httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brad Nicholes" <>
Subject [PATCH-2] Allowing extended characters in LDAP authentication...
Date Tue, 10 Dec 2002 00:12:12 GMT
    Second cut at allowing extended characters.  The name of the directive changed to "AuthLDAPCharsetConversion"
rather than "AuthLDAPConvertFromLanguage" since it is mainly dealing with character sets rather
than languages.  It also changed from an AP_INIT_TAKE1 to and AP_INIT_TAKE12 to allow for
an optional "to" character set rather than assuming "utf8".  If no "to" character set is given
then it will default to "utf8".  Also the output buffer for the conversion to UTF8 is larger.

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions 

>>> Friday, December 06, 2002 3:36:26 PM >>>
I'm not very LDAP experienced, but nevertheless I see some problems:

* Brad Nicholes wrote:

> Attached is the first attempt at allowing user ID's with extended characters
> as a valid login ID.

Some browsers cannot use non-ascii characters (they cut as the first 
occurence). But that's probably a browser problem and not should not be 
subject of discussion.

Next: IIRC should characters that are not ISO-8859-1 be sent as RFC 2047 
encoded words. Actually I don't know a browser, that does that, but...

> There are still problems with allowing extended
> characters in passwords

hmm. password data should be opaque 8-bit, shouldn't it?

> This patch adds a new directive "AuthLDAPConvertFromLanguage" to
> mod_auth_ldap that allows the admin to either define a specific language
> when converting the user ID to UTF8 of try to derive the language from the
> header.

*hrm*. That should be splitted. You should not hardcode any assignments 
between a language and a charset. For example, the charset of 'de' may be 
iso-8859-1 or iso-8859-15 or utf-7 or utf-8 or somewhat (windows-1252...).
You should at least allow the admin to do the assignments himself (similar 
to mod_mime's AddLanguage). 

> It allows the admin to specify "use-header" which will attempt to
> determine which language to convert from, by parsing the accept-language
> header from the request.  Once the user ID has been converted to UTF8,
> authentication is performed against the LDAP directory using the raw
> password as it was recieved in the request.  I have considered allowing the
> admin to specify the "to" language since the UTF8 language ID is iconv()
> implementation dependant and may not be the same on all platforms.

Just a Note (may be relevant for the user):
Here seems to be some confusion. UTF-8 is *not* a language, it's a 
character encoding, or mime-speaking a charset.

One issue of the patch itself:

+    if (convset) {
+        inbytes = strlen(user);
+        outbytes = (inbytes+1)*2;
+        outbuf = apr_pcalloc(r->pool, outbytes);
+        /* Convert the user name to UTF-8.  This is only valid for LDAP v3 
+        if (convset && (apr_xlate_conv_buffer(convset, user, &inbytes, 
outbuf, &outbytes) == APR_SUCCESS)) {
+            user = apr_pstrdup(r->pool, outbuf);
+        }
+    }

outbytes seems to be too small. UTF-8 may require more than the double 
space of the original string. (at least 3 times more).

my 0.02 ยค ([EUR] not present in iso-8859-1 ;-)

If God intended people to be naked, they would be born that way.
  -- Oscar Wilde

View raw message