httpd-dev mailing list archives

From "Brad Nicholes" <>
Subject Re: [PATCH-3] Allowing extended characters in LDAP authentication...
Date Thu, 12 Dec 2002 22:59:29 GMT
   You are absolutely right, there are other modules that need to do header conversion.  In
a previous email, Bill Rowe pointed out that WebDAV also suffers from charset mismatch, but
in a different way than auth_ldap.  WebDAV needs the URI converted as well as other header
entries in order to function correctly.  A generalized solution needs to be worked out, but
even a generalized header conversion solution still may not solve the problem for authentication
modules because of the fact that the authentication data conversion needs to be done at the
point when the data is decrypted.  In order to solve WebDAV's problem, the scope of this discussion
needs to be much broader.  Any ideas??

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions 

>>> Thursday, December 12, 2002 2:07:24 PM >>>
>    The charset conversion that is happening in LDAP is actually quite
> specialized.  The general functionality of converting from one charset
> to another already exists in APR in the form of apr_xlat_xxx().  LDAP is
> only interested in converting the user ID from a given charset to UTF-8.
>  Up until auth_ldap calls ap_get_basic_auth_pw(), the user ID and
> password are encrypted in the "Authentication" header entry.  Until the
> user ID and password have been decrypted, the conversion to UTF-8 can
> not occur.  Therefore the conversion must take place from within
> auth_ldap or any other authentication module after decrypting the user
> information.  A module or filter outside of the authentication module
> that does a blind charset conversion on the header information would
> not work because it would not be able to decrypt the user ID and
> password, convert it and re-encrypt it in order to make the process
> transparent to all authentication modules.  

Well you are right, that you first have to decrypt the authentication 
information before you are able to do charset conversion. And I overlooked 
that a conversion function already exists, which you are using. My 
suggestions have been a little bit inconsiderate. Let me try to explain.

>    I do agree that we need some type of functionality that will convert
> requests made in a particular charset to a universal charset that Apache
> can rely on.  I'm just not sure this is it.  It seems to work for
> auth_LDAP, but I'm not sure how to generalize it.  This is where a much
> broader discussion needs to take place.

I still think mod_auth_ldap won't be the only module doing charset 
conversion on headers. Or say, the authentication header might not stay the 
only header which needs to be converted. But if we want to convert headers 
and we have to guess the incoming charset, we will need a general 
assignment table, not only for mod_auth_ldap but for all modules interested 
in converting headers. Or in other words, your conf file might move to 
another module at a later time. Which could also be done now. 

But maybe this patch is not the right place to discuss a general new 
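
The ordering constraint discussed in this thread, as an added example that is not part of the original messages or of the auth_ldap patch: Basic credentials travel Base64-encoded (the step the thread calls decrypting), so a charset conversion applied to the header as a whole leaves them untouched, while converting after decoding yields a UTF-8 user ID. The function names, the sample user ID and the ISO-8859-1 source charset are assumptions made for illustration.

```python
import base64

# Constructed sample: user ID "jürgen" sent by a client using ISO-8859-1.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"j\xfcrgen:secret").decode("ascii")


def credential_bytes(header_value: str) -> bytes:
    """Return the raw user:password bytes carried in a Basic header value."""
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    return base64.b64decode(payload.strip(), validate=True)


def blind_header_conversion(header_value: str, src_charset: str) -> str:
    """Model a generic filter that transcodes the header bytes to UTF-8
    without looking inside the credential payload."""
    raw = header_value.encode("ascii")  # Base64 text is plain ASCII
    return raw.decode(src_charset).encode("utf-8").decode("ascii")


def user_id_to_utf8(header_value: str, src_charset: str) -> tuple[bytes, bytes]:
    """Decode the credentials first, then convert only the user ID to UTF-8."""
    user, sep, password = credential_bytes(header_value).partition(b":")
    if not sep:
        raise ValueError("missing ':' between user ID and password")
    return user.decode(src_charset).encode("utf-8"), password


def is_valid_utf8(data: bytes) -> bool:
    """True if data decodes cleanly as UTF-8."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    blind = blind_header_conversion(SAMPLE_HEADER, "iso-8859-1")
    print("header changed by blind conversion:", blind != SAMPLE_HEADER)
    print("user ID valid UTF-8 after blind conversion:",
          is_valid_utf8(credential_bytes(blind).split(b":")[0]))
    print("converted inside the auth step:",
          user_id_to_utf8(SAMPLE_HEADER, "iso-8859-1"))
```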

