Hi Andrew,
Thanks for that explanation. I'm not 100% sure of which route to take. Now we're aware of the issue we can look for it in future. Our password policy doesn't enforce special characters, but doesn't ban them either, so we may re-think this for the future.
Adrian
-----Original Message-----
From: Andrew Findlay [mailto:andrew.findlay@skills-1st.co.uk]
Sent: 17 November 2008 20:29
To: Adrian Marsh
Cc: openldap-technical@openldap.org
Subject: Re: Debugging a user authentication
On Fri, Nov 14, 2008 at 02:49:16PM -0000, Adrian Marsh wrote:
I've diagnosed this issue. The user has a "£" (UK Pound) in his password. Remove it and everything authenticates OK.
"£" is not a 7-bit character. You therefore run into problems with character sets.
Almost everything in LDAP is defined to use UTF-8, but passwords have always been Octet Strings (1). The effect of this is that passwords can contain absolutely anything and it is the client system's problem to be consistent about the character set. That does not work in the general case, as there are probably lots of client systems for each LDAP server and they could all be using different character sets.
Thus your user's "£" character will translate into a different sequence of bytes if the client is using UTF-8 from the sequence you would see from an ISO-8859-1 client.
The only safe solution for most systems at the moment is to ban non-ASCII (7-bit) characters in passwords :-(
(1): The latest LDAP spec introduced pwprep to solve this problem, but hardly anything implements it yet. It will be many years before you can depend on common LDAP clients doing it properly.
Andrew
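The following is an added worked example, not code from the thread or from OpenLDAP, illustrating Andrew's point at the byte level. It uses a constructed password containing "£", encodes it as both UTF-8 and ISO-8859-1, and stores it in OpenLDAP's {SSHA} userPassword format (base64 of SHA-1(secret + salt) followed by the salt) as a UTF-8 client would; a Latin-1 client then fails to verify the same password, while a 7-bit password verifies from both. The SSHA helper, the fixed salt and the sample password are assumptions for illustration; pwprep normalisation is deliberately not modelled.

```python
import base64
import hashlib
import os

# Constructed sample password containing U+00A3 (UK pound sign).
SAMPLE_PASSWORD = "pa£sword"


def encode_variants(password: str) -> dict:
    """Return the byte sequences a UTF-8 client and an ISO-8859-1 client
    would each send for the same Unicode password string."""
    return {
        "utf-8": password.encode("utf-8"),
        "iso-8859-1": password.encode("iso-8859-1"),
    }


def make_ssha(secret: bytes, salt: bytes = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value.

    Layout (as OpenLDAP stores it): base64( sha1(secret || salt) || salt ).
    The server hashes whatever octets the client sent; it never sees a
    character set, only bytes.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(secret + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, candidate: bytes) -> bool:
    """Verify candidate octets against a stored {SSHA} value."""
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(candidate + salt).digest() == digest


def is_7bit(password: str) -> bool:
    """The policy check Andrew suggests: reject anything outside 7-bit ASCII."""
    return all(ord(ch) < 128 for ch in password)


def verifies_across_charsets(password: str) -> bool:
    """Store the password as a UTF-8 client would, then try to bind with the
    octets an ISO-8859-1 client would send. True only when both encodings
    produce identical bytes, i.e. for pure 7-bit passwords."""
    variants = encode_variants(password)
    stored = make_ssha(variants["utf-8"], salt=b"\x01\x02\x03\x04")  # fixed salt for reproducibility
    return check_ssha(stored, variants["iso-8859-1"])


if __name__ == "__main__":
    for name, octets in encode_variants(SAMPLE_PASSWORD).items():
        print(f"{name:12s} {octets.hex()}")
    print("7-bit only:", is_7bit(SAMPLE_PASSWORD))
    print("UTF-8 store / Latin-1 bind succeeds:", verifies_across_charsets(SAMPLE_PASSWORD))
    print("Same test with 'password':", verifies_across_charsets("password"))
```

Running it shows "£" becoming `c2a3` under UTF-8 but `a3` under ISO-8859-1, so the server hashes different octets and the bind fails even though the user typed the same thing; with an all-ASCII password both encodings agree and the check passes, which is exactly why a 7-bit-only policy sidesteps the problem.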