I'm working on single-sign-on support for NTLM, where we don't actually
*know* the password, but just delegate the whole challenge/response
thing to a helper program.
That helper program is /usr/bin/ntlm_auth; the only current
implementation is the Samba one which works when you've logged into the
system using your Windows password and pam_winbind, but we're working on
a less baroque version that works {like,with} gnome-keyring, and there's
a simple hack at http://david.woodhou.se/ntlm_auth_v2.c for testing.
So I need a way to indicate that the authentication mechanism should be
tried once *without* a password, and then if that fails we should try
providing a password.
Thus the patch below. Anyone got a better suggestion for how to handle
it? A patch to actually use this facility in the NTLM authenticator will
follow, of course...
One alternative approach might be to to stop letting the authenticators
look at service->url->passwd, and instead have an 'authenticate' signal
on the CamelSasl object, much the same way as libsoup does it.
But then I think we'd still have to have the users know somehow if that
authenticate signal had been called on the first attempt, to know when
to set the CAMEL_SESSION_PASSWORD_REPROMPT flag, etc. I suspect it would
be a lot of extra work for something that doesn't really end up looking
any prettier by the time it's working.
Hence the 'try_empty_password' flag, which is relatively simple.
Comments?
commit b1787a5f85cdc1e46fb6ccf0c57134fc34f4e12e
Author: David Woodhouse <david.woodho...@intel.com>
Date: Fri Apr 1 23:25:05 2011 +0100
Add 'try_empty_password' flag to CamelServiceAuthType
NTLM will be use this, to support single-sign-on using /usr/bin/ntlm_auth
diff --git a/camel/camel-sasl-anonymous.c b/camel/camel-sasl-anonymous.c
index dbbb500..850b1ea 100644
--- a/camel/camel-sasl-anonymous.c
+++ b/camel/camel-sasl-anonymous.c
@@ -37,6 +37,7 @@ CamelServiceAuthType camel_sasl_anonymous_authtype = {
N_("This option will connect to the server using an anonymous login."),
"ANONYMOUS",
+ FALSE,
FALSE
};
diff --git a/camel/camel-sasl-cram-md5.c b/camel/camel-sasl-cram-md5.c
index ae4bb16..54f9daa 100644
--- a/camel/camel-sasl-cram-md5.c
+++ b/camel/camel-sasl-cram-md5.c
@@ -48,6 +48,7 @@ CamelServiceAuthType camel_sasl_cram_md5_authtype = {
"secure CRAM-MD5 password, if the server supports it."),
"CRAM-MD5",
+ FALSE,
TRUE
};
diff --git a/camel/camel-sasl-digest-md5.c b/camel/camel-sasl-digest-md5.c
index ae12f7b..384f216 100644
--- a/camel/camel-sasl-digest-md5.c
+++ b/camel/camel-sasl-digest-md5.c
@@ -61,6 +61,7 @@ CamelServiceAuthType camel_sasl_digest_md5_authtype = {
"secure DIGEST-MD5 password, if the server supports it."),
"DIGEST-MD5",
+ FALSE,
TRUE
};
diff --git a/camel/camel-sasl-gssapi.c b/camel/camel-sasl-gssapi.c
index 61b3404..832c128 100644
--- a/camel/camel-sasl-gssapi.c
+++ b/camel/camel-sasl-gssapi.c
@@ -93,6 +93,7 @@ CamelServiceAuthType camel_sasl_gssapi_authtype = {
"Kerberos 5 authentication."),
"GSSAPI",
+ FALSE,
FALSE
};
diff --git a/camel/camel-sasl-login.c b/camel/camel-sasl-login.c
index de3aba4..465a8f7 100644
--- a/camel/camel-sasl-login.c
+++ b/camel/camel-sasl-login.c
@@ -42,6 +42,7 @@ CamelServiceAuthType camel_sasl_login_authtype = {
"simple password."),
"LOGIN",
+ FALSE,
TRUE
};
diff --git a/camel/camel-sasl-ntlm.c b/camel/camel-sasl-ntlm.c
index 6d2313a..a285214 100644
--- a/camel/camel-sasl-ntlm.c
+++ b/camel/camel-sasl-ntlm.c
@@ -44,6 +44,7 @@ CamelServiceAuthType camel_sasl_ntlm_authtype = {
"NTLM / Secure Password Authentication."),
"NTLM",
+ FALSE,
TRUE
};
diff --git a/camel/camel-sasl-plain.c b/camel/camel-sasl-plain.c
