The Debian packaging of OpenLDAP has been carrying around the attached patch for many years now, and I'd really like to make it go away. Adding new functions to the exposed ABI of a library is really not kosher.
However, it looks like Evolution really does use this patch for its Exchange addressbook feature, it falls back on doing simple binds with passwords without it, and it is apparently still a recommended patch. I'm attaching the patch as shipped with the evolution-exchange package, although the code that actually uses it is now in evolution-data-server.
What should we do with this? Is what Evolution wants to do just broken? Obsolete in some way? Is there some other API that they could now use? I'm happy to file bugs against the corresponding Debian packages so that we can get rid of this patch, but I don't know what to tell them and don't even entirely understand what they're trying to accomplish.
=== begin quote of patch from evolution-exchange ===
(Note that this patch is not useful on its own... it just adds some hooks to work with the LDAP authentication process at a lower level than the API otherwise allows. The code that calls these hooks and actually drives the NTLM authentication process is in lib/e2k-global-catalog.c, and the code that actually implements the NTLM algorithms is in xntlm/.)
This is a patch against OpenLDAP 2.2.6. Apply with -p0
--- include/ldap.h.orig 2004-01-01 13:16:28.000000000 -0500 +++ include/ldap.h 2004-07-14 11:58:49.000000000 -0400 @@ -1753,5 +1753,26 @@ LDAPControl **cctrls ));
+/* + * hacks for NTLM + */ +#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU) +#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU) +LDAP_F( int ) +ldap_ntlm_bind LDAP_P(( + LDAP *ld, + LDAP_CONST char *dn, + ber_tag_t tag, + struct berval *cred, + LDAPControl **sctrls, + LDAPControl **cctrls, + int *msgidp )); +LDAP_F( int ) +ldap_parse_ntlm_bind_result LDAP_P(( + LDAP *ld, + LDAPMessage *res, + struct berval *challenge)); + + LDAP_END_DECL #endif /* _LDAP_H */ --- libraries/libldap/Makefile.in.orig 2004-01-01 13:16:29.000000000 -0500 +++ libraries/libldap/Makefile.in 2004-07-14 13:37:23.000000000 -0400 @@ -20,7 +20,7 @@ SRCS = bind.c open.c result.c error.c compare.c search.c \ controls.c messages.c references.c extended.c cyrus.c \ modify.c add.c modrdn.c delete.c abandon.c \ - sasl.c sbind.c kbind.c unbind.c cancel.c \ + sasl.c ntlm.c sbind.c kbind.c unbind.c cancel.c \ filter.c free.c sort.c passwd.c whoami.c \ getdn.c getentry.c getattr.c getvalues.c addentry.c \ request.c os-ip.c url.c sortctrl.c vlvctrl.c \ @@ -29,7 +29,7 @@ OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ controls.lo messages.lo references.lo extended.lo cyrus.lo \ modify.lo add.lo modrdn.lo delete.lo abandon.lo \ - sasl.lo sbind.lo kbind.lo unbind.lo cancel.lo \ + sasl.lo ntlm.lo sbind.lo kbind.lo unbind.lo cancel.lo \ filter.lo free.lo sort.lo passwd.lo whoami.lo \ getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \ request.lo os-ip.lo url.lo sortctrl.lo vlvctrl.lo \ --- /dev/null 2004-06-30 15:04:37.000000000 -0400 +++ libraries/libldap/ntlm.c 2004-07-14 13:44:18.000000000 -0400 @@ -0,0 +1,137 @@ +/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ +/* + * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. + * COPYING RESTRICTIONS APPLY, see COPYRIGHT file + */ + +/* Mostly copied from sasl.c */ + +#include "portable.h" + +#include <stdlib.h> +#include <stdio.h> + +#include <ac/socket.h> +#include <ac/string.h> +#include <ac/time.h> +#include <ac/errno.h> + +#include "ldap-int.h" + +int +ldap_ntlm_bind( + LDAP *ld, + LDAP_CONST char *dn, + ber_tag_t tag, + struct berval *cred, + LDAPControl **sctrls, + LDAPControl **cctrls, + int *msgidp ) +{ + BerElement *ber; + int rc; + ber_int_t id; + + Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 ); + + assert( ld != NULL ); + assert( LDAP_VALID( ld ) ); + assert( msgidp != NULL ); + + if( msgidp == NULL ) { + ld->ld_errno = LDAP_PARAM_ERROR; + return ld->ld_errno; + } + + /* create a message to send */ + if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) { + ld->ld_errno = LDAP_NO_MEMORY; + return ld->ld_errno; + } + + assert( LBER_VALID( ber ) ); + + LDAP_NEXT_MSGID( ld, id ); + rc = ber_printf( ber, "{it{istON}" /*}*/, + id, LDAP_REQ_BIND, + ld->ld_version, dn, tag, + cred ); + + /* Put Server Controls */ + if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) { + ber_free( ber, 1 ); + return ld->ld_errno; + } + + if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) { + ld->ld_errno = LDAP_ENCODING_ERROR; + ber_free( ber, 1 ); + return ld->ld_errno; + } + + /* send the message */ + *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ); + + if(*msgidp < 0) + return ld->ld_errno; + + return LDAP_SUCCESS; +} + +int +ldap_parse_ntlm_bind_result( + LDAP *ld, + LDAPMessage *res, + struct berval *challenge) +{ + ber_int_t errcode; + ber_tag_t tag; + BerElement *ber; + ber_len_t len; + + Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 ); + + assert( ld != NULL ); + assert( LDAP_VALID( ld ) ); + assert( res != NULL ); + + if ( ld == NULL || res == NULL ) { + return LDAP_PARAM_ERROR; + } + + if( res->lm_msgtype != LDAP_RES_BIND ) { + ld->ld_errno = LDAP_PARAM_ERROR; + return ld->ld_errno; + } + + if ( ld->ld_error ) { + LDAP_FREE( ld->ld_error ); + ld->ld_error = NULL; + } + if ( ld->ld_matched ) { + LDAP_FREE( ld->ld_matched ); + ld->ld_matched = NULL; + } + + /* parse results */ + + ber = ber_dup( res->lm_ber ); + + if( ber == NULL ) { + ld->ld_errno = LDAP_NO_MEMORY; + return ld->ld_errno; + } + + tag = ber_scanf( ber, "{ioa" /*}*/, + &errcode, challenge, &ld->ld_error ); + ber_free( ber, 0 ); + + if( tag == LBER_ERROR ) { + ld->ld_errno = LDAP_DECODING_ERROR; + return ld->ld_errno; + } + + ld->ld_errno = errcode; + + return( ld->ld_errno ); +}
Russ Allbery wrote:
The Debian packaging of OpenLDAP has been carrying around the attached patch for many years now, and I'd really like to make it go away. Adding new functions to the exposed ABI of a library is really not kosher.
However, it looks like Evolution really does use this patch for its Exchange addressbook feature, it falls back on doing simple binds with passwords without it, and it is apparently still a recommended patch. I'm attaching the patch as shipped with the evolution-exchange package, although the code that actually uses it is now in evolution-data-server.
What should we do with this? Is what Evolution wants to do just broken? Obsolete in some way? Is there some other API that they could now use? I'm happy to file bugs against the corresponding Debian packages so that we can get rid of this patch, but I don't know what to tell them and don't even entirely understand what they're trying to accomplish.
If they actually wanted OpenLDAP to include these functions, the author of the patch should have contributed it to the ITS.
But without a published spec, I don't see any reason for us to adopt this patch. Where is the spec that documents this feature?
Howard Chu hyc@symas.com writes:
If they actually wanted OpenLDAP to include these functions, the author of the patch should have contributed it to the ITS.
Instead, they apparently built their own OpenLDAP RPMs with the patch, at least for a while. (Google for evo-openldap.) It looks like they're no longer doing this and Fedora is just linking with the regular OpenLDAP RPMs and disabling this functionality. Most of the mailing list traffic I can find about it is from 2004.
I don't really get what happened here. The thread at:
http://osdir.com/ml/gnome.evolution.devel/2004-05/msg00123.html
seems to be the most relevant, and there's discussion about getting NTLM support into OpenLDAP, but then nothing apparently happened?
The changelog entry for evolution-data-server saying that they were switching back to the regular OpenLDAP libraries references:
https://bugzilla.redhat.com/show_bug.cgi?id=167238
but there's not much in the way of useful information there.
The Fedora source RPM has this fascinating tidbit:
| These files are here specifically for use in building the | evolution-connector package, and should not be used for any other | purpose. | | In order to authenticate to older servers, an LDAP client must perform | an ntlm_bind operation instead of a simple or SASL bind. The ntlm_bind | is not the same thing as performing SASL authentication using NTLM as | the mechanism, which wouldn't require any patching. Newer servers | properly support DIGEST-MD5, so this requirement only applies to clients | which want to authenticate to older servers, and this requirement will | hopefully go away at some point. | | Because the changes involved both modify the libldap ABI and add | non-standardized messages to the protocol, changed libraries are built | statically and stashed in a directory where they will not be found by a | compiler using the default search paths. | | The openldap-devel package provides "openldap-evolution-devel" if it | includes a patched version of these libraries in such a directory. | Packages which depend on these libraries should BuildRequire this | virtual provision so that they don't fail to compile or get miscompiled | if the libraries are not present. | | If/when the evolution-connector package stops requiring these changes, | the changed libraries will simply disappear.
