
Re: ldap_ntlm_bind patch from Evolution

Russ Allbery wrote:
Howard Chu <hyc@symas.com> writes:

If they actually wanted OpenLDAP to include these functions, the author
of the patch should have contributed it to the ITS.

Instead, they apparently built their own OpenLDAP RPMs with the patch, at least for a while. (Google for evo-openldap.) It looks like they're no longer doing this and Fedora is just linking with the regular OpenLDAP RPMs and disabling this functionality. Most of the mailing list traffic I can find about it is from 2004.

I don't really get what happened here.  The thread at:


seems to be the most relevant, and there's discussion about getting NTLM
support into OpenLDAP, but then nothing apparently happened?

There's no NTLM submission anywhere in ITS, at least. I guess with the mention of SASL/NTLM support the conversation died.

The changelog entry for evolution-data-server saying that they were
switching back to the regular OpenLDAP libraries references:


but there's not much in the way of useful information there.

The Fedora source RPM has this fascinating tidbit:

| These files are here specifically for use in building the
| evolution-connector package, and should not be used for any other
| purpose.

It's really remarkable how much work people seem to be going to in this
area without coordinating with you at all.

Never ceases to amaze me...

But without a published spec, I don't see any reason for us to adopt
this patch. Where is the spec that documents this feature?

I doubt there is any, given the quality of the discussion around it.

Looking at it, it looks like NTLM is a multi-step authentication protocol
similar to many of the SASL mechanisms, and this API essentially sets up a
callback out of the OpenLDAP library to handle each step of the NTLM
authentication.  There is separate NTLM authentication code in
evolution-data-server that does the actual NTLM processing and feeds the
results back into the function added by this patch.

I'm guessing that adding another non-SASL authentication mechanism to
OpenLDAP, even should someone contribute back all of the NTLM code, isn't
looking horribly attractive.  I'm going to file a bug against the Debian
evolution-data-server package and ask them if they think they still need
this support.  The path of least resistance looks to me to be dropping
this patch and the corresponding NTLM support from e-d-s and only
supporting servers that can do SASL or simple binds.

Yes, since it's described as only being needed to bind to older servers, it seems pretty pointless.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
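The callback-driven, multi-step bind that Russ describes above (the library drives the exchange with the server and hands each mechanism-specific step to application code) as an added example; this is not code from the thread, from OpenLDAP or from evolution-data-server. Everything in it is constructed: the `ToyBindServer`, the message dictionaries and the HMAC-SHA256 challenge/response mechanism, which stands in for NTLM and is not NTLM; `library_bind` and `make_client_callback` are hypothetical names, not the patch's API.

```python
"""Added example: a mechanism-agnostic bind loop with a per-step callback.

The "library" below knows nothing about the mechanism. It only shuttles
messages to and from the server and, once per step, asks the application's
callback what to send next. The mechanism itself (here a constructed
HMAC-SHA256 challenge/response, NOT NTLM) lives entirely in the callback,
which is the split Russ describes between the patched library and the
NTLM code in evolution-data-server.
"""
import hashlib
import hmac
import os

MAX_STEPS = 4  # constructed upper bound on round trips per bind


class ToyBindServer:
    """Constructed server: one outstanding challenge per connection id."""

    def __init__(self, users):
        self.users = users      # {username: shared secret bytes}
        self.pending = {}       # conn_id -> (username, nonce)

    def step(self, conn_id, msg):
        if msg["type"] == "negotiate":
            # Fresh nonce per attempt so a captured response cannot be replayed.
            nonce = os.urandom(16)
            self.pending[conn_id] = (msg["user"], nonce)
            return {"type": "challenge", "nonce": nonce}
        if msg["type"] == "response":
            pend = self.pending.pop(conn_id, None)
            if pend is None or pend[0] != msg["user"]:
                # No challenge outstanding, or answer for a different user.
                return {"type": "result", "success": False}
            user, nonce = pend
            secret = self.users.get(user, b"")
            expected = hmac.new(secret, nonce + user.encode(), hashlib.sha256).digest()
            ok = user in self.users and hmac.compare_digest(expected, msg["proof"])
            return {"type": "result", "success": ok}
        return {"type": "result", "success": False}


def library_bind(server, conn_id, callback):
    """Hypothetical library entry point: drives the exchange, owns no secrets.

    callback(server_msg) returns the next client message, or None to abort.
    The first call receives None because no server message exists yet.
    """
    reply = None
    for _ in range(MAX_STEPS):
        out = callback(reply)
        if out is None:
            return False
        reply = server.step(conn_id, out)
        if reply["type"] == "result":
            return bool(reply["success"])
    return False  # mechanism never converged; treat as failure


def make_client_callback(user, secret):
    """Application-side mechanism code: the only place the secret is used."""

    def callback(server_msg):
        if server_msg is None:
            return {"type": "negotiate", "user": user}
        if server_msg["type"] == "challenge":
            proof = hmac.new(secret, server_msg["nonce"] + user.encode(),
                             hashlib.sha256).digest()
            return {"type": "response", "user": user, "proof": proof}
        return None  # unexpected message: abort rather than guess

    return callback


def demo():
    """Constructed sample run: returns the outcome of four bind attempts."""
    server = ToyBindServer({"alice": b"constructed-secret"})
    return {
        "good": library_bind(server, 1, make_client_callback("alice", b"constructed-secret")),
        "bad_secret": library_bind(server, 2, make_client_callback("alice", b"wrong")),
        "unknown_user": library_bind(server, 3, make_client_callback("mallory", b"x")),
        # A response sent with no challenge outstanding must be rejected.
        "no_challenge": server.step(4, {"type": "response", "user": "alice",
                                        "proof": b"\x00" * 32})["success"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in `library_bind`: it never sees a secret and never compares anything, so adding a mechanism does not require touching the library. That is also what SASL already provides, which is why the thread sees little reason to carry a second, mechanism-specific bind entry point.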