httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Astrid Kessler <>
Subject Re: [PATCH-3] Allowing extended characters in LDAP authentication...
Date Thu, 12 Dec 2002 21:07:24 GMT
>    The charset conversion that is happening in LDAP is actually quite
> specialized.  The general functionality of converting from one charset
> to another already exists in APR in the form of apr_xlat_xxx().  LDAP is
> only interested in converting the user ID from a given charset to UTF-8.
>  Up until auth_ldap calls ap_get_basic_auth_pw(), the user ID and
> password are encrypted in the "Authentication" header entry.  Until the
> user ID and password have been decrypted, the conversion to UTF-8 can
> not occur.  Therefore the conversion must take place from within
> auth_ldap or any other authentication module after decrypting the user
> information.  A module or filter outside of the authentication module
> that does a blind charset conversion on the header information, would
> not work because it would not be able to decrypt the user ID and
> password, convert it and re-encrypt it in order to make the process
> transparent to all authentication modules.  

Well you are right, that you first have to decrypt the authentication 
information before you are able to do charset conversion. And I overlooked 
that a conversion function already exists, which you are using. My 
suggestions have been a little bit inconsideratly. Let me try to explain.

>    I do agree that we need some type of functionality that will convert
> requests made in a particular charset to a universal charset that Apache
> can rely on.  I'm just not sure this is it.  It seems to work for
> auth_LDAP, but I'm not sure how to generalize it.  This is where a much
> broader discussion need to take place.

I still think mod_auth_ldap won't be the only module doing charset 
conversion on headers. Or say, the authentication header might not stay the 
only header which needs to be converted. But if we want to convert headers 
and we have to guess the incoming charset, we will need a general 
assignment table, not only for mod_auth_ldap but for all modules interested 
in converting headers. Or with other words, your conf file might move to 
another module at a later time. Which could also be done now. 

But maybe this patch is not the right place to discuss a general new 


View raw message