Re: ldap_ntlm_bind patch from Evolution

Howard Chu <hyc@symas.com> writes:

> If they actually wanted OpenLDAP to include these functions, the author
> of the patch should have contributed it to the ITS.

Instead, they apparently built their own OpenLDAP RPMs with the patch, at
least for a while.  (Google for evo-openldap.)  It looks like they're no
longer doing this and Fedora is just linking with the regular OpenLDAP
RPMs and disabling this functionality.  Most of the mailing list traffic I
can find about it is from 2004.

I don't really get what happened here.  The thread at:


seems to be the most relevant, and there's discussion about getting NTLM
support into OpenLDAP, but then nothing apparently happened?

The changelog entry for evolution-data-server saying that they were
switching back to the regular OpenLDAP libraries references:


but there's not much in the way of useful information there.

The Fedora source RPM has this fascinating tidbit:

| These files are here specifically for use in building the
| evolution-connector package, and should not be used for any other
| purpose.
| In order to authenticate to older servers, an LDAP client must perform
| an ntlm_bind operation instead of a simple or SASL bind.  The ntlm_bind
| is not the same thing as performing SASL authentication using NTLM as
| the mechanism, which wouldn't require any patching.  Newer servers
| properly support DIGEST-MD5, so this requirement only applies to clients
| which want to authenticate to older servers, and this requirement will
| hopefully go away at some point.
| Because the changes involved both modify the libldap ABI and add
| non-standardized messages to the protocol, changed libraries are built
| statically and stashed in a directory where they will not be found by a
| compiler using the default search paths.
| The openldap-devel package provides "openldap-evolution-devel" if it
| includes a patched version of these libraries in such a directory.
| Packages which depend on these libraries should BuildRequire this
| virtual provision so that they don't fail to compile or get miscompiled
| if the libraries are not present.
| If/when the evolution-connector package stops requiring these changes,
| the changed libraries will simply disappear.

It's really remarkable how much work people seem to be going to in this
area without coordinating with you at all.

> But without a published spec, I don't see any reason for us to adopt
> this patch. Where is the spec that documents this feature?

I doubt there is any, given the quality of the discussion around it.

Looking at it, it looks like NTLM is a multi-step authentication protocol
similar to many of the SASL mechanisms, and this API essentially sets up a
callback out of the OpenLDAP library to handle each step of the NTLM
authentication.  There is separate NTLM authentication code in
evolution-data-server that does the actual NTLM processing and feeds the
results back into the function added by this patch.

I'm guessing that adding another non-SASL authentication mechanism to
OpenLDAP, even should someone contribute back all of the NTLM code, isn't
looking horribly attractive.  I'm going to file a bug against the Debian
evolution-data-server package and ask them if they think they still need
this support.  The path of least resistance looks to me to be dropping
this patch and the corresponding NTLM support from e-d-s and only
supporting servers that can do SASL or simple binds.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>