Adding support for NTLM, Kerberos

[John Barstow <Jo...@gfsg.co.nz>]

I added the auth_SSPI module to my Win32 Apache server and promptly began
getting authorization failures from the subversion clients.
A little poking indicated that digest and basic authentication are handled
by the neon library, but not NTLM or Kerberos authentication.  Now, I can
handle coding that support up, but I'm not sure where to set my handlers to
trap the 401 being returned by the server, where to add my negotiation
headers, or how to inspect the server's headers.  I've been trying to work
out the control flow and it seems a bit confusing - probably because I've
been doing C++ instead of C for so long.
If someone can point me the right area, I can start hacking in the new
support.

John C Barstow

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Adding support for NTLM, Kerberos

[Joe Orton <jo...@manyfish.co.uk>]

Hi,

On Fri, Oct 04, 2002 at 09:28:32AM +1200, John Barstow wrote:
> I added the auth_SSPI module to my Win32 Apache server and promptly began
> getting authorization failures from the subversion clients.
> A little poking indicated that digest and basic authentication are handled
> by the neon library, but not NTLM or Kerberos authentication.  Now, I can
> handle coding that support up, but I'm not sure where to set my handlers to
> trap the 401 being returned by the server, where to add my negotiation
> headers, or how to inspect the server's headers.  I've been trying to work
> out the control flow and it seems a bit confusing - probably because I've
> been doing C++ instead of C for so long.
> If someone can point me the right area, I can start hacking in the new
> support.

To add support for new auth protocols you can either modify ne_auth.c,
or add a separate module.  Adding a new module is probably preferable
since it'll be a fair amount of code, I expect.

The ne_auth.c code is slightly obfuscated since to handle both proxy and
server auth abstractly, I believe that the SPNEGO stuff doesn't do proxy
auth, so it can be simpler.  You need at minimum a create_request hook
which registers callbacks to fetch the WWW-Authenticate header, a
pre_send hook which adds an Authorization header when necessary, and a
post_send hook which checks for a 401 status-code and returns NE_RETRY
if the request should be retried.

Please send any neon questions you have to the mailing list at
neon@webdav.org.

Regards,

joe

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Adding support for NTLM, Kerberos

[Karl Fogel <kf...@newton.ch.collab.net>]

John Barstow <Jo...@gfsg.co.nz> writes:
> I added the auth_SSPI module to my Win32 Apache server and promptly began
> getting authorization failures from the subversion clients.
> A little poking indicated that digest and basic authentication are handled
> by the neon library, but not NTLM or Kerberos authentication.  Now, I can
> handle coding that support up, but I'm not sure where to set my handlers to
> trap the 401 being returned by the server, where to add my negotiation
> headers, or how to inspect the server's headers.  I've been trying to work
> out the control flow and it seems a bit confusing - probably because I've
> been doing C++ instead of C for so long.
> If someone can point me the right area, I can start hacking in the new
> support.

Ah, wonderful!  Erm.. Ummm.  Erg...

Is there a Joe Orton in the house? :-)

-K

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org