Feature changed by: Michael Calmer (mcalmer)
Feature #305546, revision 28
Title: Support for NTLM authentication (proxy) in YaST and libzypp
openSUSE-11.2: Rejected by Christoph Thiel (cthiel1)
reject date: 2009-07-16 18:02:44
reject reason: out of context for openSUSE.
Priority
Requester: Desirable
Projectmanager: Desirable
openSUSE-11.3: Evaluation by product manager
Priority
Requester: Desirable
Package Wishlist: Unconfirmed
Priority
Requester: Important
Info Provider: Federico Lucifredi (flucifredi)
Requested by: Katarina Machalkova (kmachalkova)
Product Manager: Federico Lucifredi (flucifredi)
Partner organization: openSUSE.org
Description:
YaST and libzypp should work in an environment with proxy server
requiring NTLM authentication. The feature consists of two parts:
1) YaST proxy module has to provide UI to let user choose NTLM and
write configuration file (/root/.curlrc) accordingly
2) libzypp media backend needs to be adapted to read and understand
such configuration (that is, also accept the --proxy-ntlm option instead
of bare --proxy only)
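
Added example (not libzypp or YaST code): the C++ below reads curlrc-style text and reports which proxy authentication scheme it selects, so a bare proxy line and one accompanied by proxy-ntlm are told apart. ProxyConfig, parse_curlrc, strip and the AUTH_* constants are names made up for this example; only long option names are handled, and OR-ing several scheme options together is an assumption of the example.

```cpp
#include <cstdint>
#include <sstream>
#include <string>

// Local stand-ins for libcurl's CURLAUTH_* bits, so no libcurl is needed.
enum : std::uint32_t { AUTH_BASIC = 1u, AUTH_DIGEST = 2u, AUTH_NTLM = 8u };

struct ProxyConfig {
    std::string proxy;       // value of "proxy"
    std::string user;        // value of "proxy-user" (user:password)
    std::uint32_t auth = 0;  // OR of the schemes the file selects
};

static std::string strip(const std::string& s, const char* chars) {
    const auto b = s.find_first_not_of(chars);
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(chars) - b + 1);
}

// curlrc syntax handled here: one long option per line, '#' comments, leading
// dashes optional, name and value separated by whitespace, '=' or ':'.
ProxyConfig parse_curlrc(const std::string& text) {
    ProxyConfig cfg;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        line = strip(line, " \t\r");
        if (line.empty() || line[0] == '#') continue;
        line.erase(0, line.find_first_not_of('-'));       // drop leading "--"
        const auto sep = line.find_first_of(" \t=:");
        const std::string name = line.substr(0, sep);
        std::string value = sep == std::string::npos ? "" : line.substr(sep);
        value.erase(0, value.find_first_not_of(" \t=:")); // drop the separator
        value = strip(value, " \t\"");                    // drop quotes
        if (name == "proxy") cfg.proxy = value;
        else if (name == "proxy-user") cfg.user = value;
        else if (name == "proxy-basic") cfg.auth |= AUTH_BASIC;
        else if (name == "proxy-digest") cfg.auth |= AUTH_DIGEST;
        else if (name == "proxy-ntlm") cfg.auth |= AUTH_NTLM;
    }
    // Bare "proxy" with no scheme option: fall back to Basic, libcurl's default.
    if (!cfg.proxy.empty() && cfg.auth == 0) cfg.auth = AUTH_BASIC;
    return cfg;
}

int main() {
    // Constructed sample of such a configuration file (not from the page).
    const ProxyConfig c = parse_curlrc("--proxy \"http://proxy.example.com:3128\"\nproxy-user = \"alice:secret\"\n--proxy-ntlm\n");
    return c.auth == AUTH_NTLM ? 0 : 1;
}
```
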
References:
https://bugzilla.novell.com/show_bug.cgi?id=440296
https://bugzilla.novell.com/show_bug.cgi?id=412137
Relations:
- Cntlm Authentication Proxy (url: http://cntlm.sourceforge.net/)
Business case (Partner benefit):
openSUSE.org: Significant for adoption in mixed datacenters where the
proxy infrastructure is on MSFT assets.
Discussion:
#1: Federico Lucifredi (flucifredi) (2009-01-26 20:57:23)
Sadly, there is a realistic business case for this in mixed
datacenters. Some odd people like to use NTLM proxies, I will never
understand why.
This will be a headache to do :-/
#2: Mark Muhlestein (mmuhlestein) (2010-01-13 18:10:39)
Many of the engineers at Dell Computer in Austin want to use openSUSE
11.2 on their desktop machines. Dell uses an NTLM proxy on their
corporate network so a lack of this functionality is keeping them from
doing so.
This group of engineers are very loyal SUSE/Novell folks who are trying
very hard to help a SUSE desktop make inroads into Dell's corporate
environment.
Current number of engineers who cannot use the product is 50 - 60.
On a side note, they see this as a glaring problem. I don't know how many
corporations use NTLM proxies but the gents at Dell seem to think it is
quite a lot.
#3: Katarina Machalkova (kmachalkova) (2010-01-14 15:03:36)
I was wondering whether aria2c can handle NTLM auth. curl certainly
does, but it's not our default downloader anymore. I googled a bit and
found this table (http://curl.haxx.se/docs/comparison-table.html) and
it doesn't look too positive :(
#4: Duncan Mac-Vicar (dmacvicar) (2010-01-14 16:51:17)
Because we are now using aria2 (however ZYpp still can fall back to
curl) I asked the aria2 author if he planned something in this direction.
He does not, however he will look into the protocol. The problem,
apart from the time, is that he does not have a server to test.
He pointed me to http://ntlmaps.sourceforge.net/ which allows one to
authenticate against an NTLM server acting as a normal proxy server. I
have never tested this, but I wonder if companies really need support
for this protocol in the tooling.
#5: Michael Calmer (mcalmer) (2010-01-14 16:57:35) (reply to #4)
I would say yes. I sometimes see logs from the registration where a
proxy is in use with NTLM authentication. I think this is some kind of
Windows Server which is doing the authentication and automatically
supports NTLM. If possible, we should have a way to support this.
#7: Michael Andres (mlandres) (2010-08-10 15:32:24) (reply to #4)
Might be worth mentioning that post 11.3 we're about to drop aria2
again. We now have a builtin solution supporting metalink and zsync, based
on libcurl.
#6: Carlo Baffè (cbaffe) (2010-08-05 14:04:03)
Also Telecom Italia (http://www.telecomitalia.it) asked us about this
feature support since their SLES / SMT should pass through MSFT ISA
proxies with authentication in order to reach our nu.novell.com.
but SLES 11 SP1 does not support it.
#9: Andi Chandler (andibing) (2011-12-01 19:58:54)
NTLM authentication should be an option in YaST to work seamlessly
across all services.
#10: Duncan Mac-Vicar (dmacvicar) (2011-12-05 09:27:32) (reply to #9)
Has anyone really tried this? I can see in ZYpp code
> grep CURLOPT_PROXYAUTH *
MediaCurl.cc: SET_OPTION(CURLOPT_PROXYAUTH, CURLAUTH_BASIC|CURLAUTH_DIGEST|CURLAUTH_NTLM );
Which means NTLM is enabled.
+ #12: Michael Calmer (mcalmer) (2011-12-05 10:04:30) (reply to #10)
+ I had this enabled for SMT and a customer was able to authenticate to a
+ proxy.So I went to zypp team and they have enabled this too. I think it
+ is part of 12.1 and Factory, but not on older versions.
#11: Duncan Mac-Vicar (dmacvicar) (2011-12-05 09:59:45) (reply to #10)
Oh, I just realized this commit is only a few days old. This should
enable NTLM support, but it needs to be tested. It will be in next
openSUSE, SLE service pack or major version. If we need a backport we
can do it, but it needs to be tested.
commit 3524f4d265a9c697fb201977f60cc7eba3570250
Author: Michael Andres