Re: How to fall back to ask for a password when NTLM single-sign-on failed

From: Wu, Mandy <mandy.wu_at_intel.com>
Date: Tue, 21 Jun 2011 11:45:58 +0800

On Tue, 2011-06-21 at 05:59 +0800, Daniel Stenberg wrote:
> I'll admit I don't quite understand what "NTLM single-sign-on" is and how it
> differs from ordinary NTLM etc,
It actually doesn't have any difference in protocol. The only thing is to
delegate the NTLM challenge/response protocol to a 'winbind' helper
in /usr/bin/ntlm_auth, so that the logged-in user doesn't have to input the
password again (so-called single-sign-on). The user's credential data is
"saved" in Samba's 'winbind' when s/he logs in to the OS.

> Is there any way we can make test cases for this?
Will see if that is possible.
> > +#ifdef USE_NTLM_SSO
> > + if(1 &&
> > +#else
> > if(conn->bits.user_passwd &&
> > +#endif
> > ((data->req.httpcode == 401) ||
> > (conn->bits.authneg && data->req.httpcode < 300))) {
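Review bot: Wrapping half of the `if` header in `#ifdef USE_NTLM_SSO` / `#else` with `if(1 &&` drops the `conn->bits.user_passwd` guard for every request in an SSO-enabled build, not only the requests that will actually use the helper, and a condition split across preprocessor branches is hard to read. Suggest computing a single boolean before the `if` (credentials configured, with the SSO case as one input) and keeping one condition in both builds.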
>
> This seems like a funny change. If we really can unconditionally do that check
> when USE_NTLM_SSO is set then we ought to be able to always do it and then the
> check seems pointless. For the other "ticket-based" auth types libcurl already
> forces the users to set a "fake" user in order to trigger authentication to
> happen and I guess NTLM SSO can too. (The same applies to the same change you
> did to the proxy auth code.)
A "fake" user makes sense. I was thinking of doing so, but could not
find where to start. Could you tell me which file/method I should work
on?
> Do all the auth types/test cases work with this change applied?
>
> > else {
> > +#ifdef USE_NTLM_SSO
> > + /* NTLM single-sign-on, continue please */ ;
> > +#else
> > authhost->done = TRUE;
> > authproxy->done = TRUE;
> > return CURLE_OK; /* no authentication with no user or password */
> > +#endif
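Review bot: In the `USE_NTLM_SSO` branch the early `return CURLE_OK` and the `authhost->done = TRUE;` / `authproxy->done = TRUE;` assignments disappear, so an SSO-enabled build falls through into the authentication code for every connection that has no user or password, including ones that will never use the helper, and nothing marks those auth states as finished. Suggest keeping the early return and skipping it only when an SSO helper is actually selected at runtime. As a style point, the `;` after the `/* NTLM single-sign-on, continue please */` comment is a stray empty statement; the comment alone is enough for an empty else-body.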
>
> Does this really make sense? Just because libcurl was built to support NTLM
> SSO you can skip that code unconditionally?
Hmmm, this can be removed if I can set up a "fake" user.
> > + username = getenv("NTLMUSER");
> > + if(!username)
> > + username = getenv("USER");
> > + if(!username)
> > + goto done;
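Review bot: `getenv("NTLMUSER")` / `getenv("USER")` are set by whatever process loaded the library, so they are not a reliable statement of which account is logged in, and the `goto done` when both are unset silently skips the NTLM step without reporting anything to the caller. Suggest taking the account name from the handle's configured credentials and returning a distinct error when no name is available, so the application can decide to prompt rather than discovering a missing header later.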
>
> I don't think getting info from environment variables like this is a good
> library API. What about using conn->user ?
I will need the login username to pass to "ntlm_auth". The problem here is
whether it is proper to set conn->user as the login user. What if the
client passes a different user to libcurl than the login user? Which one
should be considered first?

And when NTLM single-sign-on fails (for example, ntlm_auth returns an
invalid type3 message), how do I fall back to ask for a password to
continue authentication?

I will fix the rest of the stuff.

Thanks Daniel for your quick response.

Thanks,
Mandy
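The helper delegation described in the mail, as an added example in C that is not code from this thread, the patch, or libcurl itself: it drives /usr/bin/ntlm_auth over two pipes and treats a "BH" reply or anything that is not a base64 payload as an SSO failure, so the caller can fall back to password-based NTLM instead of sending a bogus type3. The helper protocol details (`--helper-protocol=ntlmssp-client-1`, `--use-cached-creds`, the YR/TT/KK lines) are assumed from Samba's ntlm_auth documentation, not from this thread.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
typedef enum { WB_TYPE1, WB_TYPE3, WB_FAILED, WB_GARBLED } wb_result;
static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
/* Classify one reply line of ntlm_auth's ntlmssp-client-1 protocol (format
 * assumed from the Samba docs, not from the mail): "YR <b64>" = Type-1,
 * "KK <b64>" = Type-3, "BH <text>" = helper failure; anything else is garbled. */
wb_result ntlm_wb_parse(const char *line, char *out, size_t outlen)
{
  size_t len = strcspn(line, "\r\n");                /* strip line ending */
  if(!strncmp(line, "BH ", 3))
    return WB_FAILED;
  if((strncmp(line, "YR ", 3) && strncmp(line, "KK ", 3)) || len <= 3 ||
     len - 3 >= outlen || strspn(line + 3, B64) != len - 3)
    return WB_GARBLED;                               /* not a base64 payload */
  snprintf(out, outlen, "%.*s", (int)(len - 3), line + 3);
  return line[0] == 'Y' ? WB_TYPE1 : WB_TYPE3;
}

/* One SSO round trip: get the Type-1 from the helper, hand it the server's Type-2
 * (base64), collect the Type-3. Returns 0 on success, -1 on helper failure or garbage. */
int ntlm_wb_exchange(const char *user, const char *type2_b64,
                     char *type1, char *type3, size_t outlen)
{
  int to[2], from[2], rc = -1; char line[1024], uarg[256];
  if(pipe(to) || pipe(from)) return -1;
  pid_t pid = fork();
  if(pid == 0) {                                     /* child runs the helper */
    dup2(to[0], 0); dup2(from[1], 1);
    snprintf(uarg, sizeof uarg, "--username=%s", user);
    execl("/usr/bin/ntlm_auth", "ntlm_auth", "--helper-protocol=ntlmssp-client-1",
          "--use-cached-creds", uarg, (char *)NULL);
    _exit(127);
  }
  close(to[0]); close(from[1]);
  FILE *wr = fdopen(to[1], "w"), *rd = fdopen(from[0], "r");
  if(pid > 0 && wr && rd) {
    fprintf(wr, "YR\n"); fflush(wr);                 /* request the Type-1 */
    if(fgets(line, sizeof line, rd) && ntlm_wb_parse(line, type1, outlen) == WB_TYPE1) {
      fprintf(wr, "TT %s\n", type2_b64); fflush(wr);  /* hand over the Type-2 */
      if(fgets(line, sizeof line, rd) && ntlm_wb_parse(line, type3, outlen) == WB_TYPE3)
        rc = 0;
    }
  }
  if(wr) fclose(wr); if(rd) fclose(rd);
  if(pid > 0) waitpid(pid, NULL, 0);
  return rc;
}
```

A caller that gets -1 from ntlm_wb_exchange() still holds the server's type2 challenge and can continue the same NTLM negotiation with an explicitly supplied user and password.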

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2011-06-21