[Dovecot] Concerned about Dovecot's new NTLM code
I'm pleased to see another project increasing compatibility with windows clients, by the addition of NTLM login support, but I'm a bit worried about a few implementation details, and hope to offer an alternate approach.
I mean no disrespect to those who have implemented the code so far, but I feel that the idea of 'everybody re-implement NTLM' is prone to failure.
Firstly, the bugs I've noticed by casual inspection of your implementation:
- Unicode support is by 'null padding' - there is no real support for non-ascii characters.
- NTLM2 (a negotiated scheme to avoid sending the LM response) is unsupported
- NTLMSSP is NDR, not 'C struct pushed to the wire', it needs to be correctly marshaled and unmarshaled.
There are other missing features, some of which are rumoured to become mandatory flags in future, but more importantly, because the implementation is standalone, it has no ability to integrate into an NT/Win2k/Samba domain.
As part of the Samba team, I have worked with other projects - Squid in particular, to deliver server-side (and client-side) NTLMSSP authentication, without the need to re-implement the NTLMSSP protocol.
This is done by a callout to 'ntlm_auth', a Samba 3.0 utility designed for this purpose, which in turn can contact domain controllers, allowing for seamless single sign on.
http://samba.org/samba/docs/man/ntlm_auth.1.html
I have recently completed reworking mod_ntlm_winbind for a similar purpose, and have patches for cyrus-sasl in my 'lorikeet' subversion repository. These should serve as good examples for the simple fork()/exec() model that is used, and also show the support for GSS-SPNEGO (aka HTTP Negotiate) that ntlm_auth also provides.
http://download.samba.org/ftp/unpacked/lorikeet/trunk/
My hope is that I can tempt a Dovecot developer to take on the challenge of modifying Dovecot to use ntlm_auth, and am most willing to answer any questions (here, by private mail or on the samba-technical list) that you may have on the issue.
Thanks,
Andrew Bartlett
Andrew Bartlett <abartlet@samba.org>
Authentication Developer, Samba Team    http://samba.org
Student Network Administrator, Hawker College    abartlet@hawkerc.net
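As an added example (not code from the post above, from Dovecot, or from Samba), here is a small Python marshaller and unmarshaller for the NTLMSSP NEGOTIATE (Type 1) message. It illustrates the first and third bugs listed above: the domain and workstation strings are carried in security-buffer descriptors whose offsets are relative to the start of the whole message, so a flat C struct pushed to the wire does not describe the format and a parser must bounds-check each descriptor; and the Unicode flag selects real UTF-16LE encoding, which the 'null padding' shortcut only reproduces for ASCII. The OEM branch uses code page 437 as a constructed stand-in for whatever OEM code page a peer really uses, and the sample strings are made up.

```python
"""
NTLMSSP NEGOTIATE (Type 1) marshalling, written as an illustration for the
discussion above.  Layout: 8-byte "NTLMSSP\0" signature, u32 LE message type,
u32 LE negotiate flags, then two security-buffer descriptors (Len u16,
MaxLen u16, Offset u32) for DomainName and Workstation, followed by the
variable-length payload the offsets point into.
"""
import struct

SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE = 1
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_OEM = 0x00000002
NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x00001000
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000

# Size of the fixed part that precedes the payload: signature, type, flags,
# and two 8-byte security-buffer descriptors.
FIXED_LEN = 8 + 4 + 4 + 8 + 8
OEM_CODEPAGE = "cp437"  # assumption: a stand-in for the peer's real OEM code page


def null_pad(s: str) -> bytes:
    """The 'null padding' shortcut: a zero byte after each byte of the
    string's byte form.  Matches UTF-16LE only while every byte is ASCII."""
    return b"".join(bytes([b, 0]) for b in s.encode("utf-8"))


def encode_string(s: str, flags: int) -> bytes:
    """Encode a string as the negotiated character set requires."""
    if flags & NTLMSSP_NEGOTIATE_UNICODE:
        return s.encode("utf-16-le")
    return s.encode(OEM_CODEPAGE, "replace")


def decode_string(raw: bytes, flags: int) -> str:
    if flags & NTLMSSP_NEGOTIATE_UNICODE:
        return raw.decode("utf-16-le")
    return raw.decode(OEM_CODEPAGE)


def build_negotiate(flags: int, domain: str = "", workstation: str = "") -> bytes:
    """Marshal a Type 1 message: descriptors first, payload appended after
    the fixed part, each Offset computed relative to byte 0 of the message."""
    descriptors = b""
    payload = b""
    for value in (domain, workstation):
        data = encode_string(value, flags)
        descriptors += struct.pack("<HHI", len(data), len(data), FIXED_LEN + len(payload))
        payload += data
    return SIGNATURE + struct.pack("<II", NTLMSSP_NEGOTIATE, flags) + descriptors + payload


def parse_negotiate(msg: bytes) -> dict:
    """Unmarshal a Type 1 message, validating every descriptor against the
    message length before dereferencing it (the peer controls the offsets)."""
    if len(msg) < 16 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != NTLMSSP_NEGOTIATE:
        raise ValueError(f"expected NEGOTIATE (1), got type {msg_type}")
    out = {"flags": flags, "domain": "", "workstation": ""}
    for name, pos in (("domain", 16), ("workstation", 24)):
        if len(msg) < pos + 8:
            break  # minimal Type 1 messages omit the trailing descriptors
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        if length == 0:
            continue
        if offset < FIXED_LEN or offset + length > len(msg):
            raise ValueError(f"{name} security buffer points outside the message")
        out[name] = decode_string(msg[offset:offset + length], flags)
    return out


def null_padding_roundtrip(s: str) -> str:
    """What a UTF-16LE-aware peer sees when the sender used null padding."""
    return null_pad(s).decode("utf-16-le")


if __name__ == "__main__":
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM
    msg = build_negotiate(flags, "MUELLER-AG", "ws1")  # constructed sample values
    print(msg.hex())
    print(parse_negotiate(msg))
    print(repr(null_padding_roundtrip("Müller")))  # not "Müller"
```

The design point is the descriptor loop: each string's position is recorded as an absolute offset and its length is checked against the full message before the slice is taken, which is exactly the step a "cast the buffer to a struct" implementation skips.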
--On Sunday, September 26, 2004 9:14 AM +1000 Andrew Bartlett abartlet@samba.org wrote:
> My hope is that I can tempt a Dovecot developer to take on the challenge of modifying Dovecot to use ntlm_auth, and am most willing to answer any questions (here, by private mail or on the samba-technical list) that you may have on the issue.
Thanks, Andrew. As the saying goes, "Good programmers write code, Great programmers steal it." It also helps to "stand on the shoulders of giants". (Nice article on the origin of that phrase at http://www.aerospaceweb.org/question/history/q0162b.shtml.)