index e27a6b9..5b1845d 100644
--- a/camel/camel-sasl-plain.c
+++ b/camel/camel-sasl-plain.c
@@ -46,6 +46,7 @@ CamelServiceAuthType camel_sasl_plain_authtype = {
"simple password."),
"PLAIN",
+ FALSE,
TRUE
};
diff --git a/camel/camel-sasl-popb4smtp.c b/camel/camel-sasl-popb4smtp.c
index 043291b..00ef7ff 100644
--- a/camel/camel-sasl-popb4smtp.c
+++ b/camel/camel-sasl-popb4smtp.c
@@ -49,6 +49,7 @@ CamelServiceAuthType camel_sasl_popb4smtp_authtype = {
"POPB4SMTP",
FALSE,
+ FALSE,
};
/* last time the pop was accessed (through the auth method anyway), *time_t */
diff --git a/camel/camel-service.h b/camel/camel-service.h
index d1efa89..35cf1a9 100644
--- a/camel/camel-service.h
+++ b/camel/camel-service.h
@@ -137,6 +137,7 @@ typedef struct {
const gchar *description;
const gchar *authproto;
+ gboolean try_empty_password;
gboolean need_password; /* needs a password to authenticate */
} CamelServiceAuthType;
diff --git a/camel/providers/imap/camel-imap-store.c
b/camel/providers/imap/camel-imap-store.c
index d241ee5..83188db 100644
--- a/camel/providers/imap/camel-imap-store.c
+++ b/camel/providers/imap/camel-imap-store.c
@@ -1143,9 +1143,9 @@ imap_auth_loop (CamelService *service, GError **error)
return FALSE;
}
- if (!authtype->need_password) {
+ if (!authtype->need_password || authtype->try_empty_password) {
authenticated = try_auth (store, authtype->authproto,
error);
- if (!authenticated)
+ if (!authtype->try_empty_password && !authenticated)
return FALSE;
}
}
diff --git a/camel/providers/imapx/camel-imapx-server.c
b/camel/providers/imapx/camel-imapx-server.c
index 179252d..78ea5a9 100644
--- a/camel/providers/imapx/camel-imapx-server.c
+++ b/camel/providers/imapx/camel-imapx-server.c
@@ -2968,9 +2968,14 @@ imapx_reconnect (CamelIMAPXServer *is, GError **error)
gboolean authenticated = FALSE;
CamelServiceAuthType *authtype = NULL;
guint32 prompt_flags = CAMEL_SESSION_PASSWORD_SECRET;
+ gboolean need_password = TRUE;
while (!authenticated) {
- if (errbuf) {
+ if (authtype && authtype->try_empty_password && !need_password)
{
+ need_password = TRUE;
+ g_free (errbuf);
+ errbuf = NULL;
+ } else if (errbuf) {
/* We need to un-cache the password before prompting
again */
prompt_flags |= CAMEL_SESSION_PASSWORD_REPROMPT;
g_free (service->url->passwd);
@@ -3004,9 +3009,12 @@ imapx_reconnect (CamelIMAPXServer *is, GError **error)
service->url->authmech);
goto exception;
}
+
+ if (authtype->try_empty_password ||
!authtype->need_password)
+ need_password = FALSE;
}
- if (service->url->passwd == NULL && (!authtype ||
authtype->need_password)) {
+ if (need_password && service->url->passwd == NULL) {
gchar *base_prompt;
gchar *full_prompt;
diff --git a/camel/providers/smtp/camel-smtp-transport.c
b/camel/providers/smtp/camel-smtp-transport.c
index 9f927ee..9d49ae9 100644
--- a/camel/providers/smtp/camel-smtp-transport.c
+++ b/camel/providers/smtp/camel-smtp-transport.c
@@ -465,12 +465,12 @@ smtp_connect (CamelService *service, GError **error)
return FALSE;
}
- if (!authtype->need_password) {
+ if (!authtype->need_password || authtype->try_empty_password) {
/* authentication mechanism doesn't need a password,
so if it fails there's nothing we can do */
authenticated = smtp_auth (
transport, authtype->authproto, error);
- if (!authenticated) {
+ if (!authtype->try_empty_password && !authenticated) {
camel_service_disconnect (service, TRUE, NULL);
return FALSE;
}
--
dwmw2
_______________________________________________
evolution-hackers mailing list
evolution-hackers@gnome.org
To change your list options or unsubscribe, visit ...
http://mail.gnome.org/mailman/listinfo/evolution-hackers
