Re: Bind Probs, slappaswd vs. LDAPAdmin Password value [Resolved]

[Michael Ströder <michael@stroeder.com>]

Max Merighi wrote:
> I got it figured out... you must not use special chars like '§' in
> userPassword! One day lost for stupid a thing like that.

Oh, yeah.

Again this is one of my favourites: userPassword is declared as OctetString 
and therefore has no specific character set/encoding defined for it.

> Apparently W32
> clients can use these chars in passwords only if hashed by themselves
> (i.e. LDAPAdmin),

Well, you could tell the author of LDAPAdmin that he/she should convert 
user's keyboard input to UTF-8 *before* calculating the SHA-1 hash. That's 
what I'm doing in web2ldap.

BTW: Every LDAP client should convert user's keyboard input to UTF-8 
*before* sending it to a LDAP server, e.g. in a BindRequest. Unfortunately 
there's nothing in the LDAPv3 standard telling you to do it. So every 
software can do any mess it wants and still be compliant to LDAPv3. I once 
tried to change that but didn't succeed (see ldap-bis mailing list archives 
for the discussion).

> since I'm a good boy and using
> /realy/ strong passwords. Moral of the story: Being a good boy doesn't
> always pay :-)

Don't give up! For what it's worth... ;-)

Ciao, Michael.