>
> if you check the source of the Smb implementation of the module, you would
> see that it performs basically the same function as NTLM. I agree with you
> that it does not fit the Microsoft definition of NTLM, so it is not an NTLM
> implementation. If one's purpose is to pass the protection by providing a
> valid username/password pair in an NT domain, then one does not have to
> follow that definition and the current Smb implementation is one of the
> possible solutions.
>

The point is not how the password is passed to the NT server, the point is
how the browser and the web server exchange the credentials. With Basic
auth and with your module the user enters a username and a password and you
use different backends to verify this. With NTLM authentication Internet
Explorer and the web server use a challenge-response procedure to exchange
credentials (and IE does this without asking the user, so you get logged on
with your Windows username, which saves the user some extra typing). They
never send the password over the wire, so you don't have a password to
send/verify to your backend.

What you are talking about is the verification of the password between the
web server and the NT domain controller; that's something different.

Gerald


>
> Peter
>
> ----- Original Message -----
> From: "Gerald Richter" <[EMAIL PROTECTED]>
> To: "Peter Bi" <[EMAIL PROTECTED]>; "Kaye-Smith Adam"
> <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, August 13, 2002 12:53 AM
> Subject: Re: NTLM module
>
>
> >
> >
> > > You may check the Apache::Access module at http://modperl.home.att.net
> > > in which I tried to provide a general solution to several popular
> > > authentication issues such as SMB, LDAP, IMAP, NIS, FTP, LWP and DBI
> > > etc.
> > >
> >
> > I think you missed the point (or I misunderstood your module): The
> > problem is not doing the authentication against whatever, but doing NTLM
> > authentication. With NTLM auth you don't get a password from the client,
> > so how would you compare the password that you don't have against "SMB,
> > LDAP, IMAP, NIS, FTP, LWP and DBI etc."?
> >
> > The only solution is to reimplement the challenge/response that NTLM
> > does. (The module Authen::Perl::NTLM may be helpful here). To do this you
> > need either the password in clear text to compute the NT password hash (a
> > sort of MD4 hash) or the precomputed NT password hash. You won't have
> > this with LDAP, IMAP, NIS, FTP, LWP and DBI etc....
> >
> > Gerald
> >
> > -------------------------------------------------------------
> > Gerald Richter    ecos electronic communication services gmbh
> > Internetconnect * Webserver/-design/-datenbanken * Consulting
> >
> > Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
> > E-Mail:     [EMAIL PROTECTED]         Voice:    +49 6133 925131
> > WWW:        http://www.ecos.de      Fax:      +49 6133 925152
> > -------------------------------------------------------------
> >
> >
> > > Cheers.
> > >
> > >
> > > Peter Bi
> > >
> > > ----- Original Message -----
> > > From: "Gerald Richter" <[EMAIL PROTECTED]>
> > > To: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> > > Cc: <[EMAIL PROTECTED]>
> > > Sent: Monday, August 12, 2002 9:12 PM
> > > Subject: Re: NTLM module
> > >
> > >
> > > >
> > > > >According to the documentation, if you set ntlmauthoritative to
> > > > >off, then if NTLM authorization fails, then it should pass it on to
> > > > >the lower level modules.
> > > >
> > > > Yes, that's true and it works like you describe it. The point that
> > > > you are missing is (and that I have tried to show in my last mail),
> > > > that during NTLM authentication there is no password! NTLM never
> > > > passes the password to the server, so if control gets passed to the
> > > > lower level module, this lower level module must be able to handle
> > > > NTLM. The default Apache auth handler isn't able to do so. It expects
> > > > a password, which it doesn't get because the client never sent it.
> > > >
> > > > Hope it's a little bit more clear now
> > > >
> > > > Gerald
> > > >
> > > > -------------------------------------------------------------
> > > > Gerald Richter    ecos electronic communication services gmbh
> > > > Internetconnect * Webserver/-design/-datenbanken * Consulting
> > > >
> > > > Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
> > > > E-Mail:     [EMAIL PROTECTED]         Voice:    +49 6133 925131
> > > > WWW:        http://www.ecos.de      Fax:      +49 6133 925152
> > > > -------------------------------------------------------------
> > > >
> > > >
> > > >
> > > > I have cut out the below section from the doco which
> > > > relates to the above functionality:
> > > > "
> > > > =head2 PerlSetVar ntlmauthoritative
> > > >
> > > > Setting the ntlmauthoritative directive explicitly to 'off' allows
> > > > authentication to be passed on to lower level modules if AuthenNTLM
> > > > cannot authenticate the user and the NTLM authentication scheme is
> > > > used. If set to 'on', which is the default, AuthenNTLM will try to
> > > > verify the user and if it fails will give an Authorization Required
> > > > reply.
> > > >
> > > > =head2 PerlSetVar basicauthoritative
> > > >
> > > > Setting the ntlmauthoritative directive explicitly to 'off' allows
> > > > authentication to be passed on to lower level modules if AuthenNTLM
> > > > cannot authenticate the user and the Basic authentication scheme is
> > > > used. If set to 'on', which is the default, AuthenNTLM will try to
> > > > verify the user and if it fails will give an Authorization Required
> > > > reply.
> > > > "
> > > >
> > > >
> > > >
> > > > From the above description, I am hoping for the following events to
> > > > take place:
> > > >
> > > > -   ntlm authentication   (if this level fails, go to next
> > > >     authentication)
> > > >
> > > > -   basic authentication  (if this level fails, go to other
> > > >     authentication systems)
> > > >
> > > > -   read passwords in htpasswd file  (if this fails, then access not
> > > >     granted)
> > > >
> > > >
> > > > To enable the above behaviour, I have included the following
> > > > directives in httpd.conf.
> > > >
> > > > -  ntlmauthoritative off
> > > > -  basicauthoritative off
> > > >
> > > >
> > > > I have also taken out the basic authentication to see if this works,
> > > > ie
> > > >
> > > > Authtype ntlm   (not basic)
> > > >
> > > > But this still fails and does not allow the htpasswd system to verify
> > > > access.
> > > >
> > > >
> > > > If there are changes that need to be made to the AuthenNTLM.pm, I am
> > > > not very well read in this area - are there any good references?
> > > >
> > > > From my novice perspective, it appears that when NTLM is included as
> > > > part of the authentication, the ability for normal modules to verify
> > > > access (ie htpasswd file) is no longer available, ie the perl module
> > > > does not pass back what the standard modules are expecting.
> > > >
> > > > I am sorry to be a bit unclear in my analysis, but I am fairly new to
> > > > apache & perl modules.
> > > >
> > > >
> > > > Many Thanks
> > > >
> > > >
> > > > Adam
> > > >
> > > >
> > > > original email attached
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Gerald Richter [mailto:[EMAIL PROTECTED]]
> > > > Sent: Monday, 12 August 2002 5:35 PM
> > > > To: Kaye-Smith Adam; [EMAIL PROTECTED]
> > > > Subject: Re: NTLM module
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Monday, August 12, 2002 4:51 AM
> > > > Subject: NTLM module
> > > >
> > > >
> > > > Hello ,
> > > >
> > > >
> > > > >When I enter an NT password it all works ok but when I use a
> > > > >user/pass from the htpasswd file, the only way it will work is that
> > > > >I change the above line to
> > > > >
> > > > >AuthType Basic                     instead of
> > > > >AuthType ntlm,Basic.
> > > > >
> > > > >
> > > > >With this change I can access passwords in htpasswd & also
> > > > >authenticate from an NT server but I can no longer use NTLM.
> > > >
> > > > The problem is that Basic authentication requires a password from the
> > > > client which can be compared against your password file. In case of
> > > > NTLM auth, there is no password ever sent over the wire, so Apache
> > > > doesn't have anything which it can compare against its passwd file.
> > > >
> > > > The solution would be to derive a class from AuthenNTLM and do the
> > > > computation of the challenge and response based on the secrets in the
> > > > passwd file (you would need to store MD4 hashes of your passwords
> > > > somewhere). There is a module called Perl::AuthenNTLM which may be
> > > > helpful in doing this task.
> > > >
> > > > Gerald
> > > >
> > > >
> > > > -------------------------------------------------------------
> > > > Gerald Richter    ecos electronic communication services gmbh
> > > > Internetconnect * Webserver/-design/-datenbanken * Consulting
> > > >
> > > > Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
> > > > E-Mail:     [EMAIL PROTECTED]         Voice:    +49 6133 925131
> > > > WWW:        http://www.ecos.de      Fax:      +49 6133 925152
> > > > -------------------------------------------------------------
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ************************************************************************
> > > > The information in this e-mail together with any attachments is
> > > > intended only for the person or entity to which it is addressed
> > > > and may contain confidential and/or privileged material.
> > > >
> > > > Any form of review, disclosure, modification, distribution
> > > > and/or publication of this e-mail message is prohibited.
> > > >
> > > > If you have received this message in error, you are asked to
> > > > inform the sender as quickly as possible and delete this message
> > > > and any copies of this message from your computer and/or your
> > > > computer system network.
> > > >
> > > > ************************************************************************
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
>
>
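
The exchange Gerald describes, as an added example that is not part of
the original thread and not code from Apache::AuthenNTLM, Authen::Perl::NTLM
or Apache::Access: one script computes the NT password hash, builds the
client's NTLM response from the server's challenge, verifies it on the server
side using only the stored NT hash, and decodes a Basic credential for
contrast. It uses the HMAC-MD5 based NTLMv2 response (MS-NLMP section 3.3.2)
rather than the DES-based NTLMv1 the 2002 module dealt with, so it needs only
the Python standard library; MD4 is implemented inline because hashlib often
has no md4 under OpenSSL 3. The user, domain, passwords, server challenge and
client nonce are constructed for the example.

```python
"""NTLM challenge/response beside HTTP Basic: why the web server needs the
NT hash (MD4 of the UTF-16LE password), not an htpasswd entry, to check an
NTLM client. Added example for the mailing-list thread; not module code.
Uses NTLMv2 (HMAC-MD5) in place of the DES-based NTLMv1. All users,
passwords, challenges and nonces are constructed."""
import base64
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, inline because hashlib's md4 is often unavailable."""
    def rol(x, n):
        x &= _MASK
        return ((x << n) | (x >> (32 - n))) & _MASK

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    msg = bytearray(data) + b"\x80"          # pad: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                  # round 1
            a = rol(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                  # round 2
            a = rol(a + g(b, c, d) + x[r2_idx[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                  # round 3
            a = rol(a + h(b, c, d) + x[r3_idx[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & _MASK, (b + bb) & _MASK,
                      (c + cc) & _MASK, (d + dd) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is the secret the
    server must hold; a crypt() or MD5 htpasswd entry cannot be used."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain))."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16le"),
                    hashlib.md5).digest()


def ntlmv2_response(password, user, domain, server_challenge, client_nonce,
                    timestamp=0, target_info=b""):
    """Client side (what the browser puts in the Type 3 message):
    NTProofStr || blob. The password never leaves the client."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntowf_v2(nt_hash(password), user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_ntlmv2(stored_nthash, user, domain, server_challenge, response):
    """Server side: recompute NTProofStr from the stored NT hash and the
    challenge this server issued, and compare in constant time."""
    if len(response) < 16 + 32:              # 16-byte proof + minimal blob
        return False
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nthash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def basic_credentials(authorization_value: str):
    """HTTP Basic, for contrast: the header carries the password itself,
    so the server can hand it to any backend (htpasswd, LDAP, SMB, ...)."""
    scheme, _, token = authorization_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def demo():
    """Run both exchanges with constructed values."""
    server_challenge = bytes.fromhex("0123456789abcdef")  # constructed Type 2 nonce
    client_nonce = bytes.fromhex("aaaaaaaaaaaaaaaa")      # constructed client nonce
    user, domain, password = "adam", "EXAMPLE", "password"  # constructed account
    store = {user: nt_hash(password)}                     # server keeps only the NT hash
    resp = ntlmv2_response(password, user, domain, server_challenge, client_nonce)
    basic_user, basic_pw = basic_credentials("Basic YWRhbTpzM2NyZXQ=")  # adam:s3cret
    return {
        "ntlm_verified": verify_ntlmv2(store[user], user, domain, server_challenge, resp),
        "ntlm_replayed_against_other_challenge": verify_ntlmv2(
            store[user], user, domain, bytes(8), resp),
        "password_in_ntlm_response": password.encode("utf-16le") in resp,
        "basic_password_recovered": basic_pw,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly and the result dictionary shows the point of the thread: the
server verifies the NTLM response while holding nothing but an NT hash, the
response contains no password, a response replayed against a different
challenge fails, and only the Basic header yields a password that could be
checked against an htpasswd file.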
