Hi Robert,
On Tue, Jan 30, 2007 at 10:03:08PM +0100, Robert S. van der Boon wrote:
> I'm using subversion against a repository with mod_auth_sspi (allowing
> only NTLM authentication). If during a session the connection is
> closed, then the next request in the session fails. So far I've seen
> this in 2 scenarios:
> - when the server set the keepalive to false (because the
>   MaxKeepAlives is exceeded)
> - on non-idempotent messages (because neon closes the connection
>   before doing such a request).
I had wondered whether this would show up. The problem is really that
the Negotiate/NTLM auth scheme is completely broken.
> I tracked the problem down to this:
>
> 1. neon does not clear its sspi context / token if a connection is
> closed. Therefore the old token is used on the new connection, and the
> server does not accept that.
This can be fixed by adding a new hook, I suppose.
> 2. neon should not close the connection if it is in the sspi/auth
> negotiation for the non-idempotent messages (line 1216 in
> ne_request.c). The NTLM authentication is a multi-leg authentication,
> meaning we need at least 2 requests to do authentication. neon closes
> the connection after the first request, resulting in problem 1.
For SSPI the flag could just be cleared, it loses some reliability but
that's going to be tough luck - can you try this patch?
Index: src/ne_auth.c
===================================================================
--- src/ne_auth.c (revision 1148)
+++ src/ne_auth.c (working copy)
@@ -1240,6 +1240,11 @@
ne_free(value);
}
+#ifdef HAVE_SSPI
+ if (sess->sspi_token) {
+ ne_set_request_flag(req, NE_REQFLAG_IDEMPOTENT, 1);
+ }
+#endif
}
}
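Review bot: the condition `if (sess->sspi_token)` tests only that a token exists, not that the multi-leg handshake is still in progress, so if the token stays set once authentication has completed, every later request on the session is also forced to NE_REQFLAG_IDEMPOTENT and the caller's own setting is overwritten with no way to restore it. Consider limiting the check to the legs of the negotiation, or saving and restoring the original flag value. The added block also needs a comment saying why a non-idempotent request is being marked idempotent here (to keep the connection open across the NTLM legs), and it does not address the stale token being reused on a new connection, which is item 1 in the report.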
_______________________________________________
neon mailing list
[email protected]
http://mailman.webdav.org/mailman/listinfo/neon