
Re: [serf-dev] [Patch] Adding NTLM Support to Serf - Work in progress / Subversion regression

From: Branko Čibej <brane_at_wandisco.com>
Date: Thu, 20 Jun 2013 16:24:14 +0200

On 20.06.2013 16:00, Mark Phippard wrote:
> On Thu, Jun 20, 2013 at 9:52 AM, Ivan Zhakov <ivan_at_visualsvn.com> wrote:
>> On Thu, Jun 20, 2013 at 5:44 PM, Mark Phippard <markphip_at_gmail.com> wrote:
>>> On Thu, Jun 20, 2013 at 9:40 AM, Ivan Zhakov <ivan_at_visualsvn.com> wrote:
>>>> On Thu, Jun 20, 2013 at 5:30 PM, Bert Huijben <bert_at_qqmail.nl> wrote:
>>>> [...]
>>>>
>>>>> The patch to serf 1.2.1 attached to this mail is a (tiny bit cleaned up)
>>>>> hack based on the old code in ra_serf, some code from an old serf branch and
>>>>> the new in serf auth_kerb code, which re-enables the NTLM authentication
>>>>> scheme in serf.
>>>>>
>>>>>
>>>> I'm -1 for such a patch:
>>>> * It duplicates auth_kerb.c, which is intended to have the same auth code
>>>> on different platforms with pluggable platform-specific code
>>>>
>>>> * serf should not try to use NTLM authentication if the server supports Negotiate.
>>> So you are saying you do not think Serf should support mod_auth_sspi
>>> and do not consider this a regression? Could you explain that
>>> position with more detail?
>> Mark,
>>
>> You didn't understand me. There are two HTTP authentication schemes
>> for automatic authentication:
>> * NTLM
>> Uses Windows NTLM authentication
>>
>> * Negotiate (SPNEGO)
>> Uses NTLM or Kerberos depending on what is supported by server and client.
>>
>> NTLM is not documented AFAIK, while Negotiate (SPNEGO) is documented
>> by RFC 4559 [1]
>>
>> Serf supports only Negotiate authentication schemes. Which
>> automatically provides you NTLM or Kerberos.
>>
>> mod_auth_sspi can be configured to use Negotiate protocol using
>> "SSPIPackage Negotiate" server side directive. Bert reported that with
>> "SSPIPackage Negotiate" it is working fine, but neon doesn't.
>>
>> My position is that serf should use only Negotiate authentication
>> scheme if server supports both NTLM and Negotiate authentication
>> schemes.
> If existing 1.7, 1.6 etc clients do not support this, then your
> position is untenable, one might even say ludicrous. That is why I am
> asking for more explanation. Surely this cannot be what you are
> saying?
>
> We can all agree we have a significant number of existing users using
> an automatic authentication method with Windows. I am calling that
> mod_auth_sspi. I guess to use your terms, that means NTLM. Are any
> of these users using the SSPI negotiate option? If our pre-1.8
> clients do not support that option then I would have to say No.
>
> I fail to see how you can justify a veto here.

I have to agree. The veto is fine on aesthetic grounds but kind of fails
to take account of reality.

-- Brane

-- 
Branko Čibej | Director of Subversion
WANdisco // Non-Stop Data
e. brane_at_wandisco.com
Received on 2013-06-20 16:24:57 CEST

This is an archived mail posted to the Subversion Dev mailing list.
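
The scheme-selection policy argued over in this thread, as an added example that is not part of the original mails and is not serf's code: prefer Negotiate whenever the server offers it, and use NTLM only when the server offers no Negotiate challenge and the caller permits the fallback. The names `choose_scheme`, `scheme_is` and `allow_ntlm` are hypothetical, the sample header values are constructed, and each array element is assumed to hold the value of one `WWW-Authenticate` header.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum { AUTH_NONE, AUTH_NTLM, AUTH_NEGOTIATE } auth_scheme_t;

/* Constructed sample inputs: one WWW-Authenticate value per element. */
static const char *const NTLM_ONLY[] = { "NTLM", "Basic realm=\"svn\"" };
static const char *const BOTH[]      = { "ntlm", "Negotiate" };
static const char *const LOOKALIKE[] = { "NTLMv9", "Negotiated" };

/* Case-insensitive match of the auth-scheme token that starts a challenge.
   The token must end at NUL, space or tab, so "NTLMv9" is not "NTLM". */
static int scheme_is(const char *value, const char *name)
{
    size_t i, n = strlen(name);
    while (*value == ' ' || *value == '\t')
        value++;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)value[i]) != tolower((unsigned char)name[i]))
            return 0;
    return value[n] == '\0' || value[n] == ' ' || value[n] == '\t';
}

/* Negotiate wins whenever it is offered. NTLM is chosen only when no
   Negotiate challenge is present and allow_ntlm is nonzero;
   allow_ntlm = 0 models a Negotiate-only client. */
auth_scheme_t choose_scheme(const char *const *challenges, size_t count,
                            int allow_ntlm)
{
    auth_scheme_t best = AUTH_NONE;
    size_t i;
    for (i = 0; i < count; i++) {
        if (scheme_is(challenges[i], "Negotiate"))
            return AUTH_NEGOTIATE;
        if (allow_ntlm && scheme_is(challenges[i], "NTLM"))
            best = AUTH_NTLM;
    }
    return best;
}

int main(void)
{
    printf("NTLM only, fallback on:  %d\n", choose_scheme(NTLM_ONLY, 2, 1));
    printf("NTLM only, fallback off: %d\n", choose_scheme(NTLM_ONLY, 2, 0));
    printf("both offered:            %d\n", choose_scheme(BOTH, 2, 1));
    printf("lookalike tokens:        %d\n", choose_scheme(LOOKALIKE, 2, 1));
    return 0;
}
```

With the fallback disabled, a server that offers only NTLM yields `AUTH_NONE`, which is the case the replies describe as a regression for existing users.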