https://bugs.openldap.org/show_bug.cgi?id=9523
Issue ID: 9523
Summary: In OpenLDAP, the password length check counts accented characters (UTF-8) as two characters instead of one
Product: OpenLDAP
Version: 2.4.40
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: anand.b.krishnamohan@gmail.com
Target Milestone: ---

In OpenLDAP, the password length check counts accented characters (e.g. è, which has the UTF-8 encoding 0xC3 0xA8) as two characters instead of one. As a result, if users enter accented characters, they can create passwords that are shorter than the minimum length specified in the password policy.
We tested it directly in Apache Directory Studio and got the same result. Is this a bug, or is there any setting in LDAP which makes sure the encoding is happening in UTF-16?
Steps to reproduce:
1. Access the LDAP in Apache Directory Studio
2. Have the password policy to accept more than 8 characters
3. Try to update the password for a user to "àbcdefg" (7 characters)
Expected result: Fails with the error password length should be greater than 8
Actual result: It accepts the password
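
The difference the report describes, as an added example that is not part of the original report and is not OpenLDAP's code: a byte-based minimum-length check beside a code-point-based one, applied to the reported password "àbcdefg". The function names are hypothetical, and the minimum of 8 is an assumed policy value chosen to show the boundary.

```c
#include <stddef.h>
#include <string.h>

/* Count Unicode code points in a UTF-8 byte string.
 * Returns -1 if the input is not well-formed UTF-8. */
long utf8_codepoints(const unsigned char *s, size_t len)
{
    long count = 0;
    size_t i = 0, k, need;

    while (i < len) {
        unsigned char c = s[i];
        if (c < 0x80) need = 0;                         /* ASCII */
        else if (c >= 0xC2 && c <= 0xDF) need = 1;      /* 2-byte sequence */
        else if (c >= 0xE0 && c <= 0xEF) need = 2;      /* 3-byte sequence */
        else if (c >= 0xF0 && c <= 0xF4) need = 3;      /* 4-byte sequence */
        else return -1;         /* stray continuation or invalid lead byte */
        if (need > len - i - 1) return -1;              /* truncated sequence */
        for (k = 1; k <= need; k++)
            if ((s[i + k] & 0xC0) != 0x80) return -1;   /* not a continuation */
        /* Reject overlong forms, surrogates and values above U+10FFFF. */
        if (c == 0xE0 && s[i + 1] < 0xA0) return -1;
        if (c == 0xED && s[i + 1] > 0x9F) return -1;
        if (c == 0xF0 && s[i + 1] < 0x90) return -1;
        if (c == 0xF4 && s[i + 1] > 0x8F) return -1;
        i += need + 1;
        count++;
    }
    return count;
}

/* Byte-based check: the behaviour the report describes (hypothetical name). */
int min_length_ok_bytes(const char *pw, size_t min_len)
{
    return strlen(pw) >= min_len;
}

/* Code-point-based check: the behaviour the reporter expected (hypothetical name).
 * Malformed UTF-8 is rejected rather than counted. */
int min_length_ok_codepoints(const char *pw, size_t min_len)
{
    long n = utf8_codepoints((const unsigned char *)pw, strlen(pw));
    return n >= 0 && (size_t)n >= min_len;
}
```

Code points are still not user-perceived characters: "à" sent in decomposed form (a followed by U+0300) counts as two code points, so a check like this gives consistent results only on normalized input.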