> You may check Apache::Access module at http://modperl.home.att.net in
which
> I tried to provide a general solution to several popular authentication
> issuers such as SMB, LDAP, IMAP, NIS, FTP, LWP and DBI etc.
>
I think you missed the point (or I missunderstood your module): The problem
is not doing the authentication against whatever, but doing NTLM
authetication. With NTLM auth you don't get a password from the client, so
how would compare the password that you don't have against "SMB, LDAP, IMAP,
NIS, FTP, LWP and DBI etc." ?
The only solution is to reimplement the challage/response that NTLM does.
(The module Authen::Perl::NTLM maybe helpfull here). To do this you need
either the password in clear text to compute the nt password hash (a sort of
md4 hash) or the precomputed nt password hash. You won't have this with
LDAP, IMAP, NIS, FTP, LWP and DBI etc....
Gerald
-------------------------------------------------------------
Gerald Richter ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting
Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: [EMAIL PROTECTED] Voice: +49 6133 925131
WWW: http://www.ecos.de Fax: +49 6133 925152
-------------------------------------------------------------
> Cheers.
>
>
> Peter Bi
>
> ----- Original Message -----
> From: "Gerald Richter" <[EMAIL PROTECTED]>
> To: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Monday, August 12, 2002 9:12 PM
> Subject: Re: NTLM module
>
>
> >
> > >According to the documentation, if you set NTMLauthoritative to off,
> > >then if NTLM authorization fails, then it should pass it on to the
lower
> > >level modules.
> >
> > Yes, that's true and it works like you describe it. The point that you
are
> > missing is (and that I have tried to show in my last mail), that during
> NTLM
> > authentication there is no password! NTLM never passes the password to
the
> > server, so also the control gets passed to the lower level module, this
> > lower level module must be able to handle NTLM. The default Apache auth
> > handler isn't able to do so. It expects a password, which it doesn't
gets
> > because the client never has send it.
> >
> > Hope it's a little bit more clear now
> >
> > Gerald
> >
> > -------------------------------------------------------------
> > Gerald Richter ecos electronic communication services gmbh
> > Internetconnect * Webserver/-design/-datenbanken * Consulting
> >
> > Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz
> > E-Mail: [EMAIL PROTECTED] Voice: +49 6133 925131
> > WWW: http://www.ecos.de Fax: +49 6133 925152
> > -------------------------------------------------------------
> >
> >
> >
> > I have cut out the below section from the doco which
> > relates to the above functionality :
> > "
> > =head2 PerlSetVar ntlmauthoritative
> >
> > Setting the ntlmauthoritative directive explicitly to 'off' allows
> > authentication
> > to be passed on to lower level modules if AuthenNTLM cannot autheticate
> > the userand the NTLM authentication scheme is used.
> > If set to 'on', which is the default, AuthenNTLM will try to verify the
> > user andif it fails will give an Authorization Required reply.
> >
> > =head2 PerlSetVar basicauthoritative
> >
> > Setting the ntlmauthoritative directive explicitly to 'off' allows
> > authentication
> > to be passed on to lower level modules if AuthenNTLM cannot autheticate
> > the userand the Basic authentication scheme is used.
> > If set to 'on', which is the default, AuthenNTLM will try to verify the
> > user andif it fails will give an Authorization Required reply.
> > "
> >
> >
> >
> > From the above description, I am hoping for the following events to take
> > place
> >
> >
> > - ntlm authentication (if fail this level go to next authentication)
> >
> > - basic authentication (if fails this level go to other
> > authentication systems)
> >
> > - read passwords in htpasswd file ( if this fails, then access not
> > granted)
> >
> >
> >
> >
> > To enable the following behaviour, I have included the following
> > directives in httpd.conf.
> >
> > - ntlmauthoritative off
> > - basicauthoritative off
> >
> >
> > I have also taken out the basic authentication to see if this works ie
> >
> > Authtype ntlm (not basic)
> >
> > But this still does fail & allow the htpasswd system to verify access.
> >
> >
> >
> > If there are changes that need to be made to the AuthenNTLM.pm, I am
> > not very well read in this area - are there any goof references.
> >
> > From my novice perspective, it appears that when NTLM is included as
> > part of the authentication, the ability for normal modules to verify
> > access (ie htpasswd file) is no longer available ie the perl module does
> > not pass back what the standard modules are expecting.
> >
> > I am sorry to be a bit unclear in my analysis, but I am fairly new to
> > apache & perl modules.
> >
> >
> > Many Thanks
> >
> >
> > Adam
> >
> >
> > original email attached
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: Gerald Richter [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, 12 August 2002 5:35 PM
> > To: Kaye-Smith Adam; [EMAIL PROTECTED]
> > Subject: Re: NTLM module
> >
> >
> >
> > ----- Original Message -----
> > From: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, August 12, 2002 4:51 AM
> > Subject: NTLM module
> >
> >
> > Hello ,
> >
> >
> > >When I enter in an NT password it all works ok but when I use a
> > >user/pass from the htpasswd file, the only way it will work is that I
> > >change the above line to
> > >
> > >AuthType Basic instead of
> > >AuthType ntlm,Basic.
> > >
> > >
> > >With this change I can access passwords in htpasswd & also authenticate
> > >from an NT server but I can no longer use NTLM.
> >
> > The problem is that Basic authentication requires a password from the
> > client
> > which can be compared against your password file. In case of NTLM auth,
> > there is no password ever send over the wire, so Apache doesn't have
> > anything which it can compare against it's passwd file.
> >
> > The solution would be to derive a class from AuthenNTLM and do the
> > computation of the challage and response based on the secrets in the
> > passwd
> > file (you would need to store MD4 hashs of your passwords somewhere).
> > There
> > is a module called Perl::AuthenNTLM which may be helpfull in doing this
> > task.
> >
> > Gerald
> >
> >
> > -------------------------------------------------------------
> > Gerald Richter ecos electronic communication services gmbh
> > Internetconnect * Webserver/-design/-datenbanken * Consulting
> >
> > Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz
> > E-Mail: [EMAIL PROTECTED] Voice: +49 6133 925131
> > WWW: http://www.ecos.de Fax: +49 6133 925152
> > -------------------------------------------------------------
> >
> >
> >
> >
> >
> >
> > ************************************************************************
> > The information in this e-mail together with any attachments is
> > intended only for the person or entity to which it is addressed
> > and may contain confidential and/or privileged material.
> >
> > Any form of review, disclosure, modification, distribution
> > and/or publication of this e-mail message is prohibited.
> >
> > If you have received this message in error, you are asked to
> > inform the sender as quickly as possible and delete this message
> > and any copies of this message from your computer and/or your
> > computer system network.
> > ************************************************************************
> >
> >
> >
> > -------------------------------------------------------------
> > Gerald Richter ecos electronic communication services gmbh
> > Internetconnect * Webserver/-design/-datenbanken * Consulting
> >
> > Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz
> > E-Mail: [EMAIL PROTECTED] Voice: +49 6133 925131
> > WWW: http://www.ecos.de Fax: +49 6133 925152
> > -------------------------------------------------------------
> >
> >
> >
> >
>
>
