Bug #3043 for HTTP-DAV: Bug in HTTP::DAV when used with NTLM authentication?

Fri Jul 25 17:45:31 2003 Guest - Ticket created

Subject:

Bug in HTTP::DAV when used with NTLM authentication?

Linux, Perl 5.6.0 HTTP::DAV does not work with NTLM. Hi, I was trying to pull some information from Exchange 2000 (Contact List), which offers a WebDAV interface. I was happy to discover your WebDAV Perl module, but it did not work for me. Upon investigating I discovered Exchange uses NTLM authentication, and HTTP::DAV does not seem to work with that. Am I using it incorrectly? I found a piece if sample code that "use Authen::NTLM;" that did connect, but was not WebDAV aware. When I include your DAV code, with "use HTTP::DAV;" and make no other changes, the previously working code stops working. This (test.pl) has been borrowed from someone's code I found on google. This code works, until you uncomment out any of the "use HTTP::DAV*" lines, then it fails. NTLM requires the connection be kept open during the handshaking sequence, and therefore needs the keep_alive. I think other Microsoft server products also offer webdav interfaces, but I can not remember which ones right now. I would assume they also use Microsoft's authentication method, NTLM. Exchange does not offer the client any other authentication methods. My Exchange server is not visible from the Internet, so I am not sure how you can reproduce this. I can/will investigate if Apache can be configured to require NTLM authentication. test.pl = NTML only code mod.txt = modules installed dav.pl = does not work, it gives this error Show quoted text

unix> perl dav.pl

The keep_alive option must be enabled for NTLM authentication to work. NTLM authentication aborted. Couldn't open http://my.exchange.server.com/exchange/user1/: Unauthorized.

#!/usr/bin/perl # Snippet of code found on google. I lost the author name. use LWP::UserAgent; use Authen::NTLM; use HTTP::Request::Common; # If any of these lines are uncommented, code will start failing. #use HTTP::DAV; #use HTTP::DAV::Resource; #use HTTP::DAV::Comms; # Things learned, it is the two files DAV::Resources and DAV::Comms that break it. # It is nothing those two files include my $url = 'http://my.exchange.server.com/exchange/user1'; my $user = 'DOMAINNAME\user1'; # The auth module splits this on the '\' my $pass = 'user1'; my $ua = new LWP::UserAgent(keep_alive=>1); $ua->credentials('my.exchange.server.com:80', '', $user, $pass); $request = GET $url; $response = $ua->request($request); if ($response->is_success) {print "It worked!->" . $response->code . "\n"} else {print "It didn't work!->" . $response->code . "\n"}

Thu Feb 26 06:32:27 2004 Guest - Correspondence added

From:

Simon Flack

HTTP::DAV::UserAgent must pass a keep_alive option to LWP::UserAgent. I had to add this manually to the file HTTP/DAV/Comms.pm. See http://search.cpan.org/perldoc?LWP::Authen::Ntlm

Thu Feb 23 10:40:35 2006 Guest - Correspondence added

From:

dcount [...] gmail.com

On Thu Feb 26 06:32:27 2004, guest wrote: Show quoted text

> HTTP::DAV::UserAgent must pass a keep_alive option to

LWP::UserAgent. I Show quoted text

> had to add this manually to the file HTTP/DAV/Comms.pm. > > See http://search.cpan.org/perldoc?LWP::Authen::Ntlm

Do you have example code of how you got HTTP:DAV to work with LWP:Authen:NTLM?

Thu Feb 23 10:40:36 2006 The RT System itself - Status changed from 'new' to 'open'

Fri Mar 27 10:26:09 2009 Marek.Rouchal [...] gmx.net - Correspondence added

On Do. 23. Feb. 2006, 10:40:35, guest wrote: Show quoted text

> Do you have example code of how you got HTTP:DAV to work with > LWP:Authen:NTLM?

