RE: LDAP Authentication with Umlauts

[Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>]

On tor, 2008-07-03 at 12:39 +0200, enrico.hoyme@xxxxxxxxxxxxxxxx wrote:
> Hi,
> 
> I also had problems with umlauts. We use our Lotus Domino Server as LDAP 
> server and since an update from version 6.5 to 8, our users are unable to 
> authenticate via IE or Firefox if their password contains umlauts.
> We are running squid on BSD and Linux and on both system you are able to 
> authenticate using squid_ldap_auth on command line.
> I figured out that if you use the command line (set to utf-8) the utf-8 
> code will be send and if you try to use IE or Firefox the ASCII code will 
> be send.
> So I wrote a small work around by adding a new function 
> rfc1738_unescape_with_utf to squid_ldap_auth.c. The base content is the 
> original function rfc1738_unescape, but I added a switch statement to 
> change the character representation from ascii to utf-8 (see code for 
> german special chars below).

Can you try the attached patch instead? It tries to address the problem
in a generic manner.

Regards
Henrik

Index: helpers/basic_auth/LDAP/squid_ldap_auth.c
===================================================================
RCS file: /cvsroot/squid/squid/helpers/basic_auth/LDAP/squid_ldap_auth.c,v
retrieving revision 1.35
diff -u -p -r1.35 squid_ldap_auth.c
--- helpers/basic_auth/LDAP/squid_ldap_auth.c	27 Aug 2007 14:52:51 -0000	1.35
+++ helpers/basic_auth/LDAP/squid_ldap_auth.c	4 Jul 2008 08:29:16 -0000
@@ -608,24 +608,37 @@ static int
 ldap_escape_value(char *escaped, int size, const char *src)
 {
     int n = 0;
-    while (size > 4 && *src) {
-	switch (*src) {
+    unsigned char ch;
+    while (size > 1 && (ch = (unsigned char) *src++) != 0) {
+	switch (ch) {
 	case '*':
 	case '(':
 	case ')':
 	case '\\':
+	    if (size < 4)
+		break;
 	    n += 3;
 	    size -= 3;
 	    if (size > 0) {
-		*escaped++ = '\\';
-		snprintf(escaped, 3, "%02x", (unsigned char) *src++);
-		escaped += 2;
+		snprintf(escaped, 4, "\\%02x", ch);
+		escaped += 3;
 	    }
 	    break;
 	default:
-	    *escaped++ = *src++;
-	    n++;
-	    size--;
+	    if (ch < 0x80) {
+		*escaped++ = ch;
+		n++;
+		size--;
+	    } else {
+		if (size < 7)
+		    break;
+		snprintf(escaped, 7, "\\%02x\\%02x",
+		    (ch >> 6) | 0xc0,
+		    (ch & 0x3f) | 0x80);
+		escaped += 6;
+		n += 6;
+		size -= 6;
+	    }
 	}
     }
     *escaped = '\0';
@@ -656,7 +669,7 @@ checkLDAP(LDAP * persistent_ld, const ch
 	LDAPMessage *res = NULL;
 	LDAPMessage *entry;
 	char *searchattr[] =
-	{(char *)LDAP_NO_ATTRS, NULL};
+	{(char *) LDAP_NO_ATTRS, NULL};
 	char *userdn;
 	int rc;
 	LDAP *search_ld = persistent_ld;
Index: helpers/digest_auth/ldap/ldap_backend.c
===================================================================
RCS file: /cvsroot/squid/squid/helpers/digest_auth/ldap/ldap_backend.c,v
retrieving revision 1.6
diff -u -p -r1.6 ldap_backend.c
--- helpers/digest_auth/ldap/ldap_backend.c	13 Aug 2007 09:20:13 -0000	1.6
+++ helpers/digest_auth/ldap/ldap_backend.c	4 Jul 2008 08:29:16 -0000
@@ -160,24 +160,37 @@ static int
 ldap_escape_value(char *escaped, int size, const char *src)
 {
     int n = 0;
-    while (size > 4 && *src) {
-	switch (*src) {
+    unsigned char ch;
+    while (size > 1 && (ch = (unsigned char) *src++) != 0) {
+	switch (ch) {
 	case '*':
 	case '(':
 	case ')':
 	case '\\':
+	    if (size < 4)
+		break;
 	    n += 3;
 	    size -= 3;
 	    if (size > 0) {
-		*escaped++ = '\\';
-		snprintf(escaped, 3, "%02x", (int) *src++);
-		escaped += 2;
+		snprintf(escaped, 4, "\\%02x", ch);
+		escaped += 3;
 	    }
 	    break;
 	default:
-	    *escaped++ = *src++;
-	    n++;
-	    size--;
+	    if (ch < 0x80) {
+		*escaped++ = ch;
+		n++;
+		size--;
+	    } else {
+		if (size < 7)
+		    break;
+		snprintf(escaped, 7, "\\%02x\\%02x",
+		    (ch >> 6) | 0xc0,
+		    (ch & 0x3f) | 0x80);
+		escaped += 6;
+		n += 6;
+		size -= 6;
+	    }
 	}
     }
     *escaped = '\0';
Index: helpers/external_acl/ldap_group/squid_ldap_group.c
===================================================================
RCS file: /cvsroot/squid/squid/helpers/external_acl/ldap_group/squid_ldap_group.c,v
retrieving revision 1.16
diff -u -p -r1.16 squid_ldap_group.c
--- helpers/external_acl/ldap_group/squid_ldap_group.c	18 Mar 2008 02:44:56 -0000	1.16
+++ helpers/external_acl/ldap_group/squid_ldap_group.c	4 Jul 2008 08:29:16 -0000
@@ -608,24 +608,37 @@ static int
 ldap_escape_value(char *escaped, int size, const char *src)
 {
     int n = 0;
-    while (size > 4 && *src) {
-	switch (*src) {
+    unsigned char ch;
+    while (size > 1 && (ch = (unsigned char) *src++) != 0) {
+	switch (ch) {
 	case '*':
 	case '(':
 	case ')':
 	case '\\':
+	    if (size < 4)
+		break;
 	    n += 3;
 	    size -= 3;
 	    if (size > 0) {
-		*escaped++ = '\\';
-		snprintf(escaped, 3, "%02x", (unsigned char) *src++);
-		escaped += 2;
+		snprintf(escaped, 4, "\\%02x", ch);
+		escaped += 3;
 	    }
 	    break;
 	default:
-	    *escaped++ = *src++;
-	    n++;
-	    size--;
+	    if (ch < 0x80) {
+		*escaped++ = ch;
+		n++;
+		size--;
+	    } else {
+		if (size < 7)
+		    break;
+		snprintf(escaped, 7, "\\%02x\\%02x",
+		    (ch >> 6) | 0xc0,
+		    (ch & 0x3f) | 0x80);
+		escaped += 6;
+		n += 6;
+		size -= 6;
+	    }
 	}
     }
     *escaped = '\0';

Attachment: signature.asc
Description: This is a digitally signed message part