On 20.06.2013 16:00, Mark Phippard wrote:
> On Thu, Jun 20, 2013 at 9:52 AM, Ivan Zhakov <i...@visualsvn.com> wrote:
>> On Thu, Jun 20, 2013 at 5:44 PM, Mark Phippard <markp...@gmail.com> wrote:
>>> On Thu, Jun 20, 2013 at 9:40 AM, Ivan Zhakov <i...@visualsvn.com> wrote:
>>>> On Thu, Jun 20, 2013 at 5:30 PM, Bert Huijben <b...@qqmail.nl> wrote:
>>>> [...]
>>>>
>>>>> The patch to serf 1.2.1 attached to this mail is a (tiny bit cleaned up)
>>>>> hack based on the old code in ra_serf, some code from an old serf branch
>>>>> and the new in serf auth_kerb code, which re-enables the NTLM
>>>>> authentication scheme in serf.
>>>>>
>>>> I'm -1 for such a patch:
>>>> * It duplicates auth_kerb.c, which is intended to have the same auth code
>>>> on different platforms with pluggable platform-specific code
>>>>
>>>> * serf should not try to use NTLM authentication if server supports Negotiate.
>>> So you are saying you do not think Serf should support mod_auth_sspi
>>> and do not consider this a regression? Could you explain that
>>> position with more detail?
>> Mark,
>>
>> You didn't understand me. There are two HTTP authentication schemes
>> for automatic authentication:
>> * NTLM
>> Uses Windows NTLM authentication
>>
>> * Negotiate (SPNEGO)
>> Uses NTLM or Kerberos depending on what is supported by server and client.
>>
>> NTLM is not documented AFAIK, while Negotiate (SPNEGO) is documented
>> by RFC 4559 [1]
>>
>> Serf supports only Negotiate authentication schemes. Which
>> automatically provides you NTLM or Kerberos.
>>
>> mod_auth_sspi can be configured to use Negotiate protocol using
>> "SSPIPackage Negotiate" server side directive. Bert reported that with
>> "SSPIPackage Negotiate" is working fine, but neon doesn't.
>>
>> My position is that serf should use only Negotiate authentication
>> scheme if server supports both NTLM and Negotiate authentication
>> schemes.
> If existing 1.7, 1.6 etc clients do not support this, then your
> position is untenable, one might even say ludicrous. That is why I am
> asking for more explanation. Surely this cannot be what you are
> saying?
>
> We can all agree we have a significant number of existing users using
> an automatic authentication method with Windows. I am calling that
> mod_auth_sspi. I guess to use your terms, that means NTLM. Are any
> of these users using the SSPI negotiate option? If our pre-1.8
> clients do not support that option then I would have to say No.
>
> I fail to see how you can justify a veto here.

I have to agree. The veto is fine on aesthetic grounds but kind of fails
to take account of reality.

-- Brane

-- 
Branko Čibej | Director of Subversion
WANdisco // Non-Stop Data
e. br...@wandisco.com
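
Added example, not part of the thread and not serf's code: a sketch of client-side scheme selection over the `WWW-Authenticate` challenges a server sends, showing the two cases the thread argues about. With both schemes offered, Negotiate is chosen whether or not the client implements NTLM; with only NTLM offered, a Negotiate-only client ends up with no automatic scheme. The names `scheme_t`, `select_scheme` and `client_has_ntlm` are hypothetical, the header values are constructed, and each value is assumed to carry a single challenge.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Automatic schemes, ordered so that a larger value is preferred. */
typedef enum { SCHEME_NONE = 0, SCHEME_NTLM, SCHEME_NEGOTIATE } scheme_t;

/* Classify one WWW-Authenticate value by its leading scheme token. */
static scheme_t challenge_scheme(const char *value)
{
    while (*value == ' ' || *value == '\t') value++;
    size_t len = strcspn(value, " \t,");
    if (len == 9 && strncasecmp(value, "Negotiate", 9) == 0)
        return SCHEME_NEGOTIATE;
    if (len == 4 && strncasecmp(value, "NTLM", 4) == 0)
        return SCHEME_NTLM;
    return SCHEME_NONE; /* Basic, Digest, ...: not automatic, ignored here */
}

/* Pick the preferred scheme among those the server offered and the
 * client implements. client_has_ntlm == 0 models a Negotiate-only client. */
scheme_t select_scheme(const char *const *challenges, size_t n,
                       int client_has_ntlm)
{
    scheme_t best = SCHEME_NONE;
    for (size_t i = 0; i < n; i++) {
        scheme_t s = challenge_scheme(challenges[i]);
        if (s == SCHEME_NTLM && !client_has_ntlm) continue;
        if (s > best) best = s;
    }
    return best;
}

/* Constructed sample challenge sets (not captured from a real server). */
static const char *const ONLY_NTLM[] = { "NTLM" };
static const char *const BOTH[] = { "NTLM", "Negotiate" };
static const char *const WITH_BASIC[] = { "Basic realm=\"svn\"", "ntlm" };

int main(void)
{
    printf("both offered, NTLM-capable client: %d\n", (int)select_scheme(BOTH, 2, 1));
    printf("both offered, Negotiate-only:      %d\n", (int)select_scheme(BOTH, 2, 0));
    printf("NTLM only, Negotiate-only client:  %d\n", (int)select_scheme(ONLY_NTLM, 1, 0));
    printf("NTLM only, NTLM-capable client:    %d\n", (int)select_scheme(ONLY_NTLM, 1, 1));
    printf("Basic + ntlm, NTLM-capable client: %d\n", (int)select_scheme(WITH_BASIC, 2, 1));
    return 0;
}
```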