Gerald:

if you check the source of the Smb implementation of the module, you would
see that it performs basically the same function as NTLM. I agree with you
that it does not fit the Microsoft definition of NTLM, so it is not an NTLM
implementation. If one's purpose is to pass the protection by providing a
valid username/password pair in an NT domain, then one does not have to
follow that definition and the current Smb implementation is one of the
possible solutions.


Peter

----- Original Message -----
From: "Gerald Richter" <[EMAIL PROTECTED]>
To: "Peter Bi" <[EMAIL PROTECTED]>; "Kaye-Smith Adam"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 12:53 AM
Subject: Re: NTLM module


>
> > You may check Apache::Access module at http://modperl.home.att.net in
> > which I tried to provide a general solution to several popular
> > authentication issuers such as SMB, LDAP, IMAP, NIS, FTP, LWP and DBI etc.
> >
>
> I think you missed the point (or I misunderstood your module): The
> problem is not doing the authentication against whatever, but doing NTLM
> authentication. With NTLM auth you don't get a password from the client,
> so how would you compare the password that you don't have against "SMB,
> LDAP, IMAP, NIS, FTP, LWP and DBI etc."?
>
> The only solution is to reimplement the challenge/response that NTLM does.
> (The module Authen::Perl::NTLM may be helpful here). To do this you need
> either the password in clear text to compute the NT password hash (a sort
> of MD4 hash) or the precomputed NT password hash. You won't have this with
> LDAP, IMAP, NIS, FTP, LWP and DBI etc....
>
> Gerald
>
> -------------------------------------------------------------
> Gerald Richter    ecos electronic communication services gmbh
> Internetconnect * Webserver/-design/-datenbanken * Consulting
>
> Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
> E-Mail:     [EMAIL PROTECTED]         Voice:    +49 6133 925131
> WWW:        http://www.ecos.de      Fax:      +49 6133 925152
> -------------------------------------------------------------
>
>
> > Cheers.
> >
> >
> > Peter Bi
> >
> > ----- Original Message -----
> > From: "Gerald Richter" <[EMAIL PROTECTED]>
> > To: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Monday, August 12, 2002 9:12 PM
> > Subject: Re: NTLM module
> >
> >
> > >
> > > > According to the documentation, if you set ntlmauthoritative to off,
> > > > then if NTLM authorization fails, then it should pass it on to the
> > > > lower level modules.
> > >
> > > Yes, that's true and it works like you describe it. The point that you
> > > are missing is (and that I have tried to show in my last mail), that
> > > during NTLM authentication there is no password! NTLM never passes the
> > > password to the server, so even if control gets passed to the lower
> > > level module, this lower level module must be able to handle NTLM. The
> > > default Apache auth handler isn't able to do so. It expects a password,
> > > which it doesn't get because the client never has sent it.
> > >
> > > Hope it's a little bit more clear now
> > >
> > > Gerald
> > >
> > >
> > >
> > >
> > > I have cut out the below section from the doco which relates to the
> > > above functionality:
> > > "
> > > =head2 PerlSetVar ntlmauthoritative
> > >
> > > Setting the ntlmauthoritative directive explicitly to 'off' allows
> > > authentication to be passed on to lower level modules if AuthenNTLM
> > > cannot authenticate the user and the NTLM authentication scheme is used.
> > > If set to 'on', which is the default, AuthenNTLM will try to verify the
> > > user and if it fails will give an Authorization Required reply.
> > >
> > > =head2 PerlSetVar basicauthoritative
> > >
> > > Setting the ntlmauthoritative directive explicitly to 'off' allows
> > > authentication to be passed on to lower level modules if AuthenNTLM
> > > cannot authenticate the user and the Basic authentication scheme is used.
> > > If set to 'on', which is the default, AuthenNTLM will try to verify the
> > > user and if it fails will give an Authorization Required reply.
> > > "
> > >
> > >
> > >
> > > From the above description, I am hoping for the following events to
> > > take place:
> > >
> > > -   ntlm authentication   (if this level fails, go to next
> > >     authentication)
> > >
> > > -   basic authentication  (if this level fails, go to other
> > >     authentication systems)
> > >
> > > -   read passwords in htpasswd file  (if this fails, then access is not
> > >     granted)
> > >
> > > To enable the following behaviour, I have included the following
> > > directives in httpd.conf.
> > >
> > > -  ntlmauthoritative off
> > > -  basicauthoritative off
> > >
> > > I have also taken out the basic authentication to see if this works, ie
> > >
> > > Authtype ntlm   (not basic)
> > >
> > > But this still fails to let the htpasswd system verify access.
> > >
> > > If there are changes that need to be made to the AuthenNTLM.pm, I am
> > > not very well read in this area - are there any good references?
> > >
> > > From my novice perspective, it appears that when NTLM is included as
> > > part of the authentication, the ability for normal modules to verify
> > > access (ie htpasswd file) is no longer available, ie the perl module
> > > does not pass back what the standard modules are expecting.
> > >
> > > I am sorry to be a bit unclear in my analysis, but I am fairly new to
> > > apache & perl modules.
> > >
> > > Many Thanks
> > >
> > >
> > > Adam
> > >
> > >
> > > original email attached
> > >
> > > -----Original Message-----
> > > From: Gerald Richter [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, 12 August 2002 5:35 PM
> > > To: Kaye-Smith Adam; [EMAIL PROTECTED]
> > > Subject: Re: NTLM module
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Monday, August 12, 2002 4:51 AM
> > > Subject: NTLM module
> > >
> > >
> > > Hello ,
> > >
> > >
> > > >When I enter in an NT password it all works ok but when I use a
> > > >user/pass from the htpasswd file, the only way it will work is that I
> > > >change the above line to
> > > >
> > > >AuthType Basic                     instead of
> > > >AuthType ntlm,Basic.
> > > >
> > > >
> > > > With this change I can access passwords in htpasswd & also
> > > > authenticate from an NT server but I can no longer use NTLM.
> > >
> > > The problem is that Basic authentication requires a password from the
> > > client which can be compared against your password file. In case of
> > > NTLM auth, there is no password ever sent over the wire, so Apache
> > > doesn't have anything which it can compare against its passwd file.
> > >
> > > The solution would be to derive a class from AuthenNTLM and do the
> > > computation of the challenge and response based on the secrets in the
> > > passwd file (you would need to store MD4 hashes of your passwords
> > > somewhere). There is a module called Perl::AuthenNTLM which may be
> > > helpful in doing this task.
> > >
> > > Gerald
> > >
> > >
