>According to the documentation, if you set NTLMauthoritative to off,
>then if NTLM authorization fails, then it should pass it on to the lower
>level modules.

Yes, that's true and it works like you describe it. The point that you are
missing is (and that I have tried to show in my last mail), that during NTLM
authentication there is no password! NTLM never passes the password to the
server, so also the control gets passed to the lower level module, this
lower level module must be able to handle NTLM. The default Apache auth
handler isn't able to do so. It expects a password, which it doesn't get
because the client never has sent it.

Hope it's a little bit more clear now

Gerald

-------------------------------------------------------------
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     [EMAIL PROTECTED]         Voice:    +49 6133 925131
WWW:        http://www.ecos.de      Fax:      +49 6133 925152
-------------------------------------------------------------
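
The difference described in the reply above, as an added example that is not part of the thread or of AuthenNTLM: it decodes an Authorization header the way a lower level handler would see it and reports whether any password is present to compare against an htpasswd file. The function names and sample values are constructed for illustration; the field offsets are those of the NTLM type 3 (authenticate) message.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"

def _field(msg, off):
    # NTLM security buffer: length (u16), max length (u16), payload offset (u32)
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    return msg[start:start + length]

def describe_authorization(header):
    """Return what a password-checking handler could take from the header."""
    scheme, _, blob = header.partition(" ")
    raw = base64.b64decode(blob.strip())
    if scheme.lower() == "basic":
        user, _, password = raw.decode("latin-1").partition(":")
        return {"scheme": "Basic", "user": user, "password": password}
    if scheme.lower() != "ntlm":
        raise ValueError("unsupported scheme")
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", raw, 8)
    info = {"scheme": "NTLM", "message_type": mtype, "password": None}
    if mtype == 3 and len(raw) >= 64:
        (flags,) = struct.unpack_from("<I", raw, 60)
        enc = "utf-16-le" if flags & 0x1 else "latin-1"
        info["domain"] = _field(raw, 28).decode(enc)
        info["user"] = _field(raw, 36).decode(enc)
        # The client sends only a response derived from its hash and the challenge
        info["nt_response_len"] = len(_field(raw, 20))
    return info

def build_sample_type3(user, domain, nt_response):
    # Constructed type 3 message: LM, NT, domain, user, workstation, session key
    parts = [b"\x00" * 24, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), b"", b""]
    bufs, payload, offset = b"", b"", 64
    for p in parts:
        bufs += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    msg = NTLMSSP + struct.pack("<I", 3) + bufs + struct.pack("<I", 0x1) + payload
    return "NTLM " + base64.b64encode(msg).decode()

BASIC_SAMPLE = "Basic " + base64.b64encode(b"adam:secret").decode()  # constructed
NTLM_SAMPLE = build_sample_type3("adam", "CORP", bytes(range(24)))   # constructed

if __name__ == "__main__":
    print(describe_authorization(BASIC_SAMPLE))
    print(describe_authorization(NTLM_SAMPLE))
```
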



I have cut out the below section from the doco which
relates to the above functionality:
"
=head2 PerlSetVar ntlmauthoritative

Setting the ntlmauthoritative directive explicitly to 'off' allows
authentication to be passed on to lower level modules if AuthenNTLM
cannot authenticate the user and the NTLM authentication scheme is used.
If set to 'on', which is the default, AuthenNTLM will try to verify the
user and if it fails will give an Authorization Required reply.

=head2 PerlSetVar basicauthoritative

Setting the ntlmauthoritative directive explicitly to 'off' allows
authentication to be passed on to lower level modules if AuthenNTLM
cannot authenticate the user and the Basic authentication scheme is used.
If set to 'on', which is the default, AuthenNTLM will try to verify the
user and if it fails will give an Authorization Required reply.
"



From the above description, I am hoping for the following events to take
place

-   ntlm authentication   (if fail this level go to next authentication)

-   basic authentication  (if fails this level go to other authentication systems)

-   read passwords in htpasswd file  (if this fails, then access not granted)




To enable the following behaviour, I have included the following
directives in httpd.conf.

-  ntlmauthoritative off
-  basicauthoritative off


I have also taken out the basic authentication to see if this works ie

Authtype ntlm   (not basic)

But this still does fail & allow the htpasswd system to verify access.



If there are changes that need to be made to the AuthenNTLM.pm, I am
not very well read in this area - are there any good references?

From my novice perspective, it appears that when NTLM is included as
part of the authentication, the ability for normal modules to verify
access (ie htpasswd file) is no longer available ie the perl module does
not pass back what the standard modules are expecting.

I am sorry to be a bit unclear in my analysis, but I am fairly new to
apache & perl modules.


Many Thanks


Adam


original email attached









-----Original Message-----
From: Gerald Richter [mailto:[EMAIL PROTECTED]]
Sent: Monday, 12 August 2002 5:35 PM
To: Kaye-Smith Adam; [EMAIL PROTECTED]
Subject: Re: NTLM module



----- Original Message -----
From: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 12, 2002 4:51 AM
Subject: NTLM module


Hello ,


>When I enter in an NT password it all works ok but when I use a
>user/pass from the htpasswd file, the only way it will work is that I
>change the above line to
>
>AuthType Basic                     instead of
>AuthType ntlm,Basic.
>
>
>With this change I can access passwords in htpasswd & also authenticate
>from an NT server but I can no longer use NTLM.

The problem is that Basic authentication requires a password from the
client which can be compared against your password file. In case of NTLM
auth, there is no password ever sent over the wire, so Apache doesn't have
anything which it can compare against its passwd file.

The solution would be to derive a class from AuthenNTLM and do the
computation of the challenge and response based on the secrets in the
passwd file (you would need to store MD4 hashes of your passwords
somewhere). There is a module called Perl::AuthenNTLM which may be helpful
in doing this task.

Gerald

