openFATE - openSUSE feature tracking > #305546

Support for NTLM authentication (proxy) in YaST and libzypp

Feature state

Package Wishlist: Done
openSUSE-11.2: Rejected Information
openSUSE-11.3: Rejected Information

Description

YaST and libzypp should work in an environment with a proxy server that requires NTLM authentication. The feature consists of two parts:

  1. The YaST proxy module has to provide a UI that lets the user choose NTLM and writes the configuration file (/root/.curlrc) accordingly.
  2. The libzypp media backend needs to be adapted to read and understand such a configuration (that is, to also accept the --proxy-ntlm option instead of the bare --proxy only).

User benefit:

Significant for adoption in mixed datacenters where the proxy infrastructure is on MSFT assets.
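
The second part of the description, sketched as an added example that is not libzypp or YaST code: a reader for curl-config text (the format of /root/.curlrc) that keeps only the proxy authentication methods the file names, so the backend can pass a narrow mask instead of allowing every method. The names ProxyConfig, parseCurlrc and the AUTH_* constants are hypothetical, and the sample input is constructed.

```cpp
#include <sstream>
#include <string>
// Local stand-ins for libcurl's CURLAUTH_* bits, so this builds without libcurl.
enum ProxyAuth : unsigned { AUTH_NONE = 0, AUTH_BASIC = 1, AUTH_DIGEST = 2, AUTH_NTLM = 8 };

struct ProxyConfig {
    std::string proxy;          // proxy / --proxy
    std::string userpwd;        // proxy-user / --proxy-user
    unsigned auth = AUTH_NONE;  // methods the file explicitly allows
};

static std::string trim(const std::string& s, const char* set) {
    const auto b = s.find_first_not_of(set);
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(set) - b + 1);
}

// Hypothetical helper: one option per line, "#" comments, optional leading
// "--", value separated by whitespace, "=" or ":" and optionally quoted.
ProxyConfig parseCurlrc(const std::string& text) {
    ProxyConfig cfg;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        line = trim(line, " \t\r");
        if (line.empty() || line[0] == '#') continue;
        const auto sep = line.find_first_of(" \t=:");
        std::string name = line.substr(0, sep), value;
        if (sep != std::string::npos) {
            const auto v = line.find_first_not_of(" \t=:", sep);
            if (v != std::string::npos) value = trim(line.substr(v), " \t\"");
        }
        if (name.rfind("--", 0) == 0) name.erase(0, 2);
        if (name == "proxy") cfg.proxy = value;
        else if (name == "proxy-user") cfg.userpwd = value;
        else if (name == "proxy-basic") cfg.auth |= AUTH_BASIC;
        else if (name == "proxy-digest") cfg.auth |= AUTH_DIGEST;
        else if (name == "proxy-ntlm") cfg.auth |= AUTH_NTLM;
    }
    // With a proxy but no explicit method, fall back to Basic (curl's default).
    if (!cfg.proxy.empty() && cfg.auth == AUTH_NONE) cfg.auth = AUTH_BASIC;
    return cfg;
}

// Constructed sample input, not taken from a real system.
const char* kSampleCurlrc = "# proxy\n--proxy \"http://proxy.example:3128\"\n"
                            "--proxy-user \"alice:s3cret\"\n--proxy-ntlm\n";

int main() { return parseCurlrc(kSampleCurlrc).auth == AUTH_NTLM ? 0 : 1; }
```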

Relations

References

https://bugzilla.novell.com/show_bug.cgi?id=440296
https://bugzilla.novell.com/show_bug.cgi?id=412137

Discussion


F. L. wrote: (9 years ago)

Sadly, there is a realistic business case for this in mixed datacenters. Some odd people like to use NTLM proxies, I will never understand why.

this will be a headache to do :-/

M. M. wrote: (8 years ago)

Many of the engineers at Dell Computer in Austin want to use openSUSE 11.2 on their desktop machines. Dell uses an NTLM proxy on their corporate network so a lack of this functionality is keeping them from doing so.

This group of engineers are very loyal SUSE/Novell folks who are trying very hard to help a SUSE desktop make inroads into Dell's corporate environment.

Current number of engineers who cannot use the product is 50 - 60

On a side note, they see this as a glaring problem. I don't know how many corporations use NTLM proxies but the gents at Dell seem to think it is quite a lot.

K. M. wrote: (8 years ago)

I was wondering whether aria2c can handle NTLM auth. curl certainly does, but it's not our default downloader anymore. I googled a bit and found this table and it doesn't look too positive :(

D. M. wrote: (8 years ago)

Because we are now using aria2 (however ZYpp still can fall back to curl) I asked the aria2 author if he planned something in this direction.

He does not, however he will look into the protocol. The problem, apart from the time, is that he does not have a server to test.

He pointed me to http://ntlmaps.sourceforge.net/ which allows to authenticate against an NTLM server acting as a normal proxy server. I have never tested this, but I wonder if companies really need support for this protocol in the tooling.

M. C. wrote: (8 years ago)

I would say yes. I sometimes see logs from the registration where a proxy is in use with NTLM authentication. I think this is some kind of Windows Server which is doing the authentication and automatically supports NTLM. If possible, we should have a way to support this.

M. A. wrote: (7 years ago)

Might be worth mentioning that post 11.3 we're about to drop aria2 again. We now have a builtin solution supporting metalink and zsync, based on libcurl.

C. B. wrote: (7 years ago)

Also Telecom Italia (http://www.telecomitalia.it) asked us about this feature support since their SLES / SMT should pass through MSFT ISA proxies with authentication in order to reach our nu.novell.com.

But SLES 11 SP1 does not support it.

A. C. wrote: (6 years ago)

NTLM authentication should be an option in YAST to work seamlessly across all services.

D. M. wrote: (6 years ago)

Has anyone really tried this?
I can see in ZYpp code
> grep CURLOPT_PROXYAUTH *
MediaCurl.cc: SET_OPTION(CURLOPT_PROXYAUTH, CURLAUTH_BASIC|CURLAUTH_DIGEST|CURLAUTH_NTLM );

Which means NTLM is enabled.

D. M. wrote: (6 years ago)

Oh, I just realized this commit is only a few days old. This should enable NTLM support, but it needs to be tested. It will be in next openSUSE, SLE service pack or major version. If we need a backport we can do it, but it needs to be tested.

commit 3524f4d265a9c697fb201977f60cc7eba3570250 
Author: Michael Andres <ma@suse.de>
Date: Thu Oct 20 15:57:02 2011 +0200
Set CURLOPT_PROXYAUTH
diff --git a/zypp/media/MediaCurl.cc b/zypp/media/MediaCurl.cc
index cb27760..901ac45 100644
--- a/zypp/media/MediaCurl.cc
+++ b/zypp/media/MediaCurl.cc
@@ -620,6 +620,7 @@ void MediaCurl::setupEasy()
if ( ! _settings.proxy().empty() )
{
SET_OPTION(CURLOPT_PROXY, _settings.proxy().c_str());
+ SET_OPTION(CURLOPT_PROXYAUTH, CURLAUTH_BASIC|CURLAUTH_DIGEST|
CURLAUTH_NTLM );
/*---------------------------------------------------------------*
CURLOPT_PROXYUSERPWD: [user name]:[password]
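
Review bot: The mask on the added SET_OPTION(CURLOPT_PROXYAUTH, ...) line is hard-coded and always includes CURLAUTH_BASIC, so the backend still has no way to honour a configuration that asks for NTLM only, which is what the feature description requests with --proxy-ntlm in /root/.curlrc. libcurl picks the strongest method the proxy advertises from this mask, but a proxy that offers only Basic will still be sent the proxy password merely base64-encoded. Consider taking the allowed methods from the proxy settings and using this three-way mask only as the fallback when nothing is configured. A short comment above the line explaining why these three methods are listed would also help, since the commit message only says "Set CURLOPT_PROXYAUTH".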

M. C. wrote: (6 years ago)

I had this enabled for SMT and a customer was able to authenticate to a proxy. So I went to zypp team and they have enabled this too.
I think it is part of 12.1 and Factory, but not on older versions.

M. A. wrote: (5 years ago)

It's available since 12.1 and in
SLES11-SP1 since libzypp-6.37.7
SLES11-SP2 since libzypp-9.11.9

Y. K. wrote: (6 years ago)

NTLM is a very important feature for me, because I have to use a proxy with NTLMv2 authentication.
I hope I'll get it in the next release, and also I recommend using the cntlm package.

Last change: 4 years ago
Voting
Score: 6
  • Negative: 0
  • Neutral: 1
  • Positive: 6