It's really remarkable how much work people seem to be going to in this area without coordinating with you at all.
But without a published spec, I don't see any reason for us to adopt this patch. Where is the spec that documents this feature?
I doubt there is any, given the quality of the discussion around it.
Looking at it, it looks like NTLM is a multi-step authentication protocol similar to many of the SASL mechanisms, and this API essentially sets up a callback out of the OpenLDAP library to handle each step of the NTLM authentication. There is separate NTLM authentication code in evolution-data-server that does the actual NTLM processing and feeds the results back into the function added by this patch.
I'm guessing that adding another non-SASL authentication mechanism to OpenLDAP, even should someone contribute back all of the NTLM code, isn't looking horribly attractive. I'm going to file a bug against the Debian evolution-data-server package and ask them if they think they still need this support. The path of least resistance looks to me to be dropping this patch and the corresponding NTLM support from e-d-s and only supporting servers that can do SASL or simple binds.
Russ Allbery wrote:
Howard Chu hyc@symas.com writes:
If they actually wanted OpenLDAP to include these functions, the author of the patch should have contributed it to the ITS.
Instead, they apparently built their own OpenLDAP RPMs with the patch, at least for a while. (Google for evo-openldap.) It looks like they're no longer doing this and Fedora is just linking with the regular OpenLDAP RPMs and disabling this functionality. Most of the mailing list traffic I can find about it is from 2004.
I don't really get what happened here. The thread at:
http://osdir.com/ml/gnome.evolution.devel/2004-05/msg00123.html
seems to be the most relevant, and there's discussion about getting NTLM support into OpenLDAP, but then nothing apparently happened?
There's no NTLM submission anywhere in ITS, at least. I guess with the mention of SASL/NTLM support the conversation died.
The changelog entry for evolution-data-server saying that they were switching back to the regular OpenLDAP libraries references:
https://bugzilla.redhat.com/show_bug.cgi?id=167238but there's not much in the way of useful information there.
The Fedora source RPM has this fascinating tidbit:
| These files are here specifically for use in building the | evolution-connector package, and should not be used for any other | purpose.
It's really remarkable how much work people seem to be going to in this area without coordinating with you at all.
Never ceases to amaze me...
But without a published spec, I don't see any reason for us to adopt this patch. Where is the spec that documents this feature?
I doubt there is any, given the quality of the discussion around it.
Looking at it, it looks like NTLM is a multi-step authentication protocol similar to many of the SASL mechanisms, and this API essentially sets up a callback out of the OpenLDAP library to handle each step of the NTLM authentication. There is separate NTLM authentication code in evolution-data-server that does the actual NTLM processing and feeds the results back into the function added by this patch.
I'm guessing that adding another non-SASL authentication mechanism to OpenLDAP, even should someone contribute back all of the NTLM code, isn't looking horribly attractive. I'm going to file a bug against the Debian evolution-data-server package and ask them if they think they still need this support. The path of least resistance looks to me to be dropping this patch and the corresponding NTLM support from e-d-s and only supporting servers that can do SASL or simple binds.
Yes, since it's described as only being needed to bind to older servers, it seems pretty pointless.
On Fri, 2007-12-21 at 13:06 -0800, Russ Allbery wrote:
The Debian packaging of OpenLDAP has been carrying around the attached patch for many years now, and I'd really like to make it go away. Adding new functions to the exposed ABI of a library is really not kosher.
However, it looks like Evolution really does use this patch for its Exchange addressbook feature, it falls back on doing simple binds with passwords without it, and it is apparently still a recommended patch. I'm attaching the patch as shipped with the evolution-exchange package, although the code that actually uses it is now in evolution-data-server.
What should we do with this? Is what Evolution wants to do just broken? Obsolete in some way? Is there some other API that they could now use? I'm happy to file bugs against the corresponding Debian packages so that we can get rid of this patch, but I don't know what to tell them and don't even entirely understand what they're trying to accomplish.
Given that Samba3 has done this with native OpenLDAP for ages, I really never understood what they were trying to do. I checked out the code once, in the hope of giving them a patch to fix it up, but never got there.
I think I never quite got over them using their own hand-spun NTLM...
Andrew Bartlett
-
Andrew Bartlett -
Howard Chu -
Russ Allbery