Russ Allbery wrote:
Howard Chu <hyc@symas.com> writes:
If they actually wanted OpenLDAP to include these functions, the author of the patch should have contributed it to the ITS.
Instead, they apparently built their own OpenLDAP RPMs with the patch, at least for a while. (Google for evo-openldap.) It looks like they're no longer doing this and Fedora is just linking with the regular OpenLDAP RPMs and disabling this functionality. Most of the mailing list traffic I can find about it is from 2004.
I don't really get what happened here. The thread at:
http://osdir.com/ml/gnome.evolution.devel/2004-05/msg00123.html
seems to be the most relevant, and there's discussion about getting NTLM support into OpenLDAP, but then nothing apparently happened?
There's no NTLM submission anywhere in ITS, at least. I guess with the mention of SASL/NTLM support the conversation died.
The changelog entry for evolution-data-server saying that they were switching back to the regular OpenLDAP libraries references:
https://bugzilla.redhat.com/show_bug.cgi?id=167238
but there's not much in the way of useful information there.
The Fedora source RPM has this fascinating tidbit:
| These files are here specifically for use in building the
| evolution-connector package, and should not be used for any other
| purpose.
It's really remarkable how much work people seem to be going to in this area without coordinating with you at all.
Never ceases to amaze me...
But without a published spec, I don't see any reason for us to adopt this patch. Where is the spec that documents this feature?
I doubt there is any, given the quality of the discussion around it.
Looking at it, it looks like NTLM is a multi-step authentication protocol similar to many of the SASL mechanisms, and this API essentially sets up a callback out of the OpenLDAP library to handle each step of the NTLM authentication. There is separate NTLM authentication code in evolution-data-server that does the actual NTLM processing and feeds the results back into the function added by this patch.
I'm guessing that adding another non-SASL authentication mechanism to OpenLDAP, even should someone contribute back all of the NTLM code, isn't looking horribly attractive. I'm going to file a bug against the Debian evolution-data-server package and ask them if they think they still need this support. The path of least resistance looks to me to be dropping this patch and the corresponding NTLM support from e-d-s and only supporting servers that can do SASL or simple binds.
Yes, since it's described as only being needed to bind to older servers, it seems pretty pointless.