I'm not very LDAP experienced, but nevertheless I see some problems:
* Brad Nicholes wrote:
> Attached is the first attempt at allowing user ID's with extended characters
> as a valid login ID.
Some browsers cannot use non-ascii characters (they cut as the first
occurence). But that's probably a browser problem and not should not be
subject of discussion.
Next: IIRC should characters that are not ISO-8859-1 be sent as RFC 2047
encoded words. Actually I don't know a browser, that does that, but...
> There are still problems with allowing extended
> characters in passwords
hmm. password data should be opaque 8-bit, shouldn't it?
> This patch adds a new directive "AuthLDAPConvertFromLanguage" to
> mod_auth_ldap that allows the admin to either define a specific language
> when converting the user ID to UTF8 of try to derive the language from the
> header.
*hrm*. That should be splitted. You should not hardcode any assignments
between a language and a charset. For example, the charset of 'de' may be
iso-8859-1 or iso-8859-15 or utf-7 or utf-8 or somewhat (windows-1252...).
You should at least allow the admin to do the assignments himself (similar
to mod_mime's AddLanguage).
> It allows the admin to specify "use-header" which will attempt to
> determine which language to convert from, by parsing the accept-language
> header from the request. Once the user ID has been converted to UTF8,
> authentication is performed against the LDAP directory using the raw
> password as it was recieved in the request. I have considered allowing the
> admin to specify the "to" language since the UTF8 language ID is iconv()
> implementation dependant and may not be the same on all platforms.
Just a Note (may be relevant for the user):
Here seems to be some confusion. UTF-8 is *not* a language, it's a
character encoding, or mime-speaking a charset.
One issue of the patch itself:
+ if (convset) {
+ inbytes = strlen(user);
+ outbytes = (inbytes+1)*2;
+ outbuf = apr_pcalloc(r->pool, outbytes);
+
+ /* Convert the user name to UTF-8. This is only valid for LDAP v3
*/
+ if (convset && (apr_xlate_conv_buffer(convset, user, &inbytes,
outbuf, &outbytes) == APR_SUCCESS)) {
+ user = apr_pstrdup(r->pool, outbuf);
+ }
+ }
outbytes seems to be too small. UTF-8 may require more than the double
space of the original string. (at least 3 times more).
my 0.02 ¤ ([EUR] not present in iso-8859-1 ;-)
nd
--
If God intended people to be naked, they would be born that way.
-- Oscar Wilde
