UPN (kerberos-style) usernames and domain

Question

UPN (kerberos-style) usernames and domain

slukovic opened this issue 8 years ago · 3 comments

Hi,

I have to connect to a mail server (Exchange) where emails are used as usernames. At the moment HttpNtlmAuth constructor finds @ in my username here and splits it into a domain and username pair.

This was added in @nitzmahone's pull request #68.

In this particular case this is incorrect as domain should be empty. But it may also be incorrect in the general case. According to this, domain should always be empty when username is in kerberos-style format.

It is easy to work around this as I can change domain after HttpNtlmAuth was constructed. But should we add optional domain parameter to the constructor and/or not split usernames?

Regards,
Srdan

λ pip freeze | grep ntlm
ntlm-auth==1.0.2
requests-ntlm==1.0.0

Answer 1 · 2016-12-12T15:44:24.000Z

Ultimately, I'm not sure.

The document you linked points out that there is an unavoidable ambiguity here: there are multiple possible parsing variations that ultimately look the same and cannot be reliably distinguished. That does rather suggest that taking an optional domain parameter in the constructor would be the way to go.

I'd be open to merging a PR that adds that functionality.

Answer 2 · 2016-12-13T15:47:34.000Z

Hi guys,

I pushed a provisional commit. I left two comments there. I wasn't sure about backwards compatibility of __init__ and what should be the default domain.

Answer 3 · 2017-10-18T00:17:56.000Z

The v1.1.0 release contains the fix for correctly parsing UPN usernames.