a little bit more clear now
>
> Gerald
>
> -------------------------------------------------------------
> Gerald Richter    ecos electronic communication services gmbh
> Internetconnect * Webserver/-design/-datenbanken * Consulting
>
> Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
> E-Mail:     [EMAIL PROTECTED]         Voice:    +49 6133 925131
> WWW:        http://www.ecos.de      Fax:      +49 6133 925152
> -------------------------------------------------------------
>
> I have cut out the below section from the doco which
> relates to the above functionality :
> "
> =head2 PerlSetVar ntlmauthoritative
>
> Setting the ntlmauthoritative directive explicitly to 'off' allows
> authentication to be passed on to lower level modules if AuthenNTLM
> cannot authenticate the user and the NTLM authentication scheme is used.
> If set to 'on', which is the default, AuthenNTLM will try to verify the
> user and if it fails will give an Authorization Required reply.
>
> =head2 PerlSetVar basicauthoritative
>
> Setting the ntlmauthoritative directive explicitly to 'off' allows
> authentication to be passed on to lower level modules if AuthenNTLM
> cannot authenticate the user and the Basic authentication scheme is used.
> If set to 'on', which is the default, AuthenNTLM will try to verify the
> user and if it fails will give an Authorization Required reply.
> "
>
> From the above description, I am hoping for the following events to take
> place
>
> - ntlm authentication (if fail this level go to next authentication)
>
> - basic authentication (if fails this level go to other
>   authentication systems)
>
> - read passwords in htpasswd file (if this fails, then access not
>   granted)
>
> To enable the following behaviour, I have included the following
> directives in httpd.conf.
>
> - ntlmauthoritative off
> - basicauthoritative off
>
> I have also taken out the basic authentication to see if this works ie
>
> Authtype ntlm (not basic)
>
> But this still does fail & allow the htpasswd system to verify access.
>
> If there are changes that need to be made to the AuthenNTLM.pm, I am
> not very well read in this area - are there any good references.
>
> From my novice perspective, it appears that when NTLM is included as
> part of the authentication, the ability for normal modules to verify
> access (ie htpasswd file) is no longer available ie the perl module does
> not pass back what the standard modules are expecting.
>
> I am sorry to be a bit unclear in my analysis, but I am fairly new to
> apache & perl modules.
>
> Many Thanks
>
> Adam
>
> original email attached
>
> -----Original Message-----
> From: Gerald Richter [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 12 August 2002 5:35 PM
> To: Kaye-Smith Adam; [EMAIL PROTECTED]
> Subject: Re: NTLM module
>
> ----- Original Message -----
> From: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, August 12, 2002 4:51 AM
> Subject: NTLM module
>
> Hello,
>
> >When I enter in an NT password it all works ok but when I use a
> >user/pass from the htpasswd file, the only way it will work is that I
> >change the above line to
> >
> >AuthType Basic instead of
> >AuthType ntlm,Basic.
> >
> >With this change I can access passwords in htpasswd & also authenticate
> >from an NT server but I can no longer use NTLM.
>
> The problem is that Basic authentication requires a password from the
> client which can be compared against your password file. In case of NTLM
> auth, there is no password ever sent over the wire, so Apache doesn't have
> anything which it can compare against its passwd file.
>
> The solution would be to derive a class from AuthenNTLM and do the
> computation of the challenge and response based on the secrets in the
> passwd file (you would need to store MD4 hashes of your passwords
> somewhere). There is a module called Perl::AuthenNTLM which may be
> helpful in doing this task.
>
> Gerald
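
Added example, not part of the thread and not code from AuthenNTLM: it parses a Basic and an NTLM Type 3 `Authorization` header to show what an htpasswd-based fallback handler actually receives in each case. The function names, the sample user and password, and the all-zero NT response are constructed for illustration; the Type 3 parser assumes Unicode strings were negotiated.

```python
import base64, hashlib, struct
NTLMSSP = b"NTLMSSP\x00"

def read_buf(msg, pos):
    # NTLM security buffer: length (2), allocated (2), offset (4), little-endian
    length, _, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]

def parse_authorization(header):
    """Return the credentials a lower-level handler would actually receive."""
    scheme, _, blob = header.partition(" ")
    raw = base64.b64decode(blob)
    if scheme.lower() == "basic":
        user, _, password = raw.decode("utf-8").partition(":")
        return {"scheme": "Basic", "user": user, "password": password}
    if scheme.lower() == "ntlm" and raw.startswith(NTLMSSP):
        info = {"scheme": "NTLM", "password": None}
        info["type"] = struct.unpack_from("<I", raw, 8)[0]
        if info["type"] == 3:  # final client message: responses only, no password
            info["nt_response"] = read_buf(raw, 20)
            info["user"] = read_buf(raw, 36).decode("utf-16-le")  # assumes Unicode
        return info
    raise ValueError("unsupported Authorization header")

def htpasswd_sha_ok(entry, user, password):
    # htpasswd {SHA} format (htpasswd -s); unsalted, chosen only to stay stdlib-only
    name, _, stored = entry.partition(":")
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return name == user and stored == "{SHA}" + digest

def fallback_auth(header, entry):
    # Decision an htpasswd-based fallback handler can reach for this request
    cred = parse_authorization(header)
    if cred["password"] is None:
        return "no password received"
    return "granted" if htpasswd_sha_ok(entry, cred["user"], cred["password"]) else "denied"

def build_type3(user, nt_response):
    # Constructed sample: minimal Type 3 with empty LM, domain, workstation, session key
    u, head = user.encode("utf-16-le"), 64  # 64 = signature + type + 6 buffers + flags
    sizes = [(0, head), (len(nt_response), head), (0, head),
             (len(u), head + len(nt_response)), (0, head), (0, head)]
    bufs = b"".join(struct.pack("<HHI", n, n, off) for n, off in sizes)
    return NTLMSSP + struct.pack("<I", 3) + bufs + struct.pack("<I", 0) + nt_response + u

# Constructed sample data, not taken from the thread
ENTRY = "adam:{SHA}" + base64.b64encode(hashlib.sha1(b"s3cret").digest()).decode()
BASIC = "Basic " + base64.b64encode(b"adam:s3cret").decode()
NTLM3 = "NTLM " + base64.b64encode(build_type3("adam", bytes(24))).decode()
```

`fallback_auth(BASIC, ENTRY)` can reach a decision, while `fallback_auth(NTLM3, ENTRY)` has only a user name and a 24-byte response, which a password hash in an htpasswd file cannot be compared against.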