password quoting problem

I'm the phpwiki developer.

Our company uses a Sun LDAP DS, and so far > 1000 users can successfully log in to my php-4 app.

But from time to time I get login failures reported, which seem to be related to quoting of some special characters.

I've read in some LDAP protocol description that certain characters may not be transported verbatim and must be quoted, such as:

// LDAP allows all chars but *, (, ), \, NUL
// Quoting is done by \xx (two-digit hexcode). * <=> \2a
// Handling '?' is unspecified
$password = strtr($submitted_password,
                  array("*" => "\\2a",
                        "?" => "\\3f",
                        "(" => "\\28",
                        ")" => "\\29",
                        "\\" => "\\5c",
                        "\0" => "\\00"));

However this quoting will fail for some of my users with * in their password.

2 Questions:

Does the php layer in ldap_bind() already quote that for me?

Does the Sun DS not understand those \xx chars and should I use the verbatim chars instead?

By [ReiniUrbana] at [2007-11-27 11:35:16]
# 1

Hi,

There are several places in the LDAP standards where special characters need to be escaped, and they are not all escaped identically...

The first thing is that non-ASCII characters should be represented in UTF-8.

This is valid for all attribute values.

When LDAP entries are represented in LDIF (text format), non-ASCII and special characters cause the whole value to be base64-encoded.

Distinguished Names (see RFC 4514) do escape specific characters ('"', '+', ',', ';', '<', '>', or '\' among others) with a \.

LDAPv3 search filters do need to be escaped as well in their TEXTUAL forms.

(cn=\2a) means searching for cn values that are strings containing the single star '*' character.

So the code you are displaying here is for Filter escaping.

Passwords are treated by Directory Server as an octet string (per LDAPv3 specification).

However, because the Directory Server cannot know which character set is used on the user terminal that is typing the password, RFC 4511 (section 4.2) specifies that clients should transcode textual passwords to UTF-8.

<quote>
Textual passwords (consisting of a character sequence with a known character set and encoding) transferred to the server using the simple AuthenticationChoice SHALL be transferred as UTF-8 [RFC3629] encoded [Unicode]. Prior to transfer, clients SHOULD prepare text passwords as "query" strings by applying the SASLprep [RFC4013] profile of the stringprep [RFC3454] algorithm. Passwords consisting of other data (such as random octets) MUST NOT be altered. The determination of whether a password is textual is a local client matter.
</quote>

This must be consistent for ALL applications, otherwise some will still fail to authenticate the users.

Alternately, you can restrict the passwords to ascii characters (7 bits) for all users.

Regards,

Ludovic.

ludovicpa at 2007-7-29 17:01:52
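Putting the three cases from the answer above together in PHP, as an added example that is not code from the original thread or from phpwiki: RFC 4515 escaping for a value inside a search filter, RFC 4514 escaping for a value spliced into a DN, and the password handed to ldap_bind() as plain UTF-8 with no escaping at all. The host, base DN and the uid attribute are assumptions; the two escaping functions are written out by hand (they do what ldap_escape() does in PHP 5.6 and later) so the example also runs on older PHP.

```php
<?php
// Added example, not code from the original thread or from phpwiki.
// Escape user input only where the LDAP protocol asks for it, and send
// the password to ldap_bind() untouched. Host, base DN and the 'uid'
// attribute below are assumptions.

// RFC 4515 filter escaping. A value placed inside a search filter must
// have '\', '*', '(', ')' and NUL turned into \xx hex escapes, otherwise
// a user name such as "*" becomes a wildcard (LDAP injection). PHP >= 5.6
// offers ldap_escape($v, '', LDAP_ESCAPE_FILTER); this is the same logic.
function filter_escape($value)
{
    return strtr($value, array(
        "\\" => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ));
}

// RFC 4514 DN escaping, used when a value is spliced into a DN string
// ("uid=" . dn_escape($uid) . ",ou=People,..."). The escape set differs
// from the filter one: a backslash is put in front of the character.
function dn_escape($value)
{
    $value = strtr($value, array(
        "\\" => '\\\\',
        ','  => '\,',
        '+'  => '\+',
        '"'  => '\"',
        '<'  => '\<',
        '>'  => '\>',
        ';'  => '\;',
        "\0" => '\00',
    ));
    // A leading '#' or space and a trailing space must be escaped too.
    if ($value !== '' && ($value[0] === '#' || $value[0] === ' ')) {
        $value = '\\' . $value;
    }
    if ($value !== '' && substr($value, -1) === ' ') {
        $value = substr($value, 0, -1) . '\ ';
    }
    return $value;
}

// RFC 4511 section 4.2: a textual password is sent as UTF-8 and is never
// filter- or DN-escaped. If the login form posts in another charset,
// transcode once here, and do the same in every other application that
// binds against the directory. SASLprep is not applied in this example.
function password_for_bind($password, $form_charset = 'UTF-8')
{
    if (strtoupper($form_charset) === 'UTF-8') {
        return $password;
    }
    return iconv($form_charset, 'UTF-8', $password);
}

// Look up the user's entry with an escaped filter, then bind with the DN
// the server returned and the verbatim password.
function ldap_login($host, $base_dn, $uid, $password)
{
    // RFC 4513 section 5.1.2: a simple bind with a name and an empty
    // password is an *unauthenticated* bind, which some servers accept.
    // It must never count as a successful login.
    if ($password === '') {
        return false;
    }
    $ds = ldap_connect($host);
    if (!$ds) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($ds)) {                  // anonymous bind for the lookup
        ldap_close($ds);
        return false;
    }
    $filter  = '(uid=' . filter_escape($uid) . ')';
    $sr      = @ldap_search($ds, $base_dn, $filter, array('dn'));
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;
    if (!$entries || $entries['count'] != 1) { // must match exactly one entry
        ldap_close($ds);
        return false;
    }
    $ok = @ldap_bind($ds, $entries[0]['dn'], password_for_bind($password));
    ldap_close($ds);
    return (bool) $ok;
}

// Constructed checks (no directory needed) showing which transform applies.
assert(filter_escape('a*b(c)\\') === 'a\2ab\28c\29\5c');
assert(dn_escape(' Smith, John+') === '\ Smith\, John\+');
assert(password_for_bind('p*ss?w(rd)') === 'p*ss?w(rd)');  // left as-is
```

Two details worth keeping in mind: '?' does not need escaping in any of the three contexts, so the "\\3f" entry from the question is never required; and the empty-password check is not optional, because ldap_bind() with a DN and an empty password performs an unauthenticated bind rather than failing.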
# 2

Thanks.

I mixed up quoting attributes such as uid and cn with passwords.

Login works fine now for users using * or ? in their passwords.

ReiniUrbana at 2007-7-29 17:01:52