[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Debugging a user authentication

Hi Andrew,

Thanks for that explanation. I'm not 100% sure of which route to take. Now we're aware of the issue we can look for it in future.  Our password policy doesn't enforce special characters, but doesn't ban them either, so we may re-think this for the future.


-----Original Message-----
From: Andrew Findlay [mailto:andrew.findlay@skills-1st.co.uk] 
Sent: 17 November 2008 20:29
To: Adrian Marsh
Cc: openldap-technical@openldap.org
Subject: Re: Debugging a user authentication

On Fri, Nov 14, 2008 at 02:49:16PM -0000, Adrian Marsh wrote:

> I've diagnosed this issue. The user has a "£"  (UK Pound) in his password.
> Remove it and everything authenticates OK.

"£" is not a 7-bit character. You therefore run into problems with
character sets.

Almost everything in LDAP is defined to use UTF-8, but passwords have
always been Octet Strings (1) The effect of this is that passwords can
contain absolutely anything and it is the client system's problem to be
consistent about the character set.  That does not work in the general
case, as there are probably lots of client systems for each LDAP server
and they could all be using different character sets.

Thus your user's "£" character will translate into a different sequence
of bytes if the client is using UTF-8 from the sequence you would see
from an ISO-8859-1 client.

The only safe solution for most systems at the moment is to ban
non-ASCII (7-bit) characters in passwords :-(

(1): The latest LDAP spec introduced pwprep to solve this problem,
but hardly anything implements it yet. It will be many years before
you can depend on common LDAP clients doing itproperly.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |