[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: userPassword and non-ASCII characters

To: Peter Marschall <peter@adpm.de>
Subject: Re: userPassword and non-ASCII characters
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 21 May 2003 18:05:59 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <200305211529.38993.peter@adpm.de>

If the application knows the password is textual, it should
1) trancode the string to Unicode, 2) prepare the string for
matching (by the octetStringMatch rule), 3) and encode using
UTF-8.  To prepare the string, minimally normalize the
string to Form KC.   Presently, the IETF is considering
recommending that the SASLprep algorithm here.  See
draft-ietf-sasl-saslprep-xx.txt for details (available
at http://www.ietf.org/).

Kurt

At 06:29 AM 5/21/2003, Peter Marschall wrote:
>Hi,
>
>How should I encoded strings containing non-ASCII characters
>that I want to store in the userPassword attribute.
>I have searched the RFCs but I have not found whether I have 
>to encode the value in UTF-8 before stroing it in the value or not.
>
>If I do not encode it in UTF-8 I may end up with another password 
>when sitting on a keyboard with another locale.
>If I do, does it conform to the octetString syntax ?
>
>Or shall I store / request it using the ;binary option ?
>
>
>Speaking of the ;binary option:
>RFC2251 states:
>
>4.3.1  Binary Transfer of Values
>
>   This encoding format is used if the binary encoding is requested by
>   the client for an attribute, or if the attribute syntax name is
>   "1.3.6.1.4.1.1466.115.121.1.5".  The contents of the LDAP
>   AttributeValue or AssertionValue field is a BER-encoded instance of
>   the attribute value or a matching rule assertion value ASN.1 data
>   type as defined for use with X.500. (The first byte inside the OCTET
>   STRING wrapper is a tag octet.  However, the OCTET STRING is still
>   encoded in primitive form.)
>
>   All servers MUST implement this form for both generating attribute
>   values in search responses, and parsing attribute values in add,
>   compare and modify requests, if the attribute type is recognized and
>   the attribute syntax name is that of Binary.  Clients which request
>   that all attributes be returned from entries MUST be prepared to
>   receive values in binary (e.g. userCertificate;binary), and SHOULD
>   NOT simply display binary or unrecognized values to users.
>
>Does this mean I am free to store and request any attribute either in
>its normal form or in binary and the server has to give it to me the
>way I want it ?
>
>Does that mean that the server has to UTF8-decode regular strings
>when binary transfer was requested ?
>
>Does OpenLDAP support it ? 
>My tests with ldapsearch indicate it doesn't, but maybe I misunderstood it.
>
>Peter
>-- 
>Peter Marschall
>eMail: peter@adpm.de

Follow-Ups:
- Re: userPassword and non-ASCII characters
  - From: Peter Marschall <peter@adpm.de>

References:
- userPassword and non-ASCII characters
  - From: Peter Marschall <peter@adpm.de>

Prev by Date: Re: LDAPSubentry
Next by Date: Re: LDAP Queries
Index(es):
- Chronological
- Thread