This queue is for tickets about the NTLM CPAN distribution.

Report information
The Basics
Id:
70703
Status:
resolved
Priority:
Low/Low
Queue:

People
Owner:
NBEBOUT [...] cpan.org
Requestors:
yimin.shei [...] drdc-rddc.gc.ca
Cc:
AdminCc:

BugTracker
Severity:
(no value)
Broken in:
(no value)
Fixed in:
(no value)



Subject: Authen::NTLM patch for version 1.08
Date: Fri, 02 Sep 2011 13:23:14 -0600
To: bug-NTLM@rt.cpan.org
From: yimin <yimin.shei@drdc-rddc.gc.ca>
I've been using the AUTHEN::NTLM cpan module indirectly through LWP::Authen::Ntlm, and I'm submitting a patch for improved functionality. I understand that the initial release was probably intended for authenticating against mail servers, but as I'm using this module to authenticate against a Microsoft Sharepoint server, I've run into some difficulties. The simple explanation is that Sharepoint's ntlm authentication likes to authenticate the way that Authen::NTLM is written for ntlm v1 (or $ntlm_v2=0), except for the one thing: $domain=&unicode($domain at line 289) . With Sharepoint, specifying $ntlm_v2=1 through ntlmv2(1) actually does not work, because this then uses $lmResp = &lmv2Encrypt($c_info->{data}); $ntResp = &ntv2Encrypt($c_info->{data}, $c_info->{target_data}); $flags = pack($msg3_tl, $ntlm_v2_msg3_flags); which does not work for Sharepoint. Sharepoint prefers the v1 version: $lmResp = &lmEncrypt($c_info->{data}); $ntResp = &ntEncrypt($c_info->{data}); $flags = pack($msg3_tl, $c_info->{flags}); On online forums, the 'fix' is to replace $domain=substr (....) with $domain = &unicode($domain), but this might break the current functionality with ntlm version 1. Therefore, I suggest that we leave the current functioning code as is, but add a case for $ntlm_v2 = 'sp', by setting ntlmv2('sp'). Since ntlmv2() does not care about input type, we can add future functionality through this. Why 'sp'? At first I thought we can use any arbitrary number, but then that might collide with actual NTLM 'standards' (though with microsoft, there's really no such thing). By using 'sp' though, I have to change match operators for $ntlm_v2 throughout the module to eq, and not use '==' or '>'. After my patch, anyone who wishes to authenticate agaist Sharepoint can invoke in their script / module: use Authen::NTLM qw/ntlmv2/; ntlmv2('sp'); which will essentially run the online forum 'fix' without breaking current functionality. Yours, Yimin Windows Sharepoint Services 3.0 perl, 5.0101 AUTHEN::NTLM 1.08 Linux 2.6.32-33-generic #72-Ubuntu x86_64 GNU/Linux

Message body is not shown because sender requested not to inline it.

Fixed in 1.09 On Fri Sep 02 15:23:29 2011, yimin.shei@drdc-rddc.gc.ca wrote:
Show quoted text
> I've been using the AUTHEN::NTLM cpan module indirectly through > LWP::Authen::Ntlm, and I'm submitting a patch for improved > functionality. > > I understand that the initial release was probably intended for > authenticating against mail servers, but as I'm using this module to > authenticate against a Microsoft Sharepoint server, I've run into some > difficulties. > > The simple explanation is that Sharepoint's ntlm authentication likes to > authenticate the way that Authen::NTLM is written for ntlm v1 (or > $ntlm_v2=0), except for the one thing: $domain=&unicode($domain at line > 289) . > > With Sharepoint, specifying $ntlm_v2=1 through ntlmv2(1) actually does > not work, because this then uses > > $lmResp = &lmv2Encrypt($c_info->{data}); > $ntResp = &ntv2Encrypt($c_info->{data}, $c_info->{target_data}); > $flags = pack($msg3_tl, $ntlm_v2_msg3_flags); > > which does not work for Sharepoint. Sharepoint prefers the v1 version: > > $lmResp = &lmEncrypt($c_info->{data}); > $ntResp = &ntEncrypt($c_info->{data}); > $flags = pack($msg3_tl, $c_info->{flags}); > > On online forums, the 'fix' is to replace $domain=substr (....) with > $domain = &unicode($domain), but this might break the current > functionality with ntlm version 1. > > Therefore, I suggest that we leave the current functioning code as is, > but add a case for $ntlm_v2 = 'sp', by setting ntlmv2('sp'). Since > ntlmv2() does not care about input type, we can add future functionality > through this. Why 'sp'? At first I thought we can use any arbitrary > number, but then that might collide with actual NTLM 'standards' (though > with microsoft, there's really no such thing). By using 'sp' though, I > have to change match operators for $ntlm_v2 throughout the module to eq, > and not use '==' or '>'. > > After my patch, anyone who wishes to authenticate agaist Sharepoint can > invoke in their script / module: > > use Authen::NTLM qw/ntlmv2/; ntlmv2('sp'); > > which will essentially run the online forum 'fix' without breaking > current functionality. > > Yours, > > Yimin > > Windows Sharepoint Services 3.0 > perl, 5.0101 > AUTHEN::NTLM 1.08 > Linux 2.6.32-33-generic #72-Ubuntu x86_64 GNU/Linux > > >


This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.