httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: [PATCH-3] Allowing extended characters in LDAP authentication...
Date Thu, 12 Dec 2002 22:59:29 GMT
   You are absolutely right, there are other modules that need to do
header conversion.  In a previous email, Bill Rowe pointed out that
WebDAV also suffers from charset mismatch, but in a different way than
auth_ldap.  WebDAV needs the URI converted as well as other header
entries in order to function correctly.  A generalized solution needs to
be worked out, but even a generalized header conversion solution still
may not solve the problem for authentication modules because of the fact
that the authentication data conversion needs to be done at the point
when the data is decrypted.  In order to solve WebDAV's problem, the
scope of this discussion needs to be much broader.  Any ideas??





Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

>>> kess@kess-net.de Thursday, December 12, 2002 2:07:24 PM >>>
>    The charset conversion that is happening in LDAP is actually
quite
> specialized.  The general functionality of converting from one
charset
> to another already exists in APR in the form of apr_xlat_xxx().  LDAP
is
> only interested in converting the user ID from a given charset to
UTF-8.
>  Up until auth_ldap calls ap_get_basic_auth_pw(), the user ID and
> password are encrypted in the "Authentication" header entry.  Until
the
> user ID and password have been decrypted, the conversion to UTF-8
can
> not occur.  Therefore the conversion must take place from within
> auth_ldap or any other authentication module after decrypting the
user
> information.  A module or filter outside of the authentication
module
> that does a blind charset conversion on the header information,
would
> not work because it would not be able to decrypt the user ID and
> password, convert it and re-encrypt it in order to make the process
> transparent to all authentication modules.  

Well you are right, that you first have to decrypt the authentication 
information before you are able to do charset conversion. And I
overlooked 
that a conversion function already exists, which you are using. My 
suggestions have been a little bit inconsideratly. Let me try to
explain.

>    I do agree that we need some type of functionality that will
convert
> requests made in a particular charset to a universal charset that
Apache
> can rely on.  I'm just not sure this is it.  It seems to work for
> auth_LDAP, but I'm not sure how to generalize it.  This is where a
much
> broader discussion need to take place.

I still think mod_auth_ldap won't be the only module doing charset 
conversion on headers. Or say, the authentication header might not stay
the 
only header which needs to be converted. But if we want to convert
headers 
and we have to guess the incoming charset, we will need a general 
assignment table, not only for mod_auth_ldap but for all modules
interested 
in converting headers. Or with other words, your conf file might move
to 
another module at a later time. Which could also be done now. 

But maybe this patch is not the right place to discuss a general new 
feature.

Kess

Mime
View raw message