
This queue is for tickets about the NTLM CPAN distribution.

Report information
The Basics
Id: 70703
Status: resolved
Priority: 0/
Queue: NTLM

People
Owner: NBEBOUT [...] cpan.org
Requestors: yimin.shei [...] drdc-rddc.gc.ca
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Authen::NTLM patch for version 1.08
Date: Fri, 02 Sep 2011 13:23:14 -0600
To: bug-NTLM [...] rt.cpan.org
From: yimin <yimin.shei [...] drdc-rddc.gc.ca>
I've been using the AUTHEN::NTLM cpan module indirectly through LWP::Authen::Ntlm, and I'm submitting a patch for improved functionality.

I understand that the initial release was probably intended for authenticating against mail servers, but as I'm using this module to authenticate against a Microsoft Sharepoint server, I've run into some difficulties.

The simple explanation is that Sharepoint's ntlm authentication likes to authenticate the way that Authen::NTLM is written for ntlm v1 (or $ntlm_v2=0), except for the one thing: $domain=&unicode($domain at line 289) .

With Sharepoint, specifying $ntlm_v2=1 through ntlmv2(1) actually does not work, because this then uses

    $lmResp = &lmv2Encrypt($c_info->{data});
    $ntResp = &ntv2Encrypt($c_info->{data}, $c_info->{target_data});
    $flags = pack($msg3_tl, $ntlm_v2_msg3_flags);

which does not work for Sharepoint. Sharepoint prefers the v1 version:

    $lmResp = &lmEncrypt($c_info->{data});
    $ntResp = &ntEncrypt($c_info->{data});
    $flags = pack($msg3_tl, $c_info->{flags});

On online forums, the 'fix' is to replace $domain=substr (....) with $domain = &unicode($domain), but this might break the current functionality with ntlm version 1.

Therefore, I suggest that we leave the current functioning code as is, but add a case for $ntlm_v2 = 'sp', by setting ntlmv2('sp'). Since ntlmv2() does not care about input type, we can add future functionality through this. Why 'sp'? At first I thought we can use any arbitrary number, but then that might collide with actual NTLM 'standards' (though with microsoft, there's really no such thing). By using 'sp' though, I have to change match operators for $ntlm_v2 throughout the module to eq, and not use '==' or '>'.

After my patch, anyone who wishes to authenticate against Sharepoint can invoke in their script / module:

    use Authen::NTLM qw/ntlmv2/; ntlmv2('sp');

which will essentially run the online forum 'fix' without breaking current functionality.

Yours,

Yimin

Windows Sharepoint Services 3.0
perl, 5.0101
AUTHEN::NTLM 1.08
Linux 2.6.32-33-generic #72-Ubuntu x86_64 GNU/Linux

Message body is not shown because sender requested not to inline it.

Fixed in 1.09

On Fri Sep 02 15:23:29 2011, yimin.shei@drdc-rddc.gc.ca wrote:
> I've been using the AUTHEN::NTLM cpan module indirectly through
> LWP::Authen::Ntlm, and I'm submitting a patch for improved
> functionality.
>
> I understand that the initial release was probably intended for
> authenticating against mail servers, but as I'm using this module to
> authenticate against a Microsoft Sharepoint server, I've run into some
> difficulties.
>
> The simple explanation is that Sharepoint's ntlm authentication likes to
> authenticate the way that Authen::NTLM is written for ntlm v1 (or
> $ntlm_v2=0), except for the one thing: $domain=&unicode($domain at line
> 289) .
>
> With Sharepoint, specifying $ntlm_v2=1 through ntlmv2(1) actually does
> not work, because this then uses
>
>     $lmResp = &lmv2Encrypt($c_info->{data});
>     $ntResp = &ntv2Encrypt($c_info->{data}, $c_info->{target_data});
>     $flags = pack($msg3_tl, $ntlm_v2_msg3_flags);
>
> which does not work for Sharepoint. Sharepoint prefers the v1 version:
>
>     $lmResp = &lmEncrypt($c_info->{data});
>     $ntResp = &ntEncrypt($c_info->{data});
>     $flags = pack($msg3_tl, $c_info->{flags});
>
> On online forums, the 'fix' is to replace $domain=substr (....) with
> $domain = &unicode($domain), but this might break the current
> functionality with ntlm version 1.
>
> Therefore, I suggest that we leave the current functioning code as is,
> but add a case for $ntlm_v2 = 'sp', by setting ntlmv2('sp'). Since
> ntlmv2() does not care about input type, we can add future functionality
> through this. Why 'sp'? At first I thought we can use any arbitrary
> number, but then that might collide with actual NTLM 'standards' (though
> with microsoft, there's really no such thing). By using 'sp' though, I
> have to change match operators for $ntlm_v2 throughout the module to eq,
> and not use '==' or '>'.
>
> After my patch, anyone who wishes to authenticate against Sharepoint can
> invoke in their script / module:
>
>     use Authen::NTLM qw/ntlmv2/; ntlmv2('sp');
>
> which will essentially run the online forum 'fix' without breaking
> current functionality.
>
> Yours,
>
> Yimin
>
> Windows Sharepoint Services 3.0
> perl, 5.0101
> AUTHEN::NTLM 1.08
> Linux 2.6.32-33-generic #72-Ubuntu x86_64 GNU/Linux
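
The ticket turns on whether the domain field of the Type 3 message is sent as raw bytes or as UTF-16LE via unicode(). As an added example (not from the ticket, the patch, or Authen::NTLM itself), the Perl below reads the negotiate flags from a constructed Type 2 challenge and encodes the domain to match. The helper names parse_type2 and encode_domain and the sample message are hypothetical, and tying the SharePoint behaviour to the Unicode flag is an assumption.

```perl
use strict;
use warnings;
use Encode qw(encode);
use MIME::Base64 qw(encode_base64 decode_base64);

use constant {
    NEGOTIATE_UNICODE => 0x00000001,   # strings are UTF-16LE
    NEGOTIATE_OEM     => 0x00000002,   # strings are in the OEM code page
    NEGOTIATE_NTLM    => 0x00000200,   # NTLM (v1) authentication
};

# Fixed part of a Type 2 message: signature, type, target-name security
# buffer (len, maxlen, offset), negotiate flags, 8-byte server challenge.
sub parse_type2 {
    my ($b64) = @_;
    my $raw = decode_base64($b64);
    die "Type 2 message too short\n" if length($raw) < 32;
    my ($sig, $type, $tlen, $tmax, $toff, $flags, $nonce) =
        unpack('a8 V v v V V a8', $raw);
    die "not an NTLMSSP message\n" unless $sig eq "NTLMSSP\0";
    die "not a Type 2 message\n"   unless $type == 2;
    die "target name outside message\n" if $toff + $tlen > length($raw);
    return { flags => $flags, nonce => $nonce,
             target => substr($raw, $toff, $tlen) };
}

# Encode the Type 3 domain field as the negotiated flags require.
sub encode_domain {
    my ($domain, $flags) = @_;
    my $unicode = $flags & NEGOTIATE_UNICODE;
    return $unicode
        ? encode('UTF-16LE', $domain)   # two bytes per character
        : $domain;                      # OEM: single bytes (ASCII assumed)
}

# Constructed sample: a Type 2 message for target "CORP" that negotiates
# Unicode and NTLM. The challenge bytes are made up.
my $target = encode('UTF-16LE', 'CORP');
my $sample = encode_base64(
    pack('a8 V v v V V a8', "NTLMSSP\0", 2, length($target), length($target),
         32, NEGOTIATE_UNICODE | NEGOTIATE_NTLM, "\x01\x23\x45\x67\x89\xab\xcd\xef")
    . $target, '');

my $t2 = parse_type2($sample);
printf "flags=0x%08x unicode=%s\n", $t2->{flags},
    ($t2->{flags} & NEGOTIATE_UNICODE) ? 'yes' : 'no';
printf "domain sent as: %s\n", unpack('H*', encode_domain('CORP', $t2->{flags}));
printf "if OEM instead: %s\n", unpack('H*', encode_domain('CORP', NEGOTIATE_OEM));
```

To inspect a real server, pass parse_type2 the base64 token that follows "NTLM " in its WWW-Authenticate challenge header.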