Hi, we've found the Windows NTLM SSPI-related code to
be useful, but have found a couple of issues:
1) If the authentication attempt fails, the client
libraries don't seem to quit trying... The patch to
ne_sspi.c seems to fix this. (this was detected when a
machine wasn't part of the domain).
2) If a user is logged into a machine that's NOT part
of the domain, however the user has domain
credentials, they should be able to provide those
credentials programmatically (or be prompted in a like
manner to that for the basic and digest methods
supporting this currently). The changes to ne_auth.c
and ne_sspi.c accommodate this.
3) Sometimes the DLL that one must use is called
different things on different platforms. I added the
ability to try an alternate library if loading the
first one fails.
-Brian Moran
Centeris Corporation
diff src/ne_auth.c src1/ne_auth.c
4c4
<
---
>
512a513
>
518c519,520
<
---
> char password[NE_ABUFSIZ];
>
527,528c529,540
< }
<
---
> if (!get_credentials(sess, password)) {
> /* username is DOMAIN\USER, password is password
*/
> /* process that into the security context */
> AltCredsForSSPIContext(sess->sspi_context,
> sess->username,
> sess->realm,
>
> sess->scheme,password);
>
> }
>
> }
>
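Review bot: The return value of `AltCredsForSSPIContext` is discarded in this hunk, so when it returns -1 (for example for a username containing neither `\` nor `@`) no alternate credentials are stored and the caller gets no indication of that. The handshake then presumably proceeds with the logged-on user's default credentials; check the result and fail or log here, e.g. `if (AltCredsForSSPIContext(...) != 0) return -1;`. The `password` stack buffer declared in hunk 518c519,520 also still holds the plaintext after the call. If this path is Windows-only, as the SSPI call suggests, it can be cleared with `SecureZeroMemory(password, sizeof password);` once the copy has been made. The enclosing function starts and ends outside the hunk.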
943a956
>
972a986,991
> #if 0
> if (get_credentials(sess, password)) {
> /* Failed to get credentials */
> return -1;
> }
> #endif
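Review bot: The `#if 0` block added here is dead code, and the identical block is added again in hunk 975c994,1000; neither is ever compiled. If the credential prompt is not meant to run at these two points, leave the blocks out of the patch rather than committing disabled code. If they are placeholders, replace them with a short comment stating what is still to be done, such as `/* TODO: prompt for credentials here once the SSPI retry path is settled */`.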
975c994,1000
< }
---
> #if 0
> if (get_credentials(sess, password)) {
> /* Failed to get credentials */
> return -1;
> }
> #endif
> }
diff src/ne_sspi.c src1/ne_sspi.c
23c23
<
---
> #include "tchar.h"
31a32
>
39a41
> SEC_WINNT_AUTH_IDENTITY *alt_creds; /* alternate to
default credentials */
49a52,53
>
>
72a77,158
> /* convert to SSPI-friendly version */
>
>
> int AltCredsForSSPIContext(SSPIContext *sspi,char
*username,char *realm,char *scheme, char *password) {
> /* todo - create the security structure, put the
info into it */
> SEC_WINNT_AUTH_IDENTITY *pAuthData;
> int totalsize;
> char *domainpart,*userpart,*sbuff;
> char *lusername, *lpw;
> if (!username || !password) return -1;
>
> lusername = ne_calloc(strlen(username)+1);
> lpw = password;
>
> if (!lpw || !lusername) return -1;
>
> strcpy(lusername,username);
>
> /* todo - sort out [EMAIL PROTECTED] instead of
domain\USER */
>
> if ((userpart = strchr(lusername, '\\')) != NULL) {
> *userpart = '\0';
> domainpart = lusername;
> userpart++;
> } else {
> /* not old-style */
> if ((domainpart = strchr(lusername, '@')) != NULL)
{
> *domainpart = '\0';
> userpart = lusername;
> domainpart++;
> } else {
> NE_DEBUG(NE_DBG_HTTPAUTH,
> "sspi: No domain specified with
credentials");
> ne_free(lusername);
> return -1;
> }
> }
> totalsize
=sizeof(SEC_WINNT_AUTH_IDENTITY)+strlen(userpart)+strlen(domainpart)+strlen(lpw)+15;
>
> pAuthData=ne_calloc(totalsize);
> if (!pAuthData) { ne_free(lusername); return -1; }
>
> pAuthData->Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
> pAuthData->UserLength = strlen(userpart);
> pAuthData->DomainLength = strlen(domainpart);
> pAuthData->PasswordLength = strlen(lpw);
>
> NE_DEBUG(NE_DBG_HTTPAUTH,
> "sspi: Credentials Username %s
Domainname %s\n",
> userpart,
> domainpart);
>
> sbuff = ((char
*)pAuthData)+sizeof(SEC_WINNT_AUTH_IDENTITY);
>
> strncpy(sbuff,userpart,pAuthData->UserLength+1);
> pAuthData->User = sbuff;
> sbuff += (pAuthData->UserLength+1);
>
>
strncpy(sbuff,domainpart,pAuthData->DomainLength+1);
> pAuthData->Domain = sbuff;
> sbuff += (pAuthData->DomainLength+1);
>
> strncpy(sbuff,lpw,pAuthData->PasswordLength+1);
> pAuthData->Password = sbuff;
> sbuff += (pAuthData->PasswordLength+1);
>
> sspi->alt_creds = pAuthData;
> NE_DEBUG(NE_DBG_HTTPAUTH,
> "sspi: Credentials Username %s %x
Domainname %s %x size %d\n",
> pAuthData->User,pAuthData->User,
> pAuthData->Domain,pAuthData->Domain,
>
> totalsize);
> return 0;
> }
>
> int ne_provide_alt_creds(void *cp,char *username,
char *pw){
> SSPIContext *mysspi;
>
> if (getContext(cp,&mysspi)) { return -1; }
>
AltCredsForSSPIContext(mysspi,username,NULL,NULL,pw);
> }
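Review bot: `AltCredsForSSPIContext` leaks `lusername` on the success path: it is released on both error returns but not before `return 0;`, even though `User` and `Domain` have already been copied into `pAuthData` by then, so add `ne_free(lusername);` before the final return. `sspi->alt_creds = pAuthData;` also overwrites any block stored by an earlier call, orphaning an allocation that still contains a plaintext password; wipe and free the old block first. `ne_provide_alt_creds` is declared `int` but falls off the end after a successful `getContext`; it should finish with `return AltCredsForSSPIContext(mysspi, username, NULL, NULL, pw);`. The second `NE_DEBUG` passes pointers to `%x`, where `%p` is the matching conversion.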
129c215
< hSecDll = LoadLibrary("security.dll");
---
> hSecDll = LoadLibrary(_TEXT("security.dll"));
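Review bot: `LoadLibrary` is called with a bare file name here, and again for `secur32.dll` in hunk 132c218,229, so the DLL is resolved through the standard search order, which can include directories other than the system directory. For a library that handles credentials the lookup should be pinned, e.g. `LoadLibraryEx(_TEXT("secur32.dll"), NULL, LOAD_LIBRARY_SEARCH_SYSTEM32)` where the targeted Windows versions support that flag, or a full path built from `GetSystemDirectory`. The surrounding initialisation function lies outside the hunk.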
132c218,229
< NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: Loading of
security dll [fail].\n");
---
> NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: Loading of
security dll [fail %d]. Trying
alternate\n",GetLastError());
> hSecDll = LoadLibrary(_TEXT("secur32.dll"));
> if (hSecDll != NULL) {
> NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: Loading of
secur32.dll [ok]. \n");
> initDll(hSecDll);
> if (initialized == 0) {
> initialized = 1;
> }
> } else {
> NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: Loading of
secur32.dll [fail %d]. \n",GetLastError());
> }
>
182c279
< static int acquireCredentialsHandle(CredHandle *
credentials, char *package)
---
> static int acquireCredentialsHandle(CredHandle *
credentials, char *package, SSPIContext *sspic)
185a283
> SEC_WINNT_AUTH_IDENTITY *pAuthData;
187c285,296
< status =
---
> pAuthData = NULL;
>
> if (sspic->alt_creds) {
> pAuthData = sspic->alt_creds;
> NE_DEBUG(NE_DBG_HTTPAUTH,
> "sspi: AcquireCredentialsHandle with Username %s,
Domain %s\n",
> sspic->alt_creds->User,
> sspic->alt_creds->Domain);
>
> }
> status =
189c298
< NULL, NULL,
NULL, NULL, credentials,
---
> NULL,
pAuthData, NULL, NULL, credentials,
360a470
>
362c472
<
---
>
372a483,486
>
NE_DEBUG(NE_DBG_HTTPAUTH,"ne_sspi_create_context:
server name is %s, NTLM=%d\n",
> serverName,
> ntlm);
>
385a500
>
memset(&sspiContext->credentials,0,sizeof(sspiContext->credentials));
427a543,546
> if (sspiContext->alt_creds ) {
> ne_free(sspiContext->alt_creds);
> sspiContext->alt_creds = NULL;
> }
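Review bot: `alt_creds` is freed here without first clearing the password that `AltCredsForSSPIContext` copied into the same allocation, so the plaintext remains in freed heap memory. Wipe it before the free, e.g. `SecureZeroMemory(sspiContext->alt_creds->Password, sspiContext->alt_creds->PasswordLength);` placed ahead of `ne_free(sspiContext->alt_creds);`. The enclosing function is not visible in this hunk.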
449a569,571
> NE_DEBUG(NE_DBG_HTTPAUTH,"ne_sspi_authenticate:
token [%s]\n",base64Token);
>
>
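Review bot: This `NE_DEBUG` writes the incoming authentication token to the debug log, and hunk 544a672 does the same for `*responseToken`. NTLM/Negotiate tokens are authentication material and should not land in log files that may be passed around for troubleshooting. Log only whether a token is present, e.g. `NE_DEBUG(NE_DBG_HTTPAUTH, "ne_sspi_authenticate: token %s\n", base64Token ? "present" : "absent");`. `base64Token` can also be NULL at this point, since the code further down tests `if (base64Token)`, and passing NULL to `%s` is undefined.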
466c588,593
< if (base64Token) {
---
> if (!base64Token &&
(sspiContext->credentials.dwLower ||
sspiContext->credentials.dwUpper)) {
> NE_DEBUG(NE_DBG_HTTPAUTH,"ne_sspi_authenticate:
have start over, but previous credentials. must have
failed\n");
> return -1;
> }
>
> if (base64Token) {
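Review bot: The new early return treats any non-zero `credentials.dwLower`/`dwUpper` as proof of a failed earlier attempt, which only holds if the handle is zeroed every time the context is reset. The only zeroing visible in this patch is the `memset` added at context creation in hunk 385a500. If the code that releases the credentials handle (not shown) leaves the fields set, a reused context would return -1 on every later first-round call. Consider repeating `memset(&sspiContext->credentials, 0, sizeof(sspiContext->credentials));` wherever the handle is freed, and documenting that invariant in a comment above this check.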
499c626
< (&sspiContext->credentials,
sspiContext->mechanism) != SEC_E_OK) {
---
> (&sspiContext->credentials,
sspiContext->mechanism, sspiContext) != SEC_E_OK) {
544a672
> NE_DEBUG(NE_DBG_HTTPAUTH,"ne_sspi_authenticate:
response token [%s]\n",*responseToken);