On Tue, Nov 18, 2008 at 02:57:16PM +0100, Hallvard B Furuseth wrote:
> Andrew Findlay writes:
>> (1): The latest LDAP spec introduced pwprep to solve this problem,

I meant SASLprep - RFC4013

>> but hardly anything implements it yet. It will be many years before you can depend on common LDAP clients doing it properly.
>
> It's not just a client-side issue. Most sites store a password hash in their server rather than the cleartext password. That means the client needs to encode the password with the same character encoding and preparation as whatever hashed the server-side password. (E.g. the

Ideally password hashing should always be done by the server to avoid risks like that. It is not always possible though :-(

> /etc/passwd program.) Or the server needs to prepare cleartext passwords it receives from the client the same way, but it's likely a bad idea for the server to e.g. assume client passwords are latin-1 and convert to UTF-8.

A very bad idea indeed! The server has no way to know what character set the client is using. That is why SASLprep has to be applied at the client end.
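To make the encoding and preparation problem concrete, here is an added example (not part of the thread and not code from any LDAP implementation). It applies a deliberately simplified subset of SASLprep (the RFC 4013 mappings of non-ASCII spaces to SPACE and of "commonly mapped to nothing" characters to nothing, NFKC normalization, and a prohibition on control characters; the bidi rules and the full prohibited-character tables are omitted) and then hashes the result. The passwords, the choice of SHA-256, and the function names are assumptions for illustration. It shows two of the failure modes discussed above: the same visible password hashed from a latin-1 byte string and from a UTF-8 byte string yields different digests, and a precomposed versus a decomposed accented letter yields different digests unless both sides prepare the string first.

```python
import hashlib
import unicodedata

# Subset of RFC 3454 table C.1.2 (non-ASCII space characters), which
# RFC 4013 maps to U+0020 SPACE. Illustrative, not the complete table.
NON_ASCII_SPACES = {
    "\u00a0", "\u1680", "\u2000", "\u2001", "\u2002", "\u2003", "\u2004",
    "\u2005", "\u2006", "\u2007", "\u2008", "\u2009", "\u200a",
    "\u202f", "\u205f", "\u3000",
}

# Subset of RFC 3454 table B.1 ("commonly mapped to nothing"), which
# RFC 4013 deletes. Illustrative, not the complete table.
MAP_TO_NOTHING = {"\u00ad", "\u034f", "\u200c", "\u200d", "\u2060", "\ufeff"}


def prepare(password: str) -> str:
    """Simplified SASLprep: map, NFKC-normalize, reject control characters.

    This is an educational approximation of RFC 4013, not a conforming
    implementation (bidi checks and most prohibited tables are left out).
    """
    mapped = []
    for ch in password:
        if ch in MAP_TO_NOTHING:
            continue                      # deleted by the mapping step
        mapped.append(" " if ch in NON_ASCII_SPACES else ch)
    prepared = unicodedata.normalize("NFKC", "".join(mapped))
    for ch in prepared:
        # RFC 4013 section 2.3 prohibits ASCII and non-ASCII control characters.
        if unicodedata.category(ch) == "Cc":
            raise ValueError("password contains a prohibited control character")
    return prepared


def hash_password(password: str, encoding: str, prep: bool) -> str:
    """Hash a password after optional preparation and a chosen byte encoding.

    SHA-256 is used only so the digests are easy to compare; a real
    password store would use a salted, slow hash.
    """
    text = prepare(password) if prep else password
    return hashlib.sha256(text.encode(encoding)).hexdigest()


def same_credential(stored: str, offered: str, enc_stored: str, enc_offered: str,
                    prep: bool) -> bool:
    """True when the server's stored hash matches what the client would send."""
    return (hash_password(stored, enc_stored, prep)
            == hash_password(offered, enc_offered, prep))


if __name__ == "__main__":
    # Constructed sample: the same password seen by a latin-1 client and a UTF-8 client.
    pw = "p\u00e4ssword"
    print("latin-1 vs utf-8 bytes agree:",
          same_credential(pw, pw, "latin-1", "utf-8", prep=False))        # False
    # Constructed sample: precomposed ä versus a + combining diaeresis.
    decomposed = "pa\u0308ssword"
    print("NFC vs NFD agree without prep:",
          same_credential(pw, decomposed, "utf-8", "utf-8", prep=False))  # False
    print("NFC vs NFD agree with prep:",
          same_credential(pw, decomposed, "utf-8", "utf-8", prep=True))   # True
    print("NBSP mapped to space:", repr(prepare("pass\u00a0word")))
```

The preparation step only helps if it is applied at the same point, and to the same Unicode text, as when the stored hash was created; once the server only holds bytes from an unknown encoding, as the thread notes, there is nothing it can correctly normalize.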