Re: Support for Base64 encoded values
- From: Ricardo Padilha <rpadilha [at] drobo.com>
- To: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: Support for Base64 encoded values
- Date: Thu, 15 Jun 2017 17:22:38 +0000
So I’ve changed the “validnames” config option to a very liberal regex:
validnames /^.*$/i
(By the way if anyone can suggest an alternative to the default regex that
also takes into account unicode letters and numbers, it would be much
appreciated.)
And now I can see the LDAP usernames with “getent passwd”.
Unfortunately I still cannot log in using samba, for example.
After a run with maximum log details I can see that the value stored in
LDAP is jos\00\e9 (i.e., the ISO-8859-1 equivalent e-acute single rune),
and that the client is sending jose\03\01 (i.e., letter e followed by an
acute accent).
Coincidentally, this is the very example that the golang guys use to
explain unicode normalization:
“There are often several ways to represent the same string. For example,
an é (e-acute) can be represented in a string as a single rune ("\u00e9")
or an 'e' followed by an acute accent ("e\u0301"). According to the
Unicode standard, these two are "canonically equivalent" and should be
treated as equal.
Using a byte-to-byte comparison to determine equality would clearly not
give the right result for these two strings. Unicode defines a set of
normal forms such that if two strings are canonically equivalent and are
normalized to the same normal form, their byte representations are the
same.”
Source: https://blog.golang.org/normalization
In other words, it seems to me that there is a non-Unicode-compliant
string comparison going on somewhere in the authentication stack.
Does nss-pam-ldap perform any such comparisons internally?
Cheers,
Ricardo
On 13/06/17 03:29, "Arthur de Jong" <arthur@arthurdejong.org> wrote:
>On Mon, 2017-06-12 at 15:37 +0000, Ricardo Padilha wrote:
>> For example, instead of:
>>
>> uid: josé
>>
>> I need to provide:
>>
>> uid:: am9zw6k=
>
>This is actually base64 encoding of a UTF-8 encoded string. The base64
>encoding should only be present in the LDIF file, the LDAP directory
>should store the raw UTF-8 string and this is also what nslcd should
>receive.
>
>> Unfortunately, when I use "getent passwd" to check that my unicode
>> uids are in the system, I only get back the non-unicode ones.
>>
>> Does nss-pam-ldap support base64 encoded fields? If so, how do I
>> configure it?
>
>I'm not sure if unix user names are supposed to contain non-ASCII-7
>characters. By default nslcd will do some extra validation of user
>names to filter out potentially problematic entries. You can configure
>this with the validnames option in nslcd.conf.
>
>The use of UTF-8 in the common name should be fine but I've never tried
>it with the username. This does mean that users will also have to log
>in with accented characters and I'm not sure all applications support
>that.
>
>Hope this helps,
>
>--
>-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
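A worked illustration of the two points raised in this thread (Arthur's note that "uid:: am9zw6k=" is just base64 of the UTF-8 string, and the precomposed-vs-combining mismatch Ricardo saw in the logs), added here as example code that is not part of nss-pam-ldapd: it decodes the LDIF line, shows the differing UTF-8 bytes of the two forms of é, and compares names with and without NFC normalization. The LDIF lines and the client-supplied name are constructed for the example.

```python
import base64
import unicodedata

# Constructed LDIF attribute lines: a plain value and a base64 ("::") value.
LDIF_LINES = [
    "uid: jose",
    "uid:: am9zw6k=",
]


def parse_ldif_attr(line: str) -> tuple:
    """Split one LDIF attribute line into (name, value).

    'attr:: b64' carries base64 of the UTF-8 bytes; the directory stores the
    decoded UTF-8 string, which is what a client such as nslcd receives.
    """
    if ":: " in line:
        name, b64 = line.split(":: ", 1)
        return name, base64.b64decode(b64).decode("utf-8")
    name, value = line.split(": ", 1)
    return name, value


def utf8_hex(s: str) -> str:
    """Hex dump of the UTF-8 encoding, to show why a byte compare fails."""
    return s.encode("utf-8").hex(" ")


def names_equal(a: str, b: str, normalize: bool = True) -> bool:
    """Compare two names; with normalize=True both sides go through NFC first,
    so U+00E9 and 'e' + U+0301 (canonically equivalent) compare equal."""
    if normalize:
        a = unicodedata.normalize("NFC", a)
        b = unicodedata.normalize("NFC", b)
    return a == b


def lookup(client_name: str, ldif_lines: list, normalize: bool = True):
    """Return the stored uid matching what the client sent, or None."""
    for line in ldif_lines:
        attr, value = parse_ldif_attr(line)
        if attr == "uid" and names_equal(value, client_name, normalize):
            return value
    return None


if __name__ == "__main__":
    sent = "jose\u0301"  # constructed: 'e' followed by combining acute accent
    stored = parse_ldif_attr("uid:: am9zw6k=")[1]
    print(utf8_hex(stored), "vs", utf8_hex(sent))  # c3 a9 vs 65 cc 81
    print("bytewise:", lookup(sent, LDIF_LINES, normalize=False))
    print("NFC:     ", lookup(sent, LDIF_LINES))
```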