From: Thomas K. (squirrelmail) <squ...@ka...> - 2005-09-29 19:55:00
Hello Developers

I just implemented imap_ntlm, to use SM with an exchange server which only supports ntlm authentication.

Are you interested in this patch? I did it in SM 1.4.3a.

I used some code from Manuel Lemos, and he has a BSD like license:

<?php
/*
Copyright (c) 2001-2005, Manuel Lemos
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the Manuel Lemos nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

My implementation is still a hack. I have to have a "MS Domain name" and a "MS workstation name" which I just hardcoded at the moment. I think this has to go to the config or to the login page?

Anyway, I can do a patch to the latest development version, if you want it.

Regards, Thomas

--
http://www.kaiser-linux.li
From: Jonathan A. <jo...@sq...> - 2005-09-29 20:28:44
Hello Thomas Kaiser (squirrelmail),

On Thursday, September 29, 2005, you wrote:

> Hello Developers
> I just implemented imap_ntlm, to use SM with an exchange server which
> only supports ntlm authentication.
> Are you interested in this patch?

Of course :)

--
Jonathan Angliss <jo...@sq...>
From: Paul L. <pa...@sq...> - 2005-09-29 21:28:19
Thomas Kaiser (squirrelmail) wrote:
> Hello Developers
>
> I just implemented imap_ntlm, to use SM with an exchange server which
> only supports ntlm authentication.
>
>
> My implementation is still a hack. I have to have a "MS Domain name" and
> a "MS workstation name" which I just hardcoded at the moment. I think
> this has to go to the config or to the login page?

If it is a per-user setting, it'd usually go in personal information under options. If you can't even log in w/out that info, there has to be a way for SM to look up that information for the user logging in if the server won't do it as part of its auth scheme (it doesn't??). You can implement a plugin to do this so that lookups can come from where you need. Or you can use the vlogin (or multilogin) plugin which will already allow you to set any number of per-user configuration variables.

-paul
From: Thomas K. (squirrelmail) <squ...@ka...> - 2005-10-02 20:44:35
Paul Lesneiwski wrote:
> If it is a per-user setting, it'd usually go in personal information
> under options. If you can't even log in w/out that info, there has to
> be a way for SM to look up that information for the user logging in if
> the server won't do it as part of its auth scheme (it doesn't??).

I just reread your mail.

In the MS world user and domain are glued together. You need to supply the domain you are registered to get authenticated. So, I think this has to be in the login screen. Just a new input box (if ntlm is enabled) where the user can type in his domain?

On the other hand, usually, there are not so many "multi domain" exchange servers (multi domain company networks). So, it could go to the config if all users are in the same domain?

Regards, Thomas

--
http://www.kaiser-linux.li
From: Jonathan A. <jo...@sq...> - 2005-10-03 05:41:59
On Fri, September 30, 2005 14:04, Thomas Kaiser (squirrelmail) wrote:
> Paul Lesneiwski wrote:
>
>> If it is a per-user setting, it'd usually go in personal information
>> under options. If you can't even log in w/out that info, there has to be
>> a way for SM to look up that information for the user logging in if the
>> server won't do it as part of its auth scheme (it doesn't??).
> I just reread your mail.
> In the MS world user and domain are glued together. You need to supply
> the domain you are registered to get authenticated. So, I think this has to
> be in the login screen. Just a new input box (if ntlm is enabled) where
> the user can type in his domain?

Maybe I'm missing something... My exchange server offers IMAP login (I know because I set it up), and says NTLM as the auth... but I can login using:

  domain/username

That works just dandy without any need to hack any sources, or make any code changes. Did I miss something somewhere?

--
Jonathan Angliss <jo...@sq...>
From: Thomas K. (squirrelmail) <squ...@ka...> - 2005-10-03 06:44:39
Jonathan Angliss wrote:
>>Paul Lesneiwski wrote:
> Maybe I'm missing something... My exchange server offers IMAP login (I
> know because I set it up), and says NTLM as the auth... but I can login
> using:
>
> domain/username
>
> That works just dandy without any need to hack any sources, or make any
> code changes. Did I miss something somewhere?

Good info. Yes, it works. But I could not find this information 2 weeks ago, so I decided to add NTLM auth to SM.

But why does exchange not offer this when you send CAPABILITY?

Regards, Thomas

--
http://www.kaiser-linux.li
From: Jonathan A. <jo...@sq...> - 2005-10-04 04:52:41
Hello Thomas Kaiser (squirrelmail),

On Monday, October 03, 2005, you wrote:

>> Maybe I'm missing something... My exchange server offers IMAP login
>> (I know because I set it up), and says NTLM as the auth... but I
>> can login using:
>> domain/username
>> That works just dandy without any need to hack any sources, or make
>> any code changes. Did I miss something somewhere?
> Good info. Yes, it works. But I could not find this information 2 weeks
> ago, so I decided to add NTLM auth to SM.

You should have tried posting to the users' list. I'm sure there are a handful of people using SquirrelMail against an exchange server.

> But why does exchange not offer this when you send CAPABILITY?

Not sure what you mean by offering this. It's just a username. The format is dictated by the underlying authentication system. They don't tell you about it in the capability response in any auth system. Maybe I'm simply misunderstanding what you mean.

As for using the username format above, without requiring the end users to remember adding "domain/" to their user names, you could easily do that with a plugin. Take a look at the login_auto plugin, it gives you a hint as to a couple of hooks to use for just this kind of project, you can modify the username in the second set of hooks and SM will just use those instead.

--
Jonathan Angliss <jo...@sq...>
From: Thomas K. (squirrelmail) <squ...@ka...> - 2005-10-04 06:09:02
Hello Jonathan

Jonathan Angliss wrote:
> You should have tried posting to the users' list. I'm sure there are a
> handful of people using SquirrelMail against an exchange server.

I did, but there was no response at all.

> Not sure what you mean by offering this. It's just a username. The
> format is dictated by the underlying authentication system. They
> don't tell you about it in the capability response in any auth
> system. Maybe I'm simply misunderstanding what you mean.

I thought if one sends the CAPABILITY command, the server will tell you which authentication will be supported. If I send CAPABILITY to the exchange server, I got only "auth=ntlm" back. If it also supports plain text login, shouldn't it be something like "auth=ntlm,login"?

> As for using the username format above, without requiring the end
> users to remember adding "domain/" to their user names, you could
> easily do that with a plugin. Take a look at the login_auto plugin,
> it gives you a hint as to a couple of hooks to use for just this
> kind of project, you can modify the username in the second set of
> hooks and SM will just use those instead.

I am happy so far with my solution. It works for me. And anyway, it was a good exercise :-). I may look at the plugin solution sometime in the future. For the time being, I run it with the ntlm authentication scheme.

Thanks, Thomas

--
http://www.kaiser-linux.li
From: Chris H. <ta...@sq...> - 2005-10-04 12:01:53
> I thought if one sends the CAPABILITY command, the server will tell you
> which authentication will be supported. If I send CAPABILITY to the
> exchange server, I got only "auth=ntlm" back. If it also supports plain
> text login, shouldn't it be something like "auth=ntlm,login"?

LOGIN is part of the IMAP4rev1 spec. The auth= part of the CAPABILITY response is for extensions, such as NTLM, CRAM-MD5, etc. The LOGIN is assumed, since it's IMAP. (Unless, of course, it has NOLOGIN in the response)

--
Chris Hilts
ta...@sq...
Say it with flowers -- Send them a triffid!
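The capability handling discussed in the messages above, as an added PHP example (not part of any message in this thread and not SquirrelMail code): it splits a CAPABILITY response into its AUTH= mechanisms and decides whether the plain LOGIN command is still available. The function names and the sample server lines are constructed for illustration; LOGINDISABLED is the capability name RFC 3501 defines for a server that refuses LOGIN.

```php
<?php
// Added example: function names and sample lines below are constructed.

// Split a CAPABILITY response (untagged line or [CAPABILITY ...] greeting
// code) into SASL mechanisms and the flag that governs plain LOGIN.
function parse_imap_capability(string $line): array
{
    if (!preg_match('/\bCAPABILITY\s+([^\]\r\n]+)/i', $line, $m)) {
        throw new InvalidArgumentException('not a CAPABILITY response');
    }
    $caps = ['sasl' => [], 'login_allowed' => true, 'other' => []];
    foreach (preg_split('/\s+/', trim($m[1])) as $atom) {
        $atom = strtoupper($atom);            // capability names are case-insensitive
        if (strncmp($atom, 'AUTH=', 5) === 0 && strlen($atom) > 5) {
            $caps['sasl'][] = substr($atom, 5);   // extension mechanism, e.g. NTLM
        } elseif ($atom === 'LOGINDISABLED') {
            $caps['login_allowed'] = false;       // server refuses the LOGIN command
        } else {
            $caps['other'][] = $atom;
        }
    }
    return $caps;
}

// Prefer a SASL mechanism the client implements; otherwise fall back to
// LOGIN, which needs no AUTH= entry. Returns null if nothing is usable.
function choose_login_method(array $caps, array $client_sasl): ?string
{
    foreach ($client_sasl as $mech) {
        if (in_array(strtoupper($mech), $caps['sasl'], true)) {
            return 'AUTHENTICATE ' . strtoupper($mech);
        }
    }
    return $caps['login_allowed'] ? 'LOGIN' : null;
}

$client_sasl = ['CRAM-MD5', 'DIGEST-MD5'];    // assumed: client without NTLM support
$samples = [                                   // constructed server responses
    '* CAPABILITY IMAP4 IMAP4rev1 IDLE AUTH=NTLM',
    '* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=NTLM',
    '* OK [CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 AUTH=PLAIN] ready',
];
foreach ($samples as $line) {
    $method = choose_login_method(parse_imap_capability($line), $client_sasl);
    printf("%-58s => %s\n", $line, $method ?? 'no usable method');
}
```

The first sample is the case from the thread: only AUTH=NTLM is advertised, yet a client without NTLM support can still use LOGIN because nothing disables it.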
From: Paul L. <pa...@sq...> - 2005-10-04 11:11:26
Jonathan Angliss wrote:
> Hello Thomas Kaiser (squirrelmail),
> On Monday, October 03, 2005, you wrote:
>
>
>>>>Maybe I'm missing something... My exchange server offers IMAP login
>>>>(I know because I set it up), and says NTLM as the auth... but I
>>>>can login using:
>
>
>>>> domain/username
>
>
>>>>That works just dandy without any need to hack any sources, or make
>>>>any code changes. Did I miss something somewhere?
>
>
>>>Good info. Yes, it works. But I could not find this information 2 weeks
>>>ago, so I decided to add NTLM auth to SM.
>
>
> You should have tried posting to the users' list. I'm sure there are a
> handful of people using SquirrelMail against an exchange server.
>
>
>>>But why does exchange not offer this when you send CAPABILITY?
>
>
> Not sure what you mean by offering this. It's just a username. The
> format is dictated by the underlying authentication system. They
> don't tell you about it in the capability response in any auth
> system. Maybe I'm simply misunderstanding what you mean.
>
> As for using the username format above, without requiring the end
> users to remember adding "domain/" to their user names, you could
> easily do that with a plugin. Take a look at the login_auto plugin,
> it gives you a hint as to a couple of hooks to use for just this
> kind of project, you can modify the username in the second set of
> hooks and SM will just use those instead.

Why login_auto? Seems like this can be done out of the box with vlogin, although I admit to ignorant bliss about Exchange-related syntax.

-paul
From: Thomas K. (squirrelmail) <squ...@ka...> - 2005-09-29 21:54:48
Thomas Kaiser (squirrelmail) wrote:
> Hello Developers
>

I do respond to my own thread ;-), because I don't know who I have to answer.

How do I have to deploy my patch? Which version of SM? What are we doing with the "hardcoded stuff"?

--
http://www.kaiser-linux.li
From: Thijs K. <ki...@sq...> - 2005-09-30 07:57:53
On Thu, September 29, 2005 21:53, Thomas Kaiser (squirrelmail) wrote:
> I used some code from Manuel Lemos, and he has a BSD like license:

This is the modified BSD licence (without the advertising clause), which is fully compatible with the GPL, so that's no problem for us. We need to take care to mention this licence in the documentation for the ntlm code somewhere.

regards,
Thijs
From: Thomas K. (squirrelmail) <squ...@ka...> - 2005-10-02 17:57:52
Attachments:
SM_ntlm_imap_20050930.tar.gz
Hello Developers

I did attach my changes to this mail.

You will find 2 files in the archive. imap_ntlm.php has to go in the subfolder "functions". In the imap_general.php my changes start at line 513 and end at line 550.

In line 532, you see the hardcoded stuff ("DOMAIN","WORKSTATION"). The "DOMAIN" is the NT Domain where the user is registered. This might have to go to the login page? The "WORKSTATION" is the computer name, so I think this should just work like it is now.

Have fun, Thomas

--
http://www.kaiser-linux.li
From: Paul L. <pa...@sq...> - 2005-10-02 18:05:49
Thomas Kaiser (squirrelmail) wrote:
> Hello Developers
>
> I did attach my changes to this mail.
>
> You will find 2 files in the archive. imap_ntlm.php has to go in the
> subfolder "functions". In the imap_general.php my changes start at
> line 513 and end at line 550.
>
> In line 532, you see the hardcoded stuff ("DOMAIN","WORKSTATION"). The
> "DOMAIN" is the NT Domain where the user is registered. This might have
> to go to the login page?

Please see my response on this thread about that issue instead of asking the same question.

> The "WORKSTATION" is the computer name, so I
> think this should just work like it is now.

Why would that be? If the workstation name can be different for every user, why would hard coding it in this file make any sense at all? Where is the miscommunication here?
From: Thomas K. (squirrelmail) <squ...@ka...> - 2005-10-02 18:26:35
Paul Lesneiwski wrote:
> Why would that be? If the workstation name can be different for every
> user, why would hard coding it in this file make any sense at all?
> Where is the miscommunication here?

All users can have the same workstation name.

Regards, Thomas

--
http://www.kaiser-linux.li