LDAP logins with non us-ascii characters in passwords fail


on 26.03.2010 17:23:43 by Chris Franks

Hi,

We're experiencing problems authenticating users with complex characters (8 bit character outside the us-ascii set e.g. pound-sterling symbol) in their password.

We're running Apache 2.2.3 on UNIX and, for Kerberos, running kinit from the command line authenticates users correctly (including users with complex characters in their password). Through Apache though using Kerberos or LDAP, we're getting login failures only for this subset of users. For LDAP authentication, mod_authz_ldap logs:

[Fri Mar 26 14:24:33 2010] [error] [client 128.240.56.105] [10639] bind as CN=user,OU=Users,DC=ncl,DC=ac,DC=uk failed: 49
[Fri Mar 26 14:24:33 2010] [error] [client 128.240.56.105] [10639] basic LDAP authentication of user 'user' failed

This would suggest that some translation of the password between the basic-auth and the LDAP server is not working. Because we can use kinit successfully on the command line for Kerberos I'm pretty much ruling out the operating system (CENTOS) and was wondering if anyone has any experience of this kind of problem with Apache?

Our LDAP servers are Windows Active Directory, a mix of Windows 2003 and 2008 Server. The web servers are running CENTOS Linux with an off-the-shelf CENTOS Apache and mod_authz_ldap.

Is anyone experiencing similar problems?

Thanks,

Chris
Newcastle University

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: LDAP logins with non us-ascii characters in

on 26.03.2010 17:29:44 by Eric Covener

On Fri, Mar 26, 2010 at 12:23 PM, Chris Franks wrote:
> Hi,
>
> We're experiencing problems authenticating users with complex characters (8 bit character outside the us-ascii set e.g. pound-sterling symbol) in their password.
>
> We're running Apache 2.2.3 on UNIX and, for Kerberos, running kinit from the command line authenticates users correctly (including users with complex characters in their password). Through Apache though using Kerberos or LDAP, we're getting login failures only for this subset of users. For LDAP authentication, mod_authz_ldap logs:
>
> [Fri Mar 26 14:24:33 2010] [error] [client 128.240.56.105] [10639] bind as CN=user,OU=Users,DC=ncl,DC=ac,DC=uk failed: 49
> [Fri Mar 26 14:24:33 2010] [error] [client 128.240.56.105] [10639] basic LDAP authentication of user 'user' failed
>
> This would suggest that some translation of the password between the basic-auth and the LDAP server is not working. Because we can use kinit successfully on the command line for Kerberos I'm pretty much ruling out the operating system (CENTOS) and was wondering if anyone has any experience of this kind of problem with Apache?

mod_authnz_ldap has some code that allows Apache to try to guess what
non-utf8 charset the username or password (development branch only I
believe) might have been transmitted in. See
https://issues.apache.org/bugzilla/show_bug.cgi?id=45318 or
http://httpd.apache.org/docs/2.1/mod/mod_authnz_ldap.html#authldapcharsetconfig


--
Eric Covener
covener@gmail.com
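
As an added illustration of the charset mismatch discussed in this thread (not code from Apache or from either poster): the sketch below decodes a Basic Authorization header, checks whether the credential bytes are valid UTF-8, and otherwise transcodes them from an assumed fallback charset before they would be handed to an LDAP simple bind. The function names, the ISO-8859-1 fallback and the sample password "pa£ss" are assumptions constructed for the example.

```python
import base64


def make_basic_header(user, password, charset):
    """Build the header value a client would send if it encoded in `charset`."""
    token = base64.b64encode(f"{user}:{password}".encode(charset))
    return "Basic " + token.decode("ascii")


def basic_credentials_as_utf8(header_value, fallback_charset="iso-8859-1"):
    """Return (user, password_utf8_bytes, charset_used) for a Basic header.

    The bytes inside the base64 token carry no charset label, so this is a
    heuristic: valid UTF-8 is taken as UTF-8, anything else is assumed to be
    `fallback_charset` (hypothetical default) and re-encoded as UTF-8.
    Caveat: some Latin-1 byte pairs are also valid UTF-8 and will be
    interpreted as UTF-8.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(token.strip(), validate=True)
    try:
        text, charset = raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        text, charset = raw.decode(fallback_charset), fallback_charset
    # The user id cannot contain ':', so split on the first one only.
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("credentials lack the ':' separator")
    return user, password.encode("utf-8"), charset


if __name__ == "__main__":
    # Constructed sample: same password, two client encodings.
    for client_charset in ("iso-8859-1", "utf-8"):
        header = make_basic_header("user", "pa\u00a3ss", client_charset)
        raw = base64.b64decode(header.split(" ", 1)[1])
        user, pw_utf8, used = basic_credentials_as_utf8(header)
        # Latin-1 sends 0xA3 for the pound sign, UTF-8 sends 0xC2 0xA3.
        # Passing the Latin-1 bytes through unchanged gives the directory a
        # different byte string than the stored password.
        print(f"client={client_charset:10s} wire={raw!r} "
              f"detected={used:10s} bind_password={pw_utf8!r}")
```

Both runs end with the same UTF-8 password bytes, which is the condition under which the bind for the non-ASCII password can match.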
