Re: Support for Base64 encoded values

So I’ve changed the “validnames” config option to a very liberal regex:

validnames /^.*$/i

(By the way if anyone can suggest an alternative to the default regex that
also takes into account unicode letters and numbers, it would be much

And now I can see the LDAP usernames with “getent passwd”.

Unfortunately I still cannot log in using samba, for example.

After a run with maximum log details I can see that the value stored in
LDAP is jos\00\e9 (i.e., the ISO-8859-1 equivalent e-acute single rune),
and that the client is sending jose\03\01 (i.e., letter e followed by an
acute accent).

Coincidentally, this is the very example that the golang guys use to
explain unicode normalization:

“There are often several ways to represent the same string. For example,
an é (e-acute) can be represented in a string as a single rune ("\u00e9")
or an 'e' followed by an acute accent ("e\u0301"). According to the
Unicode standard, these two are "canonically equivalent" and should be
treated as equal.

Using a byte-to-byte comparison to determine equality would clearly not
give the right result for these two strings. Unicode defines a set of
normal forms such that if two strings are canonically equivalent and are
normalized to the same normal form, their byte representations are the


In other words, it seems to me that there is a non unicode-compliant
string comparison going on somewhere in the authentication stack.

Does nss-pam-ldap perform any such comparisons internally?


On 13/06/17 03:29, "Arthur de Jong" wrote:

>On Mon, 2017-06-12 at 15:37 +0000, Ricardo Padilha wrote:
>> For example, instead of:
>> uid: josé
>> I need to provide:
>> uid:: am9zw6k=
>This is actually base64 encoding of a UTF-8 encoded string. The base64
>encoding should only be present in the LDIF file, the LDAP directory
>should store the raw UTF-8 string and this is also what nslcd should
>> Unfortunately, when I use "getent passwd" to check that my unicode
>> uids are in the system, I only get back the non-unicode ones.
>> Does nss-pam-ldap support base64 encoded fields? If so, how do I
>> configure it?
>I'm not sure if unix user names are supposed to contain non-ASCII-7
>characters. By default nslcd will do some extra validation of user
>names to filter out potentially problematic entries. You can configure
>this with the validnames option in nslcd.conf.
>The use of UTF-8 in the common name should be fine but I've never tried
>it with the username. This does mean that users will also have to log
>in with accented characters and I'm not sure all applications support
>Hope this helps,
>-- arthur
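
Added example, not part of the original thread and not nss-pam-ldapd code: it decodes the `uid:: am9zw6k=` value quoted above, shows that it differs byte-for-byte from the decomposed form the client sends, and shows that normalizing both sides to NFC makes them compare equal. The function names and the second LDIF line are hypothetical.

```python
import base64
import unicodedata

# Constructed sample LDIF lines; the base64 value is the one quoted in the thread.
SAMPLE_LDIF = ["uid:: am9zw6k=", "uid: alice"]


def parse_ldif_value(line):
    """Return (attribute, text) for one LDIF line; '::' marks a base64 value."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    if rest.startswith(":"):
        raw = base64.b64decode(rest[1:].strip(), validate=True)
    else:
        raw = rest.strip().encode("utf-8")
    return attr, raw.decode("utf-8")


def normal_forms(text):
    """List the Unicode normal forms the string is already in."""
    return [f for f in ("NFC", "NFD") if unicodedata.normalize(f, text) == text]


def same_user(stored, supplied):
    """Compare two names after normalizing both to NFC (canonical equivalence)."""
    nfc = lambda s: unicodedata.normalize("NFC", s)
    return nfc(stored) == nfc(supplied)


def find_user(ldif_lines, login):
    """Return the stored uid canonically equivalent to login, or None."""
    for line in ldif_lines:
        attr, value = parse_ldif_value(line)
        if attr == "uid" and same_user(value, login):
            return value
    return None


if __name__ == "__main__":
    stored = parse_ldif_value(SAMPLE_LDIF[0])[1]   # single rune U+00E9
    client = "jose\u0301"                          # 'e' + combining acute U+0301
    print(stored.encode("utf-8").hex(), normal_forms(stored))
    print(client.encode("utf-8").hex(), normal_forms(client))
    print("byte-equal:", stored == client)
    print("NFC-equal: ", same_user(stored, client))
```

NFC is used rather than NFKC because compatibility folding would also merge visually distinct names, which is a separate decision for an identifier namespace.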

