#define private public - Claus Brod on stuff (06 Mar 2009)

topic end
<!--
   * Set TOPICTITLE = #define private public - Claus Brod on stuff (06 Mar 2009)
-->

<style type="text/css">
pre {background-color:#ffeecc;}
</style>

%STARTINCLUDE%
<a name="06"></a>

---+++ [[DefinePrivatePublic20090306ModNtlm][<tt>mod_ntlm</tt> versus long user names]] (06 Mar 2009)

<summary>
At work, I administer an internal TWiki site. The web server runs on a Linux box and connects
to the Windows domain servers to provide authentication, using <a href="http://modntlm.sourceforge.net/">mod_ntlm</a>.
Recently, a new user registered, but could never log in.
</summary>

In Apache's server logfiles, I found entries like the following:

<pre>
[Mon Mar 02 11:37:37 2009] [error] [client 42.42.42.42] 144404120 17144 
/twiki/bin/viewauth/Some/Topic - ntlm_decode_msg failed:
   type: 3, host: "SOMEHOST", user: "", domain: "SOMEDOMAIN", error: 16
</pre>

The server system runs <nop>CentOS 5 and Apache 2.2. Note how the log message claims
that no user name was provided, even though the user did of course enter their name
when the browser prompted for it.

The other noteworthy observation in this case was that the user name was unusually
long - 17 characters, not including the domain name. However, the NTLM specs I 
looked up didn't suggest any name length restrictions. Then
I looked up the <tt>mod_ntlm</tt> code - and found the following in the file =ntlmssp.inc.c=:

<pre>
#define MAX_HOSTLEN 32
#define MAX_DOMLEN 32
#define MAX_USERLEN 32
</pre>

Hmmm... so indeed there was a hard limit for the user name length! But then,
the user's name had 17 characters, i.e. much less than 32, so shouldn't this still
work?

The solution is that at least in our case, user names are transmitted in UTF-16 
encoding, which means that every character is (at least) two bytes!

The lazy kind of coder that I am, I simply doubled all hardcoded limits, recompiled, 
and my authentication woes were over! Well, almost: Before 
reinstalling <tt>mod_ntlm</tt>, I also had to tweak its Makefile slightly as follows:

<pre>
*** Makefile    2009/03/02 18:02:20     1.1
--- Makefile    2009/03/04 15:55:57
***************
*** 17,23 ****

  #   install the shared object file into Apache
  install: all
!       $(APXS) -i -a -n 'ntlm' mod_ntlm.so

  #   cleanup
  clean:
--- 17,23 ----

  #   install the shared object file into Apache
  install: all
!       $(APXS) -i -a -n 'ntlm' mod_ntlm.la
  #   cleanup
  clean:
</pre>

Hope this is useful to someone out there! And while we're at it, here are some links
to related articles:
   * http://blog.rot13.org/2005/11/mod_ntlm_and_keepalive.html
   * http://twiki.org/cgi-bin/view/Plugins/TinyMCEPluginDev

---

%STOPINCLUDE%

%COMMENT{type="below" nonotify="on"}%

---
to top
End of topic
Skip to action links | Back to top
You are here: Blog > DefinePrivatePublic20090306ModNtlm

r1.4 - 20 Mar 2009 - 13:42 - ClausBrod to top
Blog