I managed to access a M$ sharepoint server with NTLM authentication: - install Authen::NTLM (CPAN: BUZZ/NTLM-1.05.tar.gz) - install HTTP::DAV 0.37 - apply this patch: +++ HTTP-DAV-0.37p2/DAV/Comms.pm 2009-03-27 14:44:47.110023000 +0100 @@ -326,7 +326,7 @@ #require LWP::UserAgent; sub new { - my $self = LWP::UserAgent::new(@_); + my $self = LWP::UserAgent::new(@_, keep_alive => 1); $self->agent("lwp-request/$HTTP::DAV::VERSION"); $self; } As indicated above, keep_alive is a prerequisite for NTLM authentication. On top of that, here we had to use another patch to successfully run the get() method, see RT#44617 At the same time, with another sharepoint server that does not have NTML enabled, it seems that if NTLM authentication fails, then HTTP::DAV does not fall back to basic authentication, at least not successfully. Actually, this worked fine _before_ I installed Authen::NTLM. With NTLM enabled I saw debugging output like this (plaintext password removed): Setting auth details for ishare.extra.infineon.com:443, default to 'eu\rouchal', '...' new_resource: For https://ishare.extra.infineon.com/sites/ETS_DFA_FE/Shared%20Documents/Interfaces-Responsibilities/, creating new resource Using user/pass combo: eu\rouchal .... For , https://ishare.extra.infineon.com/sites/ETS_DFA_FE/Shared%20Documents/Interfaces-Responsibilities/ Using user/pass combo: eu\rouchal .... For , https://ishare.extra.infineon.com/sites/ETS_DFA_FE/Shared%20Documents/Interfaces-Responsibilities/ Using user/pass combo: eu\rouchal .... For , https://ishare.extra.infineon.com/sites/ETS_DFA_FE/Shared%20Documents/Interfaces-Responsibilities/ Using user/pass combo: eu\rouchal .... For , https://ishare.extra.infineon.com/sites/ETS_DFA_FE/Shared%20Documents/Interfaces-Responsibilities/ Using user/pass combo: eu\rouchal .... For , https://ishare.extra.infineon.com/sites/ETS_DFA_FE/Shared%20Documents/Interfaces-Responsibilities/ Using user/pass combo: eu\rouchal .... For , https://ishare.extra.infineon.com/sites/ETS_DFA_FE/Shared%20Documents/Interfaces-Responsibilities/ Using user/pass combo: eu\rouchal .... For , https://ishare.extra.infineon.com/sites/ETS_DFA_FE/Shared%20Documents/Interfaces-Responsibilities/ Couldn't open https://ishare.extra.infineon.com/sites/ETS_DFA_FE/Shared%20Documents/Interfaces-Responsibilities: Unauthorized. Here is the debugging output from the logfile: Fri Mar 27 15:21:39 2009 PROPFIND REQUEST>> PROPFIND https://ishare.extra.infineon.com/sites/ETS_DFA_FE/Shared%20Documents/Interfaces-Responsibilities/ HTTP/1.1 Host: ishare.extra.infineon.com:443 Content-Type: text/xml Depth: 0 <?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind> PROPFIND RESPONSE>> HTTP/1.1 401 Unauthorized Date: Fri, 27 Mar 2009 14:21:21 GMT Server: Microsoft-IIS/6.0 WWW-Authenticate: NTLM WWW-Authenticate: Basic realm="ishare.extra.infineon.com" Content-Length: 1539 Content-Type: text/html Content-Type: text/html; charset=Windows-1252 Client-Date: Fri, 27 Mar 2009 14:21:39 GMT Client-Peer: 172.28.182.203:443 Client-Response-Num: 7 Client-SSL-Cert-Issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign Client-SSL-Cert-Subject: /C=DE/ST=Bavaria/L=Munich/O=Infineon Technologies Aktiengesellschaft/OU=IFKL IT OS PA AP/CN=ishare.extra.infineon.com Client-SSL-Cipher: RC4-MD5 Client-SSL-Warning: Peer certificate not verified Client-Warning: Credentials for 'eu\rouchal' failed before MicrosoftSharePointTeamServices: 12.0.0.6219 Title: You are not authorized to view this page X-Powered-By: ASP.NET

Thu Sep 03 13:05:33 2009 klohner [...] cpan.org - Correspondence added

Here's an example that works on a Windows XP ActivePerl 5.8.9 install with David Bussenschutt's "NTLM" module installed (http://search.cpan.org/~BUZZ/NTLM/) to get data from a SharePoint 2007 install: <code> #!/usr/bin/perl use strict; use HTTP::DAV; use HTTP::DAV::Comms; my $user = "username"; my $pass = "password"; my $url = 'http://my.sharepoint.site/'; my $ua = HTTP::DAV::UserAgent->new(keep_alive => 1); my $d = HTTP::DAV->new(-useragent => $ua); $d->credentials( -user=>"\\".$user.":1", -pass => $pass, -url =>$url); $d->open(-url=>$url); if (!$d->is_success) { print " Open Error: ".$d->message()."\n" } my $r = $d->propfind( -url=>$url, -depth=>1); if ( $d->is_success && $r ) { if ( $r->is_collection ) { print "Collection\n" ; print $r->get_resourcelist->as_string . "\n"; } else { print "Not A Collection\n" ; print $r->get_property("getcontentlength") ."\n"; } } else { print "PROPFIND failed.\n" ; print $d->message()."\n"; } </code>

#!/usr/bin/perl use strict; use HTTP::DAV; use HTTP::DAV::Comms; my $user = "username"; my $pass = "password"; my $url = 'http://my.sharepoint.site/'; my $ua = HTTP::DAV::UserAgent->new(keep_alive => 1); my $d = HTTP::DAV->new(-useragent => $ua); $d->credentials( -user=>"\\".$user.":1", -pass => $pass, -url =>$url); $d->open(-url=>$url); if (!$d->is_success) { print " Open Error: ".$d->message()."\n" } my $r = $d->propfind( -url=>$url, -depth=>1); if ( $d->is_success && $r ) { if ( $r->is_collection ) { print "Collection\n" ; print $r->get_resourcelist->as_string . "\n"; } else { print "Not A Collection\n" ; print $r->get_property("getcontentlength") ."\n"; } } else { print "PROPFIND failed.\n" ; print $d->message()."\n"; }