
Re: [serf-dev] [Patch] Adding NTLM Support to Serf - Work in progress / Subversion regression

From: Mark Phippard <markphip_at_gmail.com>
Date: Thu, 20 Jun 2013 10:00:43 -0400

On Thu, Jun 20, 2013 at 9:52 AM, Ivan Zhakov <ivan_at_visualsvn.com> wrote:
> On Thu, Jun 20, 2013 at 5:44 PM, Mark Phippard <markphip_at_gmail.com> wrote:
>> On Thu, Jun 20, 2013 at 9:40 AM, Ivan Zhakov <ivan_at_visualsvn.com> wrote:
>>> On Thu, Jun 20, 2013 at 5:30 PM, Bert Huijben <bert_at_qqmail.nl> wrote:
>>> [...]
>>>
>>>> The patch to serf 1.2.1 attached to this mail is a (tiny bit cleaned up)
>>>> hack based on the old code in ra_serf, some code from an old serf branch and
>>>> the new in serf auth_kerb code, which re-enables the NTLM authentication
>>>> scheme in serf.
>>>>
>>>>
>>> I'm -1 for such a patch:
>>> * It duplicates auth_kerb.c, which is intended to have the same auth code
>>> on different platforms with pluggable platform-specific code
>>>
>>> * serf should not try to use NTLM authentication if server supports Negotiate.
>>
>> So you are saying you do not think Serf should support mod_auth_sspi
>> and do not consider this a regression? Could you explain that
>> position with more detail?
> Mark,
>
> You didn't understand me. There are two HTTP authentication schemes
> for automatic authentication:
> * NTLM
> Uses Windows NTLM authentication
>
> * Negotiate (SPNEGO)
> Uses NTLM or Kerberos depending on what is supported by server and client.
>
> NTLM is not documented AFAIK, while Negotiate (SPNEGO) is documented
> by RFC 4559 [1]
>
> Serf supports only Negotiate authentication schemes. Which
> automatically provides you NTLM or Kerberos.
>
> mod_auth_sspi can be configured to use Negotiate protocol using
> "SSPIPackage Negotiate" server side directive. Bert reported that with
> "SSPIPackage Negotiate" is working fine, but neon doesn't.
>
> My position is that serf should use only Negotiate authentication
> scheme if server supports both NTLM and Negotiate authentication
> schemes.

If existing 1.7, 1.6 etc clients do not support this, then your
position is untenable, one might even say ludicrous. That is why I am
asking for more explanation. Surely this cannot be what you are
saying?

We can all agree we have a significant number of existing users using
an automatic authentication method with Windows. I am calling that
mod_auth_sspi. I guess to use your terms, that means NTLM. Are any
of these users using the SSPI negotiate option? If our pre-1.8
clients do not support that option then I would have to say No.

I fail to see how you can justify a veto here.

-- 
Thanks
Mark Phippard
http://markphip.blogspot.com/
Received on 2013-06-20 16:01:14 CEST

This is an archived mail posted to the Subversion Dev mailing list.
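
The scheme preference argued over in this thread (use Negotiate when the server offers both, fall back to NTLM only when it is the sole automatic scheme offered), as an added example that is not serf's code or the attached patch. The names `choose_auto_scheme` and `auth_scheme_t` are hypothetical, and each array element is assumed to be the value of one `WWW-Authenticate` header carrying a single challenge.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; ordered so that a larger value is preferred. */
typedef enum { AUTH_NONE = 0, AUTH_NTLM = 1, AUTH_NEGOTIATE = 2 } auth_scheme_t;

/* Case-insensitive match of a whole scheme token ("NTLMish" is not "NTLM"). */
static int token_is(const char *s, size_t len, const char *name)
{
    if (len != strlen(name)) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Classify one WWW-Authenticate value by its leading scheme token. */
static auth_scheme_t scheme_of(const char *challenge)
{
    challenge += strspn(challenge, " \t");
    size_t len = strcspn(challenge, " \t");
    if (token_is(challenge, len, "Negotiate"))
        return AUTH_NEGOTIATE;
    if (token_is(challenge, len, "NTLM"))
        return AUTH_NTLM;
    return AUTH_NONE;   /* Basic, Digest, ...: not an automatic scheme */
}

/* Pick Negotiate if offered, else NTLM, else nothing automatic. */
auth_scheme_t choose_auto_scheme(const char *const *challenges, size_t n)
{
    auth_scheme_t best = AUTH_NONE;
    for (size_t i = 0; i < n; i++) {
        auth_scheme_t s = scheme_of(challenges[i]);
        if (s > best) best = s;
    }
    return best;
}

int main(void)
{
    /* Constructed header values, not captured from a real server. */
    const char *both[] = { "NTLM", "Negotiate", "Basic realm=\"svn\"" };
    const char *ntlm_only[] = { "NTLM" };
    printf("both -> %d, NTLM only -> %d\n", (int)choose_auto_scheme(both, 3),
           (int)choose_auto_scheme(ntlm_only, 1));
    return 0;
}
```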