CHCNET Consulting wrote:
Hi list,
I've patched the ntlm plugin to also support Outlook 2007, which uses a
slightly different approach to authenticate. All Outlook versions prior
to 2007 use a two-stage method: first they try to authenticate with
the username and Windows domain instead of the mail domain (which of
course doesn't work, unless we have user@NTDOMAIN in our sasldb). Outlook
2007 changed this method to username@xxxxxxxxxxxxxxx, i.e. the NTLM auth
is sent with username and client domain, where client domain is finally,
correctly, our email domain!
But this needs a change in the SASL ntlm plugin, otherwise you never get
the client domain into your checks, but only username@mailserver:
Here's my alternate patch, which first tries a fully qualified username
(using the supplied domain) and, if no password exists for this
username, falls back to using the unqualified username. Please try
this with your deployment.
--- ntlm.c.~1.32.~ 2008-01-24 10:22:24.000000000 -0500
+++ ntlm.c 2008-05-08 12:17:27.000000000 -0400
@@ -1552,14 +1552,52 @@
result = sparams->utils->prop_request(sparams->propctx,
password_request);
if (result != SASL_OK) goto cleanup;
- /* this will trigger the getting of the aux properties */
- result = sparams->canon_user(sparams->utils->conn, authid, authid_len,
- SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
- if (result != SASL_OK) goto cleanup;
+ if (domain) {
+ /* see if we have a fully qualified username */
+ char *fq_authid = sparams->utils->malloc(authid_len+domain_len+2);
+
+ if (!fq_authid) {
+ MEMERROR(sparams->utils);
+ result = SASL_NOMEM;
+ goto cleanup;
+ }
+
+ sprintf(fq_authid, "%.*s@%.*s",
+ authid_len, authid, domain_len, domain);
+ sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ "canonicalizing: %s", fq_authid);
+
+ /* this will trigger the getting of the aux properties */
+ result = sparams->canon_user(sparams->utils->conn,
+ fq_authid, strlen(fq_authid),
+ SASL_CU_AUTHID | SASL_CU_AUTHZID,
+ oparams);
+ sparams->utils->free(fq_authid);
+ if (result != SASL_OK) goto cleanup;
+
+ result = sparams->utils->prop_getnames(sparams->propctx,
+ password_request,
+ auxprop_values);
+ }
+ if (!domain || result < 0 ||
+ (!auxprop_values[0].name || !auxprop_values[0].values)) {
+ /* We didn't find the fully qualified username,
+ try the unqualified username */
+ sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ "canonicalizing: %s", authid);
+
+ /* this will trigger the getting of the aux properties */
+ result = sparams->canon_user(sparams->utils->conn,
+ authid, authid_len,
+ SASL_CU_AUTHID | SASL_CU_AUTHZID,
+ oparams);
+ if (result != SASL_OK) goto cleanup;
+
+ result = sparams->utils->prop_getnames(sparams->propctx,
+ password_request,
+ auxprop_values);
+ }
- result = sparams->utils->prop_getnames(sparams->propctx,
- password_request,
- auxprop_values);
if (result < 0 ||
(!auxprop_values[0].name || !auxprop_values[0].values)) {
/* We didn't find this username */
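Review bot: the debug log in the fallback branch, `sparams->utils->log(NULL, SASL_LOG_DEBUG, "canonicalizing: %s", authid);`, prints authid with a plain `%s`, while everywhere else in this hunk authid is treated as length-delimited (authid_len is passed to canon_user, and the fq_authid sprintf uses `%.*s` with authid_len); unless authid is known to be NUL-terminated this reads past the end of the name, so use `"%.*s", authid_len, authid` as the sprintf line does. Two smaller points on the same hunk: the buffer for fq_authid is sized exactly (authid_len + domain_len + 2, which is right for name, '@', domain and the NUL), but snprintf with that size would make the bound explicit and survive a later edit to the format string, and `%.*s` takes an int precision, so authid_len and domain_len must be int or cast to it. Finally, the fallback deserves a comment where the second canon_user call is made: when no property is found for user@domain, the domain the client presented is discarded and the bare user name is looked up instead, so a sasldb entry for plain "user" satisfies a client claiming any domain; that is the intended behaviour here, but it is worth stating next to the code.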
--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
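The thread above turns on the domain and user names that Outlook puts into its NTLM authenticate message, which the server then combines into user@domain before the sasldb lookup. The following is an added example, not code from cyrus-sasl or from either poster: it parses those two fields out of an NTLMSSP Type 3 (AUTHENTICATE) message using the protocol's fixed header layout, bounds-checks the client-supplied buffer offsets and lengths before touching them, and forms "user@domain" (or the bare user name when the client sent an empty domain). The function names, the 256-byte name limits, the ASCII-only handling of UTF-16LE strings, and the Type 3 message built by build_type3 are all assumptions of this example; a real plugin would transcode to UTF-8 rather than reject non-ASCII names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTLMSSP Type 3 (AUTHENTICATE) fixed header, byte offsets:
 *   0  "NTLMSSP\0"            8  message type (uint32 LE) == 3
 *  12  LM response  secbuf   20  NT response  secbuf   28  domain name secbuf
 *  36  user name    secbuf   44  workstation  secbuf   52  session key secbuf
 *  60  negotiate flags (uint32 LE); bit 0 set = strings are UTF-16LE
 * A secbuf is len(u16) maxlen(u16) offset(u32), all of it client supplied. */
#define T3_MIN 64
#define FLAG_UNICODE 0x00000001u

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(unsigned char *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Resolve a security buffer, refusing offset/length pairs outside the message. */
static int secbuf(const unsigned char *m, size_t mlen, size_t hdr,
                  const unsigned char **out, size_t *outlen) {
    uint16_t len = rd16(m + hdr);
    uint32_t off = rd32(m + hdr + 4);
    if (off > mlen || len > mlen - off) return -1;
    *out = m + off; *outlen = len;
    return 0;
}

/* Copy a secbuf string into a NUL-terminated ASCII buffer. UTF-16LE input is
 * accepted only for code points below 0x80 (an assumption of this example). */
static int secbuf_str(const unsigned char *s, size_t n, int uni, char *dst, size_t dstsz) {
    size_t step = uni ? 2 : 1, chars = n / step;
    if (n % step || chars + 1 > dstsz) return -1;
    for (size_t i = 0; i < chars; i++) {
        if (s[i * step] >= 0x80 || (uni && s[i * step + 1] != 0)) return -1;
        dst[i] = (char)s[i * step];
    }
    dst[chars] = '\0';
    return 0;
}

/* Extract user and domain from a Type 3 message and form "user@domain",
 * or plain "user" when the client sent an empty domain. Returns 0 on success. */
int type3_authid(const unsigned char *m, size_t mlen, char *fq, size_t fqsz) {
    char user[256], domain[256];
    const unsigned char *p = NULL; size_t n = 0;
    if (mlen < T3_MIN || memcmp(m, "NTLMSSP", 8) != 0 || rd32(m + 8) != 3) return -1;
    int uni = (rd32(m + 60) & FLAG_UNICODE) != 0;
    if (secbuf(m, mlen, 28, &p, &n) || secbuf_str(p, n, uni, domain, sizeof domain)) return -1;
    if (secbuf(m, mlen, 36, &p, &n) || secbuf_str(p, n, uni, user, sizeof user)) return -1;
    if (!user[0]) return -1;
    int w = domain[0] ? snprintf(fq, fqsz, "%s@%s", user, domain)
                      : snprintf(fq, fqsz, "%s", user);
    return (w < 0 || (size_t)w >= fqsz) ? -1 : 0;
}

/* Constructed sample input: a minimal Type 3 carrying only domain and user
 * (empty LM/NT responses are enough for parsing the identity fields). */
size_t build_type3(unsigned char *buf, size_t bufsz, const char *domain, const char *user, int uni) {
    size_t step = uni ? 2 : 1, dlen = strlen(domain), ulen = strlen(user);
    size_t total = T3_MIN + (dlen + ulen) * step, off = T3_MIN;
    if (total > bufsz) return 0;
    memset(buf, 0, T3_MIN);
    memcpy(buf, "NTLMSSP", 8);
    wr32(buf + 8, 3);
    wr32(buf + 60, uni ? FLAG_UNICODE : 0);
    wr16(buf + 28, (uint16_t)(dlen * step)); wr16(buf + 30, (uint16_t)(dlen * step)); wr32(buf + 32, (uint32_t)off);
    for (size_t i = 0; i < dlen; i++) { buf[off++] = (unsigned char)domain[i]; if (uni) buf[off++] = 0; }
    wr16(buf + 36, (uint16_t)(ulen * step)); wr16(buf + 38, (uint16_t)(ulen * step)); wr32(buf + 40, (uint32_t)off);
    for (size_t i = 0; i < ulen; i++) { buf[off++] = (unsigned char)user[i]; if (uni) buf[off++] = 0; }
    return total;
}

/* Round trip: 1 if the identity parsed from a built message equals `expected`. */
int authid_roundtrip(const char *domain, const char *user, int uni, const char *expected) {
    unsigned char buf[1024]; char fq[512];
    size_t len = build_type3(buf, sizeof buf, domain, user, uni);
    return len && type3_authid(buf, len, fq, sizeof fq) == 0 && strcmp(fq, expected) == 0;
}

/* 1 if a user-name offset pointing past the end of the message is rejected. */
int rejects_bad_offset(void) {
    unsigned char buf[1024]; char fq[512];
    size_t len = build_type3(buf, sizeof buf, "example.com", "alice", 1);
    wr32(buf + 40, (uint32_t)len + 1);           /* forge the user secbuf offset */
    return type3_authid(buf, len, fq, sizeof fq) == -1;
}

int main(void) {
    unsigned char buf[1024]; char fq[512];
    size_t len = build_type3(buf, sizeof buf, "example.com", "alice", 1);
    if (type3_authid(buf, len, fq, sizeof fq) == 0) printf("authid: %s\n", fq);
    printf("bad offset rejected: %d\n", rejects_bad_offset());
    return 0;
}
```

The identity string this produces is what the patch above feeds to canon_user first; the point of checking the secbuf offsets before use is that every offset and length in the Type 3 message is chosen by the client, so a server that trusts them reads whatever memory they point at.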