On Fri, Nov 14, 2008 at 02:49:16PM -0000, Adrian Marsh wrote:
> I've diagnosed this issue. The user has a "£" (UK Pound) in his password. Remove it and everything authenticates OK.
"£" is not a 7-bit character. You therefore run into problems with character sets.
Almost everything in LDAP is defined to use UTF-8, but passwords have always been Octet Strings (1). The effect of this is that passwords can contain absolutely anything and it is the client system's problem to be consistent about the character set. That does not work in the general case, as there are probably lots of client systems for each LDAP server and they could all be using different character sets.
Thus your user's "£" character will translate into a different sequence of bytes if the client is using UTF-8 from the sequence you would see from an ISO-8859-1 client.
The only safe solution for most systems at the moment is to ban non-ASCII (7-bit) characters in passwords :-(
(1): The latest LDAP spec introduced pwprep to solve this problem, but hardly anything implements it yet. It will be many years before you can depend on common LDAP clients doing it properly.
Andrew
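To make the octet-string problem in the thread concrete, here is an added Python illustration (not code from the thread or from any LDAP implementation). It assumes the directory stores the password as an OpenLDAP-style {SSHA} value computed from the bytes the administrator's UTF-8 client sent, and then shows that the same password typed on an ISO-8859-1 client produces different octets and fails the compare; the last function is the pragmatic 7-bit policy check the reply recommends.

```python
import base64
import hashlib
import os

# Constructed sample password containing the non-ASCII "£" character
PASSWORD = "secret\u00a32008"


def encode_password(password: str, charset: str) -> bytes:
    """Octets an LDAP client would place in the BIND request for a given charset."""
    return password.encode(charset)


def make_ssha(password_bytes: bytes, salt: bytes = None) -> str:
    """Build an {SSHA} userPassword value over the given octet string (assumed scheme)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password_bytes + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, candidate_bytes: bytes) -> bool:
    """Server-side compare: hash the candidate octets with the stored salt."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate_bytes + salt).digest() == digest


def has_non_ascii(password: str) -> bool:
    """Policy check from the reply: reject any character outside 7-bit ASCII."""
    return any(ord(ch) > 0x7F for ch in password)


def demo() -> dict:
    utf8 = encode_password(PASSWORD, "utf-8")           # "£" -> C2 A3
    latin1 = encode_password(PASSWORD, "iso-8859-1")    # "£" -> A3
    stored = make_ssha(utf8)  # password was set from a UTF-8 client
    return {
        "utf8_bytes": utf8,
        "latin1_bytes": latin1,
        "utf8_client_ok": check_ssha(stored, utf8),       # True
        "latin1_client_ok": check_ssha(stored, latin1),   # False: different octets
        "policy_rejects": has_non_ascii(PASSWORD),        # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```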