RE: [squid-users] LDAP Authentication with Umlauts

2008-07-07 Thread Henrik Nordstrom
On fre, 2008-07-04 at 10:30 +0200, Henrik Nordstrom wrote:
> On tor, 2008-07-03 at 12:39 +0200, [EMAIL PROTECTED] wrote:
> > Hi,
> > 
> > I also had problems with umlauts. We use our Lotus Domino Server as LDAP 
> > server and since an update from version 6.5 to 8, our users are unable to 
> > authenticate via IE or Firefox if their password contains umlauts.
> > We are running squid on BSD and Linux and on both system you are able to 
> > authenticate using squid_ldap_auth on command line.
> > I figured out that if you use the command line (set to utf-8) the utf-8 
> > code will be send and if you try to use IE or Firefox the ASCII code will 
> > be send.
> > So I wrote a small work around by adding a new function 
> > rfc1738_unescape_with_utf to squid_ldap_auth.c. The base content is the 
> > original function rfc1738_unescape, but I added a switch statement to 
> > change the character representation from ascii to utf-8 (see code for 
> > german special chars below).
> 
> Can you try the attached patch instead? It tries to address the problem
> in a generic manner.

After thinking this over a bit more, your approach of translating to UTF-8
at input is better. But even better is to do it in Squid before the
request is sent, instead of in each helper.

I have now committed a change adding generic UTF-8 translation to
Squid-2 & 3, adding an auth_param basic utf8 parameter to enable UTF-8
translation of usernames & passwords.

http://www.squid-cache.org/Versions/v2/HEAD/changesets/12298.patch

Regards
Henrik




RE: [squid-users] LDAP Authentication with Umlauts

2008-07-04 Thread Henrik Nordstrom
On tor, 2008-07-03 at 12:39 +0200, [EMAIL PROTECTED] wrote:
> Hi,
> 
> I also had problems with umlauts. We use our Lotus Domino Server as LDAP 
> server and since an update from version 6.5 to 8, our users are unable to 
> authenticate via IE or Firefox if their password contains umlauts.
> We are running squid on BSD and Linux and on both system you are able to 
> authenticate using squid_ldap_auth on command line.
> I figured out that if you use the command line (set to utf-8) the utf-8 
> code will be send and if you try to use IE or Firefox the ASCII code will 
> be send.
> So I wrote a small work around by adding a new function 
> rfc1738_unescape_with_utf to squid_ldap_auth.c. The base content is the 
> original function rfc1738_unescape, but I added a switch statement to 
> change the character representation from ascii to utf-8 (see code for 
> german special chars below).

Can you try the attached patch instead? It tries to address the problem
in a generic manner.

Regards
Henrik
Index: helpers/basic_auth/LDAP/squid_ldap_auth.c
===
RCS file: /cvsroot/squid/squid/helpers/basic_auth/LDAP/squid_ldap_auth.c,v
retrieving revision 1.35
diff -u -p -r1.35 squid_ldap_auth.c
--- helpers/basic_auth/LDAP/squid_ldap_auth.c	27 Aug 2007 14:52:51 -	1.35
+++ helpers/basic_auth/LDAP/squid_ldap_auth.c	4 Jul 2008 08:29:16 -
@@ -608,24 +608,37 @@ static int
 ldap_escape_value(char *escaped, int size, const char *src)
 {
 int n = 0;
-while (size > 4 && *src) {
-	switch (*src) {
+unsigned char ch;
+while (size > 1 && (ch = (unsigned char) *src++) != 0) {
+	switch (ch) {
 	case '*':
 	case '(':
 	case ')':
 	case '\\':
+	if (size < 4)
+		break;
 	n += 3;
 	size -= 3;
 	if (size > 0) {
-		*escaped++ = '\\';
-		snprintf(escaped, 3, "%02x", (unsigned char) *src++);
-		escaped += 2;
+		snprintf(escaped, 4, "\\%02x", ch);
+		escaped += 3;
 	}
 	break;
 	default:
-	*escaped++ = *src++;
-	n++;
-	size--;
+	if (ch < 0x80) {
+		*escaped++ = ch;
+		n++;
+		size--;
+	} else {
+		if (size < 7)
+		break;
+		snprintf(escaped, 7, "\\%02x\\%02x",
+		(ch >> 6) | 0xc0,
+		(ch & 0x3f) | 0x80);
+		escaped += 6;
+		n += 6;
+		size -= 6;
+	}
 	}
 }
 *escaped = '\0';
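Review bot: The two new `break` statements under `if (size < 4)` and `if (size < 7)` leave only the `switch`, not the `while` loop, so when the buffer is nearly full the current character is dropped (`src` was already advanced in the loop condition) while later characters that still fit are appended. The escaped value (presumably used in an LDAP search filter, given the characters it escapes) can then be the input with characters missing from the middle, which may match a different entry than the name that was submitted. Ending the loop at that point, e.g. `if (size < 4) { size = 0; break; }` and the same for the `size < 7` check, turns this into plain truncation; whether truncation should also be reported to the caller depends on the return path, which lies outside this hunk. With the `size < 4` guard in place the inner `if (size > 0)` is always true and can be dropped. The same code is added in ldap_backend.c and squid_ldap_group.c further down.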
@@ -656,7 +669,7 @@ checkLDAP(LDAP * persistent_ld, const ch
 	LDAPMessage *res = NULL;
 	LDAPMessage *entry;
 	char *searchattr[] =
-	{(char *)LDAP_NO_ATTRS, NULL};
+	{(char *) LDAP_NO_ATTRS, NULL};
 	char *userdn;
 	int rc;
 	LDAP *search_ld = persistent_ld;
Index: helpers/digest_auth/ldap/ldap_backend.c
===
RCS file: /cvsroot/squid/squid/helpers/digest_auth/ldap/ldap_backend.c,v
retrieving revision 1.6
diff -u -p -r1.6 ldap_backend.c
--- helpers/digest_auth/ldap/ldap_backend.c	13 Aug 2007 09:20:13 -	1.6
+++ helpers/digest_auth/ldap/ldap_backend.c	4 Jul 2008 08:29:16 -
@@ -160,24 +160,37 @@ static int
 ldap_escape_value(char *escaped, int size, const char *src)
 {
 int n = 0;
-while (size > 4 && *src) {
-	switch (*src) {
+unsigned char ch;
+while (size > 1 && (ch = (unsigned char) *src++) != 0) {
+	switch (ch) {
 	case '*':
 	case '(':
 	case ')':
 	case '\\':
+	if (size < 4)
+		break;
 	n += 3;
 	size -= 3;
 	if (size > 0) {
-		*escaped++ = '\\';
-		snprintf(escaped, 3, "%02x", (int) *src++);
-		escaped += 2;
+		snprintf(escaped, 4, "\\%02x", ch);
+		escaped += 3;
 	}
 	break;
 	default:
-	*escaped++ = *src++;
-	n++;
-	size--;
+	if (ch < 0x80) {
+		*escaped++ = ch;
+		n++;
+		size--;
+	} else {
+		if (size < 7)
+		break;
+		snprintf(escaped, 7, "\\%02x\\%02x",
+		(ch >> 6) | 0xc0,
+		(ch & 0x3f) | 0x80);
+		escaped += 6;
+		n += 6;
+		size -= 6;
+	}
 	}
 }
 *escaped = '\0';
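Review bot: The `else` branch of `default:` re-encodes every byte of 0x80 or above as a two-byte UTF-8 sequence, which is only correct when `src` is ISO-8859-1. A value that reaches the helper already in UTF-8 (the thread mentions this for command-line use) would be encoded a second time, and the lookup would then use a different string than the one the user typed. At minimum the assumption should be stated above the branch, e.g. `/* src is assumed to be ISO-8859-1; bytes >= 0x80 become 2-byte UTF-8 */`, and the conversion is probably better made optional. The same applies to the copies of this function in squid_ldap_auth.c and squid_ldap_group.c.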
Index: helpers/external_acl/ldap_group/squid_ldap_group.c
===
RCS file: /cvsroot/squid/squid/helpers/external_acl/ldap_group/squid_ldap_group.c,v
retrieving revision 1.16
diff -u -p -r1.16 squid_ldap_group.c
--- helpers/external_acl/ldap_group/squid_ldap_group.c	18 Mar 2008 02:44:56 -	1.16
+++ helpers/external_acl/ldap_group/squid_ldap_group.c	4 Jul 2008 08:29:16 -
@@ -608,24 +608,37 @@ static int
 ldap_escape_value(char *escaped, int size, const char *src)
 {
 int n = 0;
-while (size > 4 && *src) {
-	switch (*src) {
+unsigned char ch;
+while (size > 1 && (ch = (unsigned char) *src++) != 0) {
+	switch (ch) {
 	case '*':
 	case '(':
 	case ')':
 	case '\\':
+	if (size < 4)
+		break;
 	n += 3;
 	size -= 3;
 	if (size > 0) {
-		*escaped++ = '\\';
-		snprintf(escaped, 3, "%02x", (unsigned char) *src++);
-		escaped += 2;
+		snprintf(escaped, 4, "\\%02x", ch);
+		escaped += 3;
 	}
 	break;
 	default:
-	*escaped++ = *src++;
-	n++;
-	size--;
+	if (ch < 0x80) {
+		*escaped++ = ch;
+		n

RE: [squid-users] LDAP Authentication with Umlauts

2008-07-03 Thread Henrik Nordstrom
On tor, 2008-07-03 at 12:39 +0200, [EMAIL PROTECTED] wrote:
> Hi,
> 
> I also had problems with umlauts. We use our Lotus Domino Server as LDAP 
> server and since an update from version 6.5 to 8, our users are unable to 
> authenticate via IE or Firefox if their password contains umlauts.

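HTTP authentication uses ISO-8859-1, while LDAP uses UTF-8, so a non-ASCII
character typed in the browser reaches the LDAP server as different bytes
than the ones stored there.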

Regards
Henrik




RE: [squid-users] LDAP Authentication with Umlauts

2008-07-03 Thread enrico . hoyme
Hi,

I also had problems with umlauts. We use our Lotus Domino Server as LDAP 
server and since an update from version 6.5 to 8, our users are unable to 
authenticate via IE or Firefox if their password contains umlauts.
We are running squid on BSD and Linux and on both systems you are able to 
authenticate using squid_ldap_auth on command line.
I figured out that if you use the command line (set to utf-8) the utf-8 
code will be sent and if you try to use IE or Firefox the ASCII code will 
be sent.
So I wrote a small work around by adding a new function 
rfc1738_unescape_with_utf to squid_ldap_auth.c. The base content is the 
original function rfc1738_unescape, but I added a switch statement to 
change the character representation from ascii to utf-8 (see code for 
german special chars below).

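/* Value of a single hexadecimal digit, or -1 when c is not one. */
static int
unescape_hex_digit(char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    if (c >= 'A' && c <= 'F')
        return c - 'A' + 10;
    return -1;
}

/*
 * Decode RFC 1738 %XX escapes in s in place and re-encode seven German
 * ISO-8859-1 characters as two-byte UTF-8.
 *
 * s must be a NUL-terminated, writable string.  The result is never
 * longer than the input: every escape consumes three input characters
 * and produces at most two output bytes, so the write index cannot pass
 * the read index.
 *
 * Rules, in the order they are tested:
 *   "%%"   becomes a single '%'.
 *   "%00"  is not decoded to NUL; the '%' is kept and "00" is dropped.
 *   "%XX"  with two hexadecimal digits becomes the byte 0xXX, except that
 *          the values 196, 214, 220, 223, 228, 246 and 252 are written
 *          as 0xC3 followed by (value - 64), their UTF-8 encoding.
 *   Anything else after '%' (fewer than two characters left, or a
 *   character that is not a hex digit) is copied through unchanged.
 *
 * Both characters of an escape are checked to be hexadecimal digits.
 * The sscanf("%x") call this replaces also accepted a sign or a single
 * digit, so "%-1" decoded to 0xFF and "%4z" decoded to 0x04 while
 * swallowing the 'z'.
 *
 * Limitations: other decoded bytes of 0x80 and above are stored as they
 * are, so ISO-8859-1 characters outside the seven listed are not valid
 * UTF-8 in the result.  The mapping is applied to each decoded byte on
 * its own; input that is already percent-encoded UTF-8 and happens to
 * contain one of the seven byte values is altered.
 */
void
rfc1738_unescape_with_utf(char *s)
{
    int i, j;                   /* i is write, j is read */

    for (i = j = 0; s[j]; i++, j++) {
        int hi, lo;
        unsigned int x;

        s[i] = s[j];
        if (s[i] != '%')
            continue;
        if (s[j + 1] == '%') {  /* %% case */
            j++;
            continue;
        }
        /* Fewer than two characters after '%': keep it literally. */
        if (!s[j + 1] || !s[j + 2])
            continue;
        if (s[j + 1] == '0' && s[j + 2] == '0') {       /* %00 case */
            j += 2;
            continue;
        }
        hi = unescape_hex_digit(s[j + 1]);
        lo = unescape_hex_digit(s[j + 2]);
        /* Not a well-formed escape: leave the '%' and copy what follows. */
        if (hi < 0 || lo < 0)
            continue;
        x = (unsigned int) (hi * 16 + lo);

        switch (x) {
        case 196:               /* U+00C4, A with diaeresis */
        case 214:               /* U+00D6, O with diaeresis */
        case 220:               /* U+00DC, U with diaeresis */
        case 223:               /* U+00DF, sharp s */
        case 228:               /* U+00E4, a with diaeresis */
        case 246:               /* U+00F6, o with diaeresis */
        case 252:               /* U+00FC, u with diaeresis */
            /* UTF-8 for U+00C0..U+00FF is 0xC3 followed by (code - 0x40). */
            s[i] = (char) 195;
            s[i + 1] = (char) (x - 64);
            i++;
            break;
        default:
            s[i] = (char) x;
        }
        j += 2;
    }
    s[i] = '\0';
}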

Regards

Enrico Hoyme