Outlook 2007 SPA authentication problem solved (NTLM plugin bug)

Hi list,

I've patched the ntlm plugin to also support Outlook 2007, which uses a slightly different approach to authenticate. All Outlook versions prior to 2007 use a two-stage method: first they try to authenticate with the username and Windows domain instead of the mail domain (which of course doesn't work, unless we have user@NTDOMAIN in our sasldb). Outlook 2007 changed this method to username@xxxxxxxxxxxxxxx, i.e. the NTLM auth is sent with username and client domain, where the client domain is finally correctly our email domain!

But this needs a change in the sasl ntlm plugin, otherwise you never get the client domain into your checks, but only username@mailserver:

(apply this patch with the patch utility)

---------- CUT HERE ------------ CUT HERE ------------ CUT HERE ------------------ diff -urNp cyrus-sasl-2.1.22/plugins/ntlm.c cyrus-sasl-2.1.22-patch/plugins/ntlm.c
--- cyrus-sasl-2.1.22/plugins/ntlm.c    2005-07-07 18:10:14.000000000 +0200
+++ cyrus-sasl-2.1.22-patch/plugins/ntlm.c 2008-05-04 14:56:54.000000000 +0200
@@ -1525,14 +1525,46 @@ static int ntlm_server_mech_step2(server
       struct propval auxprop_values[2];
       unsigned char hash[NTLM_HASH_LENGTH];
       unsigned char resp[NTLM_RESP_LENGTH];
+
+       unsigned char *combined_username = NULL;

       /* fetch user's password */
result = sparams->utils->prop_request(sparams->propctx, password_request);
       if (result != SASL_OK) goto cleanup;

-       /* this will trigger the getting of the aux properties */
- result = sparams->canon_user(sparams->utils->conn, authid, authid_len,
+       ///////////////////////////////////////////////////////////////////
+       // patch by office@xxxxxxxxxx
+       // rights: GPL
+       // older pop3, imap, smtp ntlm clients are sending first
+       // client-user: usernamex
+       // client-domain: NTDOMAIN/WORKGROUP
+       // and if thats denied by us, they retry with
+       // client-user: user@xxxxxxxxxxxxxxxxxx
+       // without a client domain
+       // outlook 2007 changed that behaviour to support properly
+       // also other mail servers. They are thus sending already (hurray!)
+       // as the first try: client-user: username
+       // and as client domain: the users emaildomain
+       ///////////////////////////////////////////////////////////////////
+       if (domain) {
+           // to match the outlook 2007 method
+ combined_username = sparams->utils->malloc(authid_len + domain_len + 1);
+           if (combined_username == NULL) {
+               MEMERROR(sparams->utils);
+               return SASL_NOMEM;
+           }
+           sprintf(combined_username, "%s@%s", authid, domain);
+ result = sparams->canon_user(sparams->utils->conn, combined_username, strlen(combined_username), SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
+           sparams->utils->free(combined_username);
+       }
+       else {
+           // use old method (ignore the first try and match the second
+ result = sparams->canon_user(sparams->utils->conn, authid, authid_len, + SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
+       }
+
+       /* this will trigger the getting of the aux properties */
       if (result != SASL_OK) goto cleanup;

       result = sparams->utils->prop_getnames(sparams->propctx,
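Review bot: the allocation in the `if (domain)` branch is one byte short: `sprintf(combined_username, "%s@%s", authid, domain)` writes authid_len + 1 + domain_len characters plus the terminating NUL, so the buffer must be `authid_len + domain_len + 2`; as written the NUL lands one byte past the end of the heap block. Since authid_len and domain_len are already in hand, prefer `snprintf(combined_username, authid_len + domain_len + 2, "%.*s@%.*s", (int) authid_len, authid, (int) domain_len, domain)` with a `char *` buffer, which bounds the write by the decoded lengths instead of relying on both inputs being NUL-terminated and also removes the `unsigned char *` / `char *` mismatch in the sprintf call. The `return SASL_NOMEM;` on allocation failure bypasses the `cleanup:` label that the other error paths in this hunk reach via `goto cleanup`; set `result = SASL_NOMEM` and jump there so whatever cleanup frees is still released. Two smaller points: the moved comment `/* this will trigger the getting of the aux properties */` now sits after the `canon_user` call it describes rather than before it, and the comment `// use old method (ignore the first try and match the second` is missing its closing parenthesis.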
---------- CUT HERE ------------ CUT HERE ------------ CUT HERE ------------------

kind regards,
Christoph Christ
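As an added example (my code, not the patch above or Cyrus SASL's own), this is the lookup-name construction the hunk performs, done with the buffer sized for both the '@' and the terminating NUL and with the write bounded by the lengths the NTLM decoder already supplies; the function name and sample values are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build the name handed to canon_user(): "authid@domain" when the client
 * sent a domain (the Outlook 2007 behaviour described in the message),
 * otherwise a copy of authid as-is (the older two-stage clients).
 * Both inputs are treated as length-delimited, not NUL-terminated.
 * Returns a malloc'd, NUL-terminated string (caller frees) or NULL. */
char *ntlm_lookup_name(const char *authid, size_t authid_len,
                       const char *domain, size_t domain_len)
{
    if (authid == NULL) return NULL;

    if (domain == NULL || domain_len == 0) {
        /* old method: look up exactly what the client sent as user */
        char *copy = malloc(authid_len + 1);
        if (copy == NULL) return NULL;
        memcpy(copy, authid, authid_len);
        copy[authid_len] = '\0';
        return copy;
    }

    /* authid + '@' + domain + NUL: the patch allocated one byte less */
    size_t need = authid_len + 1 + domain_len + 1;
    char *buf = malloc(need);
    if (buf == NULL) return NULL;

    /* %.*s bounds each piece by its length, snprintf bounds the total */
    int n = snprintf(buf, need, "%.*s@%.*s",
                     (int) authid_len, authid, (int) domain_len, domain);
    if (n < 0 || (size_t) n >= need) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    /* constructed sample values, not taken from the list message */
    char *name = ntlm_lookup_name("user", 4, "example.com", 11);
    printf("%s\n", name ? name : "(alloc failed)");
    free(name);
    return 0;
}
```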

