The Debian packaging of OpenLDAP has been carrying around the attached patch for many years now, and I'd really like to make it go away. Adding new functions to the exposed ABI of a library is really not kosher.
However, it looks like Evolution really does use this patch for its Exchange addressbook feature, it falls back on doing simple binds with passwords without it, and it is apparently still a recommended patch. I'm attaching the patch as shipped with the evolution-exchange package, although the code that actually uses it is now in evolution-data-server.
What should we do with this? Is what Evolution wants to do just broken? Obsolete in some way? Is there some other API that they could now use? I'm happy to file bugs against the corresponding Debian packages so that we can get rid of this patch, but I don't know what to tell them and don't even entirely understand what they're trying to accomplish.
=== begin quote of patch from evolution-exchange ===
(Note that this patch is not useful on its own... it just adds some hooks to work with the LDAP authentication process at a lower level than the API otherwise allows. The code that calls these hooks and actually drives the NTLM authentication process is in lib/e2k-global-catalog.c, and the code that actually implements the NTLM algorithms is in xntlm/.)
This is a patch against OpenLDAP 2.2.6. Apply with -p0
--- include/ldap.h.orig 2004-01-01 13:16:28.000000000 -0500 +++ include/ldap.h 2004-07-14 11:58:49.000000000 -0400 @@ -1753,5 +1753,26 @@ LDAPControl **cctrls ));
+/* + * hacks for NTLM + */ +#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU) +#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU) +LDAP_F( int ) +ldap_ntlm_bind LDAP_P(( + LDAP *ld, + LDAP_CONST char *dn, + ber_tag_t tag, + struct berval *cred, + LDAPControl **sctrls, + LDAPControl **cctrls, + int *msgidp )); +LDAP_F( int ) +ldap_parse_ntlm_bind_result LDAP_P(( + LDAP *ld, + LDAPMessage *res, + struct berval *challenge)); + + LDAP_END_DECL #endif /* _LDAP_H */ --- libraries/libldap/Makefile.in.orig 2004-01-01 13:16:29.000000000 -0500 +++ libraries/libldap/Makefile.in 2004-07-14 13:37:23.000000000 -0400 @@ -20,7 +20,7 @@ SRCS = bind.c open.c result.c error.c compare.c search.c \ controls.c messages.c references.c extended.c cyrus.c \ modify.c add.c modrdn.c delete.c abandon.c \ - sasl.c sbind.c kbind.c unbind.c cancel.c \ + sasl.c ntlm.c sbind.c kbind.c unbind.c cancel.c \ filter.c free.c sort.c passwd.c whoami.c \ getdn.c getentry.c getattr.c getvalues.c addentry.c \ request.c os-ip.c url.c sortctrl.c vlvctrl.c \ @@ -29,7 +29,7 @@ OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ controls.lo messages.lo references.lo extended.lo cyrus.lo \ modify.lo add.lo modrdn.lo delete.lo abandon.lo \ - sasl.lo sbind.lo kbind.lo unbind.lo cancel.lo \ + sasl.lo ntlm.lo sbind.lo kbind.lo unbind.lo cancel.lo \ filter.lo free.lo sort.lo passwd.lo whoami.lo \ getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \ request.lo os-ip.lo url.lo sortctrl.lo vlvctrl.lo \ --- /dev/null 2004-06-30 15:04:37.000000000 -0400 +++ libraries/libldap/ntlm.c 2004-07-14 13:44:18.000000000 -0400 @@ -0,0 +1,137 @@ +/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ +/* + * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. + * COPYING RESTRICTIONS APPLY, see COPYRIGHT file + */ + +/* Mostly copied from sasl.c */ + +#include "portable.h" + +#include <stdlib.h> +#include <stdio.h> + +#include <ac/socket.h> +#include <ac/string.h> +#include <ac/time.h> +#include <ac/errno.h> + +#include "ldap-int.h" + +int +ldap_ntlm_bind( + LDAP *ld, + LDAP_CONST char *dn, + ber_tag_t tag, + struct berval *cred, + LDAPControl **sctrls, + LDAPControl **cctrls, + int *msgidp ) +{ + BerElement *ber; + int rc; + ber_int_t id; + + Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 ); + + assert( ld != NULL ); + assert( LDAP_VALID( ld ) ); + assert( msgidp != NULL ); + + if( msgidp == NULL ) { + ld->ld_errno = LDAP_PARAM_ERROR; + return ld->ld_errno; + } + + /* create a message to send */ + if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) { + ld->ld_errno = LDAP_NO_MEMORY; + return ld->ld_errno; + } + + assert( LBER_VALID( ber ) ); + + LDAP_NEXT_MSGID( ld, id ); + rc = ber_printf( ber, "{it{istON}" /*}*/, + id, LDAP_REQ_BIND, + ld->ld_version, dn, tag, + cred ); + + /* Put Server Controls */ + if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) { + ber_free( ber, 1 ); + return ld->ld_errno; + } + + if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) { + ld->ld_errno = LDAP_ENCODING_ERROR; + ber_free( ber, 1 ); + return ld->ld_errno; + } + + /* send the message */ + *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ); + + if(*msgidp < 0) + return ld->ld_errno; + + return LDAP_SUCCESS; +} + +int +ldap_parse_ntlm_bind_result( + LDAP *ld, + LDAPMessage *res, + struct berval *challenge) +{ + ber_int_t errcode; + ber_tag_t tag; + BerElement *ber; + ber_len_t len; + + Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 ); + + assert( ld != NULL ); + assert( LDAP_VALID( ld ) ); + assert( res != NULL ); + + if ( ld == NULL || res == NULL ) { + return LDAP_PARAM_ERROR; + } + + if( res->lm_msgtype != LDAP_RES_BIND ) { + ld->ld_errno = LDAP_PARAM_ERROR; + return ld->ld_errno; + } + + if ( ld->ld_error ) { + LDAP_FREE( ld->ld_error ); + ld->ld_error = NULL; + } + if ( ld->ld_matched ) { + LDAP_FREE( ld->ld_matched ); + ld->ld_matched = NULL; + } + + /* parse results */ + + ber = ber_dup( res->lm_ber ); + + if( ber == NULL ) { + ld->ld_errno = LDAP_NO_MEMORY; + return ld->ld_errno; + } + + tag = ber_scanf( ber, "{ioa" /*}*/, + &errcode, challenge, &ld->ld_error ); + ber_free( ber, 0 ); + + if( tag == LBER_ERROR ) { + ld->ld_errno = LDAP_DECODING_ERROR; + return ld->ld_errno; + } + + ld->ld_errno = errcode; + + return( ld->ld_errno ); +}