httpd-dev mailing list archives

From André Malo
Subject Re: [PATCH] Allowing extended characters in LDAP authentication...
Date Fri, 06 Dec 2002 22:36:26 GMT
I'm not very LDAP experienced, but nevertheless I see some problems:

* Brad Nicholes wrote:

> Attached is the first attempt at allowing user ID's with extended characters
> as a valid login ID.

Some browsers cannot use non-ascii characters (they cut at the first 
occurrence). But that's probably a browser problem and should not be the 
subject of discussion.

Next: IIRC, characters that are not ISO-8859-1 should be sent as RFC 2047 
encoded words. Actually I don't know a browser that does that, but...

> There are still problems with allowing extended
> characters in passwords

hmm. password data should be opaque 8-bit, shouldn't it?

> This patch adds a new directive "AuthLDAPConvertFromLanguage" to
> mod_auth_ldap that allows the admin to either define a specific language
> when converting the user ID to UTF8 or try to derive the language from the
> header.

*hrm*. That should be split. You should not hardcode any assignments 
between a language and a charset. For example, the charset of 'de' may be 
iso-8859-1 or iso-8859-15 or utf-7 or utf-8 or something else (windows-1252...).
You should at least allow the admin to do the assignments himself (similar 
to mod_mime's AddLanguage). 

> It allows the admin to specify "use-header" which will attempt to
> determine which language to convert from, by parsing the accept-language
> header from the request.  Once the user ID has been converted to UTF8,
> authentication is performed against the LDAP directory using the raw
> password as it was received in the request.  I have considered allowing the
> admin to specify the "to" language since the UTF8 language ID is iconv()
> implementation dependent and may not be the same on all platforms.

Just a note (may be relevant for the user):
There seems to be some confusion here. UTF-8 is *not* a language, it's a 
character encoding, or, MIME-speaking, a charset.

One issue of the patch itself:

+    if (convset) {
+        inbytes = strlen(user);
+        outbytes = (inbytes+1)*2;
+        outbuf = apr_pcalloc(r->pool, outbytes);
+        /* Convert the user name to UTF-8.  This is only valid for LDAP v3 
+        if (convset && (apr_xlate_conv_buffer(convset, user, &inbytes, 
outbuf, &outbytes) == APR_SUCCESS)) {
+            user = apr_pstrdup(r->pool, outbuf);
+        }
+    }
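
Review bot: In the `apr_pcalloc`/`apr_pstrdup` pair, `outbuf` has no byte reserved for a terminator: if the conversion writes all `outbytes` bytes, `apr_pstrdup(r->pool, outbuf)` reads past the end of the allocation. Allocate `outbytes + 1`, or copy only the written length (the initial size minus the value left in `outbytes` after the call). The result is also used without checking that `inbytes` is 0 after the call, so input left unconverted goes unnoticed; rejecting or logging that case would be safer. The inner `convset &&` repeats the outer test and can go.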

outbytes seems to be too small. UTF-8 may require more than double the 
space of the original string. (at least 3 times more).

my 0.02 € ([EUR] not present in iso-8859-1 ;-)

If God intended people to be naked, they would be born that way.
  -- Oscar Wilde
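
The buffer-size point raised in this message, as an added example that is not part of the thread, the patch or httpd: a user ID is converted to UTF-8 starting from the patch's `(len+1)*2` guess, growing the buffer when it turns out too small and refusing partial results. It calls POSIX `iconv` directly rather than `apr_xlate`, and the helper name `userid_to_utf8` is hypothetical.

```c
#include <errno.h>
#include <iconv.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from the patch): convert `in` from `charset` to
 * UTF-8. Returns a malloc'ed NUL-terminated string, or NULL when the charset
 * is unknown or the input is invalid/incomplete, so the caller can reject
 * the login instead of searching with a half-converted name. */
char *userid_to_utf8(const char *charset, const char *in)
{
    iconv_t cd = iconv_open("UTF-8", charset);
    if (cd == (iconv_t)-1)
        return NULL;

    size_t inleft = strlen(in);
    size_t cap = (inleft + 1) * 2;    /* same first guess as the patch */
    char *out = malloc(cap);
    char *src = (char *)in;           /* iconv() does not modify the input */
    size_t used = 0;

    while (out != NULL) {
        char *dst = out + used;
        size_t outleft = cap - used - 1;   /* keep one byte for the NUL */
        size_t rc = iconv(cd, &src, &inleft, &dst, &outleft);
        used = (size_t)(dst - out);
        if (rc != (size_t)-1)
            break;                    /* all input consumed */
        if (errno != E2BIG) {         /* EILSEQ or EINVAL: bad input */
            free(out);
            out = NULL;
            break;
        }
        cap *= 2;                     /* output full: grow and continue */
        char *bigger = realloc(out, cap);
        if (bigger == NULL)
            free(out);
        out = bigger;
    }
    iconv_close(cd);
    if (out != NULL)
        out[used] = '\0';
    return out;
}
```

With the constructed input of three ISO-8859-15 euro signs (byte 0xA4 each), the first guess of 8 bytes cannot hold the 9 bytes of UTF-8 plus terminator, so the grow path runs.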
