Bug 45318

Summary: mod_authnz_ldap does not convert passwords to UTF-8
Product: Apache httpd-2
Reporter: Johannes Müller <joh_m>
Component: mod_authn_ldap
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: minor
CC: apache-bugs, covener, rederpj
Priority: P2
Keywords: FixedInTrunk
Version: 2.2.9
Target Milestone: ---
Hardware: All
OS: All
Attachments: Patch to support converting passwords to UTF-8 in mod_authnz_ldap.c

Description Johannes Müller 2008-07-01 10:06:51 UTC
Created attachment 22202
Patch to support converting passwords to UTF-8 in mod_authnz_ldap.c

Hello,

we are using basic authentication against an LDAPv3 server, which talks UTF-8.

The authentication fails if a user has special characters in his password (like the paragraph character §).
This is 0xA7 in ISO-8859-1 from the client, but should be 0xC2A7 in UTF-8 to the directory server.
This happens with every character that is not ASCII, because it is then a two-byte character. (The first bit is always 0 in UTF-8 for one-byte characters.)

mod_authnz_ldap only converts usernames correctly (if given "AuthLDAPCharsetConfig conf/charset.conv"), but not passwords!

I have written a patch against httpd 2.2.9.
See attachments.


========
LOG FILE
========
[Thu Jun 26 18:18:51 2008] [debug] mod_authnz_ldap.c(376): [client 10.192.120.192] [30522] auth_ldap authenticate: using URL ldap://ldap.intranet.mycompany.com:389/ou=Users,o=MYCOMPANY,c=de?uid?sub
[Thu Jun 26 18:18:54 2008] [warn] [client 10.192.120.192] [30522] auth_ldap authenticate: user J23259 authentication failed; URI /webhosting/ [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Thu Jun 26 18:18:54 2008] [error] [client 10.192.120.192] user J23259: authentication failure for "/webhosting/": Password Mismatch
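
The byte mismatch described in the report, as an added example (not part of the original report, and not the attached patch or httpd's own code): a minimal ISO-8859-1 to UTF-8 conversion, plus a byte-wise comparison that stands in for the directory's check of the bind password. The function names, the 256-byte buffer and the sample password are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Convert ISO-8859-1 bytes to a NUL-terminated UTF-8 string.
 * Returns the number of bytes written (without the NUL),
 * or (size_t)-1 if the output buffer is too small. */
size_t latin1_to_utf8(const unsigned char *in, size_t in_len,
                      unsigned char *out, size_t out_cap)
{
    size_t o = 0;
    if (out_cap == 0) return (size_t)-1;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char b = in[i];
        if (b < 0x80) {                       /* ASCII: one byte, unchanged */
            if (o + 1 >= out_cap) return (size_t)-1;
            out[o++] = b;
        } else {                              /* 0x80..0xFF: two bytes */
            if (o + 2 >= out_cap) return (size_t)-1;
            out[o++] = (unsigned char)(0xC0 | (b >> 6));
            out[o++] = (unsigned char)(0x80 | (b & 0x3F));
        }
    }
    out[o] = '\0';
    return o;
}

/* Stand-in for the directory's comparison (assumption: it compares the
 * received bytes with a password stored as UTF-8). convert=0 forwards the
 * client's bytes untouched; convert=1 re-encodes them first. */
int bind_would_succeed(const char *client_pw, const char *stored_utf8, int convert)
{
    unsigned char buf[256];
    const unsigned char *sent = (const unsigned char *)client_pw;
    size_t n = strlen(client_pw);
    if (convert) {
        n = latin1_to_utf8(sent, n, buf, sizeof buf);
        if (n == (size_t)-1) return 0;        /* too long: reject, never truncate */
        sent = buf;
    }
    return n == strlen(stored_utf8) && memcmp(sent, stored_utf8, n) == 0;
}

int main(void)
{
    /* Constructed sample: "pa§s" as ISO-8859-1 from the client, UTF-8 in the directory. */
    printf("unconverted: %d\n", bind_would_succeed("pa\xA7s", "pa\xC2\xA7s", 0));
    printf("converted:   %d\n", bind_would_succeed("pa\xA7s", "pa\xC2\xA7s", 1));
    return 0;
}
```

Pure-ASCII passwords compare equal either way, which is why only users with non-ASCII characters in their password see the failure.
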
Comment 1 Eric Covener 2008-07-01 10:14:42 UTC
Out of curiosity, what client are you using and does it synch up with
the settings in /docs/conf/charset.conv ?
Comment 2 Johannes Müller 2008-07-01 12:12:29 UTC
(In reply to comment #1)
> Out of curiosity, what client are you using and does it synch up with
> the settings in /docs/conf/charset.conv ?
> 

We tried with Internet Explorer 6 and Mozilla Firefox.
The client always sends authentication data in ISO-8859-1.

What do you mean by "synch up with the settings"?
Comment 3 Brad Nicholes 2008-07-01 13:15:30 UTC
Just as a bit of background, when I added the support for UTF-8 user names, I didn't bother with converting the password as well because the Novell LDAP implementation couldn't handle UTF-8 passwords.  I'm not sure about other LDAP implementations but my assumption is that a UTF-8 password may not work everywhere.
Comment 4 Johannes Müller 2008-07-01 13:42:23 UTC
(In reply to comment #3)
> Just as a bit of background, when I added the support for UTF-8 user names, I
> didn't bother with converting the password as well because the Novell LDAP
> implementation couldn't handle UTF-8 passwords.  I'm not sure about other LDAP
> implementations but my assumption is that a UTF-8 password may not work
> everywhere.
> 

We use Novell eDirectory AFAIK.
Anyway, if an LDAP implementation cannot handle UTF-8 passwords it would be alright, because in this case you wouldn't have to convert anything, would you?
Comment 5 Stefan Fritsch 2010-01-24 13:53:27 UTC
fixed in trunk in r902654
Comment 6 Stefan Fritsch 2010-08-18 15:46:35 UTC
*** Bug 48017 has been marked as a duplicate of this bug. ***
Comment 7 Stefan Fritsch 2010-10-07 13:31:49 UTC
backported in r1005537, will be in 2.2.17
Comment 8 William A. Rowe Jr. 2010-10-07 13:33:07 UTC
Backported to 2.2.17