tof06 n00b

Joined: 20 Apr 2007 Posts: 7 Location: Sophia Antipolis, France
Posted: Fri Apr 20, 2007 7:31 am Post subject: Apache2 / mod_ldap / Active Directory
Hello,
I am trying to set up a reverse authenticated proxy for an internal site of my company.
The authentication is done against a Microsoft Active Directory (on Win 2K3).
Everything works almost fine, but I'm running into a problem when users have localized chars (e.g. French accented letters) in their password. They are rejected with an invalid password.
When I try to bind to LDAP with such a user using the ldapsearch command, if the password is UTF-8 encoded, it's OK; if not, the password is rejected.
How can I tell apache to use UTF-8 when doing authentication, or to convert the username/password to UTF-8 before binding to LDAP?
I tried to set AddDefaultCharset to utf-8, but that doesn't help.
Thanks for any help you can provide. I've googled for 3 days without finding anything equivalent.
System info:
Code:
Portage 2.1.2-r8 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.16-gentoo-r9 i686)
=================================================================
System uname: 2.6.16-gentoo-r9 i686 Pentium III (Coppermine)
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 28 Mar 2007 01:47:01 +0000
dev-lang/python: 2.3.6, 2.4.4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.18.1
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.23b
virtual/os-headers: 2.6.20
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.tiscali.nl/ http://gentoo.inode.at/ http://mirror.ovh.net/gentoo-distfiles/ http://mirror.switch.ch/ftp/mirror/gentoo/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/"
LINGUAS="fr en"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.be.gentoo.org/gentoo-portage"
USE="acl acpi alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt dbus dri dvd dvdr eds emboss esd fam firefox fortran gdbm gif gpm gstreamer hal iconv ipv6 isdnlog jpeg kerberos ldap libg++ mad midi mikmod mp3 mpeg ncurses nls nptl nptlonly ntpl ogg oss pam pcre perl png ppds pppd python qt3 qt4 quotas readline reflection samba session spell spl ssl tcpd truetype truetype-fonts type1-fonts unicode vorbis win32codecs winbind x86 xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="fr en" USERLAND="GNU" VIDEO_CARDS="apm ark ati chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mga neomagic nsc nv rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Apache version :
Code:
net-www/apache-2.0.59-r2 USE="apache2 ldap ssl -debug -doc -mpm-itk -mpm-leader -mpm-peruser -mpm-prefork -mpm-threadpool -mpm-worker (-selinux) -static-modules -threads"
n3bul4 Apprentice


Joined: 04 Nov 2003 Posts: 187
Posted: Fri Apr 20, 2007 10:18 am Post subject:
Hmmm, have you followed this guide to enable UTF-8 support on your box?
http://www.gentoo.org/doc/en/utf-8.xml
Post your locales.......
When did you set the unicode use flag variable?
Before emerging apache or after it?
Have you tried to do a
tof06 n00b

Joined: 20 Apr 2007 Posts: 7 Location: Sophia Antipolis, France
Posted: Fri Apr 20, 2007 11:47 am Post subject:
Thanks for your answer.
The unicode use flag was set when installing the server. So apache, ldap, and every package were built with this flag on.
Here's some information about locales:
Code:
milan ~ # locale -a
C
en_US
en_US.utf8
fr_FR
fr_FR@euro
fr_FR.utf8
POSIX
milan ~ # locale
LANG=fr_FR.UTF-8
LC_CTYPE="fr_FR.UTF-8"
LC_NUMERIC="fr_FR.UTF-8"
LC_TIME="fr_FR.UTF-8"
LC_COLLATE="fr_FR.UTF-8"
LC_MONETARY="fr_FR.UTF-8"
LC_MESSAGES="fr_FR.UTF-8"
LC_PAPER="fr_FR.UTF-8"
LC_NAME="fr_FR.UTF-8"
LC_ADDRESS="fr_FR.UTF-8"
LC_TELEPHONE="fr_FR.UTF-8"
LC_MEASUREMENT="fr_FR.UTF-8"
LC_IDENTIFICATION="fr_FR.UTF-8"
LC_ALL=
milan ~ # cat /etc/env.d/02locale
LANG="fr_FR.UTF-8"
I also tried, on another server with almost the same config, to authenticate against OpenLDAP.
I got the same problem with accents in the password.
When I wget -S on the proxy, I get a "Content-Type: text/html; charset=iso8859-1" header. Wouldn't that be the problem?
Code:
HTTP/1.1 401 Authorization Required
Date: Fri, 20 Apr 2007 11:45:33 GMT
WWW-Authenticate: Basic realm="Intranet Ceram"
Content-Length: 475
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso8859-1
Thanks
n3bul4 Apprentice


Joined: 04 Nov 2003 Posts: 187
Posted: Fri Apr 20, 2007 12:09 pm Post subject:
Hmm I see....
I googled a bit around and found the following:
libapache-mod-encoding
Apache module for non-ascii filename interoperability
This module improves non-ascii filename interoperability of apache (and mod_dav).
It seems many WebDAV clients send filename in its platform-local encoding. But since mod_dav expects everything, even HTTP request line, to be in UTF-8, this causes an interoperability problem.
I believe this is a future issue for specification (RFC?) to standardize encoding used in HTTP request-line and HTTP header, but life would be much easier if mod_dav (and others) can handle various encodings sent by clients, TODAY. This module does just that.
I don't know if this will solve your problem, but you told me that apache is expecting the username to be utf-8 encoded..... maybe therefore this will work...... but I am absolutely not sure.
I also don't know what the apache module is called under gentoo (libapache-mod-encoding is debian / ubuntu)...
It would be interesting to sniff a correct and an incorrect authentication as well, I think.
Maybe then we could see the problem.....
tof06 n00b

Joined: 20 Apr 2007 Posts: 7 Location: Sophia Antipolis, France
Posted: Fri Apr 20, 2007 2:17 pm Post subject:
I didn't find anything about mod_encoding on gentoo. There used to be an ebuild in portage, but it has been removed.
I tried to compile it from source, but I got some errors...
BTW, I tried to sniff LDAP packets. I can't sniff HTTP packets, because it's https.
When I do a ldapsearch -D "mybinddn" -W, the password, which is éric@1234 for testing, is encoded like this:
0x00a0: 433d 6672 800a c3a9 7269 6340 3132 3334 C=fr....ric@1234
(C=fr is the end of the Bind DN...)
When I try to authenticate with apache (which doesn't work), here is the same portion of code:
0x00a0: 433d 6672 8009 e972 6963 4031 3233 34 C=fr...ric@1234
There's one byte less in the second form. I'm not an expert on network analysis, but I think the first differing code (09 or 0a) represents the length of the string (10 bytes for the working one, 9 for the second). E9 is the ISO code for é, and, I believe, C3A9 the UTF-8 code??
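The two capture lines in the post above decode as follows. This is an added example in Python, not code from the thread, from Apache or from mod_ldap: it parses the quoted hex dumps using the BER layout of an LDAP simple bind (RFC 4511: the "simple" authentication choice is context tag 0x80, one short-form length octet, then the password octets), confirms that the 0x0a/0x09 byte is that BER length and that the 9-byte form is ISO-8859-1 which a directory expecting UTF-8 cannot decode, and then shows the ISO-8859-1 to UTF-8 transcoding of Basic-auth credentials that the proxy would have to perform before binding. `CONSTRUCTED_HEADER`, the user name `eric` and all function names are assumptions made up for the example; the capture bytes are the ones quoted in the thread.

```python
# Added example (not from the forum post, Apache or mod_ldap): decode the two
# LDAP capture fragments quoted in the thread and show the ISO-8859-1 -> UTF-8
# transcoding a proxy needs before binding. BER framing per RFC 4511: the
# "simple" authentication choice is tag 0x80, a length octet, then the password.
import base64
from itertools import takewhile

# The two capture fragments exactly as quoted in the thread.
WORKING_CAPTURE = "0x00a0: 433d 6672 800a c3a9 7269 6340 3132 3334 C=fr....ric@1234"
FAILING_CAPTURE = "0x00a0: 433d 6672 8009 e972 6963 4031 3233 34 C=fr...ric@1234"

SIMPLE_AUTH_TAG = 0x80  # [0] IMPLICIT OCTET STRING in BindRequest.authentication


def capture_to_bytes(line: str) -> bytes:
    """Turn a tcpdump-style hex line into bytes, skipping the offset and ASCII columns.
    Assumes the ASCII column contains at least one non-hex character (true here)."""
    body = line.split(":", 1)[1].split()
    hex_groups = takewhile(lambda g: all(c in "0123456789abcdef" for c in g.lower()), body)
    return bytes.fromhex("".join(hex_groups))


def parse_simple_auth(data: bytes):
    """Locate the simple-auth element and return (declared length, password octets).
    Only the short-form length (< 128) is handled, which covers any sane password."""
    start = data.index(bytes([SIMPLE_AUTH_TAG]))  # assumption: first 0x80 is the tag
    length = data[start + 1]
    if length >= 0x80:
        raise ValueError("long-form BER length not handled in this example")
    value = data[start + 2:start + 2 + length]
    if len(value) != length:
        raise ValueError("capture truncated before the end of the password")
    return length, value


def analyze(line: str) -> dict:
    """Report the declared length and how the password octets decode under each charset."""
    length, pw = parse_simple_auth(capture_to_bytes(line))
    try:
        as_utf8 = pw.decode("utf-8")
    except UnicodeDecodeError:
        as_utf8 = None  # what the directory sees: not valid UTF-8, so the bind fails
    return {"length": length, "utf8": as_utf8, "latin1": pw.decode("iso-8859-1")}


def encode_simple_auth(password: bytes) -> bytes:
    """BER-encode the simple-auth element (tag, short-form length, value)."""
    if len(password) >= 0x80:
        raise ValueError("long-form BER length not handled in this example")
    return bytes([SIMPLE_AUTH_TAG, len(password)]) + password


def basic_header_to_bind_password(authorization: str) -> bytes:
    """Take an HTTP Basic Authorization value whose credentials the browser sent as
    ISO-8859-1 bytes (as the failing capture indicates) and return UTF-8 octets."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(b64)
    _user, _, password = raw.partition(b":")
    return password.decode("iso-8859-1").encode("utf-8")


# Constructed header (assumption, not from the thread): what a browser sending
# ISO-8859-1 would put on the wire for user "eric" with password "éric@1234".
CONSTRUCTED_HEADER = "Basic " + base64.b64encode(
    b"eric:" + "\u00e9ric@1234".encode("iso-8859-1")).decode("ascii")

if __name__ == "__main__":
    for name, cap in (("working", WORKING_CAPTURE), ("failing", FAILING_CAPTURE)):
        print(name, analyze(cap))
    fixed = encode_simple_auth(basic_header_to_bind_password(CONSTRUCTED_HEADER))
    print("transcoded bind element:", fixed.hex())
```

Running the block prints the analysis of both captures and the transcoded bind element, which is byte-for-byte the tail of the working ldapsearch capture. The same `analyze` check is a cheap test-harness guard for a proxy: any outgoing bind whose password octets are not valid UTF-8 will be rejected by the directory, so it can be flagged before a user is locked out.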
n3bul4 Apprentice


Joined: 04 Nov 2003 Posts: 187
tof06 n00b

Joined: 20 Apr 2007 Posts: 7 Location: Sophia Antipolis, France
Posted: Mon Apr 23, 2007 8:50 am Post subject:
Hello,
Thanks for your answers...
I installed apache 2.2, but there's no difference. The password is still ISO encoded.
I sent a mail to the apache users' mailing list about this... But I can't imagine this is a bug. I'm not the only guy who tries to authenticate users against AD and whose users have special chars in their password.
I hope someone can help me...
Thanks again.
n3bul4 Apprentice


Joined: 04 Nov 2003 Posts: 187
Posted: Wed Apr 25, 2007 9:15 am Post subject:
Hmm yes, you are right.....
Maybe there is a trick to do it......
Sorry, but I am out of ideas.......
n3bul4 Apprentice


Joined: 04 Nov 2003 Posts: 187
Posted: Mon Apr 30, 2007 4:07 pm Post subject:
Hiho!
Did you find a way to do it?
Regards....
tof06 n00b

Joined: 20 Apr 2007 Posts: 7 Location: Sophia Antipolis, France
Posted: Mon Apr 30, 2007 4:10 pm Post subject:
No.
Nobody answered me on the apache ML, and I still don't get it working.
Regards