I'm not very LDAP experienced, but nevertheless I see some problems:

* Brad Nicholes wrote:

> Attached is the first attempt at allowing user ID's with extended characters
> as a valid login ID.

Some browsers cannot use non-ASCII characters (they cut at the first occurrence). But that's probably a browser problem and should not be subject of discussion.

Next: IIRC characters that are not ISO-8859-1 should be sent as RFC 2047 encoded words. Actually I don't know a browser that does that, but...

> There are still problems with allowing extended
> characters in passwords

hmm. password data should be opaque 8-bit, shouldn't it?

> This patch adds a new directive "AuthLDAPConvertFromLanguage" to
> mod_auth_ldap that allows the admin to either define a specific language
> when converting the user ID to UTF8 or try to derive the language from the
> header.

*hrm*. That should be split. You should not hardcode any assignments between a language and a charset. For example, the charset of 'de' may be iso-8859-1 or iso-8859-15 or utf-7 or utf-8 or somewhat (windows-1252...). You should at least allow the admin to do the assignments himself (similar to mod_mime's AddLanguage).

> It allows the admin to specify "use-header" which will attempt to
> determine which language to convert from, by parsing the accept-language
> header from the request. Once the user ID has been converted to UTF8,
> authentication is performed against the LDAP directory using the raw
> password as it was received in the request. I have considered allowing the
> admin to specify the "to" language since the UTF8 language ID is iconv()
> implementation dependent and may not be the same on all platforms.

Just a note (may be relevant for the user): Here seems to be some confusion. UTF-8 is *not* a language, it's a character encoding, or mime-speaking a charset.

One issue of the patch itself:

+ if (convset) { + inbytes = strlen(user); + outbytes = (inbytes+1)*2; + outbuf = apr_pcalloc(r->pool, outbytes); + + /* Convert the user name to UTF-8. 
This is only valid for LDAP v3 */ + if (convset && (apr_xlate_conv_buffer(convset, user, &inbytes, outbuf, &outbytes) == APR_SUCCESS)) { + user = apr_pstrdup(r->pool, outbuf); + } + }

outbytes seems to be too small. UTF-8 may require more than double the space of the original string (at least 3 times more).

my 0.02 ¤ ([EUR] not present in iso-8859-1 ;-)

nd
-- 
If God intended people to be naked, they would be born that way.
 -- Oscar Wilde
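
Review bot: the inner `if` around apr_xlate_conv_buffer has no failure path, so when the call does not return APR_SUCCESS (for instance because outbuf is too small for the converted name) `user` is left as the unconverted bytes and authentication carries on with them. Handle the non-success case explicitly (log it and fail or decline the request), and after a successful call also check that `inbytes` has dropped to 0, since the function updates it to the number of input bytes left unconverted. The `convset &&` in the inner condition repeats the test of the enclosing `if (convset)` and can be dropped. Because outbuf comes from apr_pcalloc and is later passed to apr_pstrdup, size it so that at least one zero byte always remains after the converted text.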
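
The buffer-size concern raised in the reply above, as an added example that is not part of the original message or of the mod_auth_ldap patch: a hand-written ISO-8859-15 to UTF-8 converter stands in for apr_xlate_conv_buffer and shows that a user ID made of euro signs does not fit in `(inbytes+1)*2` bytes. All function names are hypothetical and the input is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* ISO-8859-15 equals ISO-8859-1 except at eight positions (assumed source charset). */
static unsigned latin9_to_ucs(unsigned char c)
{
    switch (c) {
    case 0xA4: return 0x20AC;                        /* euro sign: 3 bytes in UTF-8 */
    case 0xA6: return 0x0160; case 0xA8: return 0x0161;
    case 0xB4: return 0x017D; case 0xB8: return 0x017E;
    case 0xBC: return 0x0152; case 0xBD: return 0x0153;
    case 0xBE: return 0x0178;
    default:   return c;
    }
}

/* Bounded conversion: returns the UTF-8 length written (NUL excluded),
 * or -1 when outcap cannot hold the result plus its terminator. */
long latin9_to_utf8(const unsigned char *in, size_t inlen, char *out, size_t outcap)
{
    size_t o = 0;
    if (outcap == 0)
        return -1;
    for (size_t i = 0; i < inlen; i++) {
        unsigned cp = latin9_to_ucs(in[i]);
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : 3;
        if (o + need + 1 > outcap)                   /* keep room for the NUL */
            return -1;
        if (need == 1) {
            out[o++] = (char)cp;
        } else if (need == 2) {
            out[o++] = (char)(0xC0 | (cp >> 6));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        } else {
            out[o++] = (char)(0xE0 | (cp >> 12));
            out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    out[o] = '\0';
    return (long)o;
}

size_t patch_size(size_t inbytes) { return (inbytes + 1) * 2; } /* sizing used in the patch */
size_t safe_size(size_t inbytes)  { return inbytes * 3 + 1; }   /* 3 bytes per char + NUL */

int main(void)
{
    const unsigned char euros[5] = {0xA4, 0xA4, 0xA4, 0xA4, 0xA4}; /* constructed input */
    char buf[32];
    printf("patch-sized buffer: %ld\n", latin9_to_utf8(euros, 5, buf, patch_size(5)));
    printf("3n+1 buffer:        %ld\n", latin9_to_utf8(euros, 5, buf, safe_size(5)));
    return 0;
}
```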