Bug #57790 for RT-Authen-ExternalAuth: LDAP password utf encoding

Sun May 23 19:16:34 2010 kammerer [...] and.at - Ticket created

Subject:	LDAP password utf encoding
Date:	Sun, 23 May 2010 22:58:13 +0200
To:	"'bug-RT-Authen-ExternalAuth [...] rt.cpan.org'" <bug-RT-Authen-ExternalAuth [...] rt.cpan.org>
From:	"AnD-Institut (Andreas Kammerer)" <kammerer [...] and.at>

Hi! I had some problems using ldap-login with special characters in passwords (in my case, a ! was in it) against Active Directory (Windows Server 2008 R2). I found that you have to utf8 encode the password. My changes to LDAP.pm around line 79. # THIS bind determines success or failure on the password. my $encpass = $password; utf8::encode($encpass); $ldap_msg = $ldap->bind($ldap_dn, password => $encpass); Maybe thats useful also for others. By the way: Great work! Very readable code, also for a perl newbe like me ;) Greetings from Austria, Andreas Kammerer, CMC Geschäftsführer kammerer@and.at - www.and.at Tel.: +43 7276/4282 101 - Fax: +43 7276/4282 99 Absender dieses Mails ist das AnD-Institut Inh. Andreas Kammerer, Rossanger 7, AT-4722 Peuerbach, Gerichtsstand ist AT-4722 Peuerbach. Wenn Sie keine eMails mehr von uns erhalten möchten, antworten Sie bitte auf dieses Mail mit "UNSUBSCRIBE" im Betreff.

Mon May 24 16:57:43 2010 kevin [...] jibsheet.com - Correspondence added

Subject:	Re: [rt.cpan.org #57790] LDAP password utf encoding
Date:	Mon, 24 May 2010 16:57:30 -0400
To:	AnD-Institut via RT <bug-RT-Authen-ExternalAuth [...] rt.cpan.org>
From:	Kevin Falcone <kevin [...] jibsheet.com>

On Sun, May 23, 2010 at 07:16:39PM -0400, AnD-Institut via RT wrote: Show quoted text

> > I had some problems using ldap-login with special characters in > passwords (in my case, a ! was in it) against Active Directory > (Windows Server 2008 R2). I found that you have to utf8 encode the > password. My changes to LDAP.pm around line 79. > > # THIS bind determines success or failure on the password. > my $encpass = $password; > utf8::encode($encpass); > $ldap_msg = $ldap->bind($ldap_dn, password => $encpass); > > Maybe thats useful also for others.

Hi Andreas This is very interesting. Normally if utf8::encode() is required, something has gone horribly wrong along the way. It would be really interesting to see something like: use Devel::Peek; Dump($password); DUmper($encpass); for a password with/without ! (keep in mind that it'll show me your password, so obviously, use a tester). Thanks -kevin

Mon May 24 16:57:45 2010 The RT System itself - Status changed from 'new' to 'open'

Tue May 25 11:44:34 2010 kammerer [...] and.at - Correspondence added

Subject:	AW: [rt.cpan.org #57790] LDAP password utf encoding
Date:	Tue, 25 May 2010 17:36:12 +0200
To:	"bug-RT-Authen-ExternalAuth [...] rt.cpan.org" <bug-RT-Authen-ExternalAuth [...] rt.cpan.org>
From:	"AnD-Institut (Andreas Kammerer)" <kammerer [...] and.at>

Hi kevin! Wow - a magic Module ;) I inserted the Debug code and now everything works. Don’t ask me. I redirected the stderr to a string and put it in the log as I don’t know where I find the output by default (shame on me). Result: May 25 16:11:04 s11-rt RT: My_LDAP DUMP: SV = PV(0xbff6b30) at 0xa2419b0#012 REFCNT = 1#012 FLAGS = (PADMY,POK,pPOK,UTF8)#012 PV = 0xbffaff0 "P@ssword!"\0 [UTF8 "P@ssword!"]#012 CUR = 9#012 LEN = 12 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:89) May 25 16:11:04 s11-rt RT: My_LDAP DUMPenc: SV = PV(0xb3c8748) at 0xa242200#012 REFCNT = 1#012 FLAGS = (PADMY,POK,pPOK)#012 PV = 0xb485af8 "P@ssword!"\0#012 CUR = 9#012 LEN = 12 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:97) May 25 16:11:04 s11-rt RT: LDAP password validation result: 1 ...just for fun I reseted the login from $encpass to $password and guess what - it works. I tried to login with my account - works also. I removed all my code-changes completely - it works. I swear it didn’t - I tried two long nights... Be it as it is - forget it and sorry for the Post. Show quoted text

____________________________________________ Andreas Kammerer, CMC AnD-Institut www.and.at +43 7276 4282 0

Tue May 25 17:05:46 2010 kevin [...] jibsheet.com - Correspondence added

Subject:	Re: [rt.cpan.org #57790] LDAP password utf encoding
Date:	Tue, 25 May 2010 17:05:24 -0400
To:	AnD-Institut via RT <bug-RT-Authen-ExternalAuth [...] rt.cpan.org>
From:	Kevin Falcone <kevin [...] jibsheet.com>

On Tue, May 25, 2010 at 11:44:35AM -0400, AnD-Institut via RT wrote: Show quoted text

> > Wow - a magic Module ;) I inserted the Debug code and now everything works. Don’t ask me.

That is really weird. It sounds like there may have been some other character in your password causing issues (or a webserver issue). Usually when utfe::encode is used, it means someone broke the utf8 character/byte rules somewhere, but that code *should* be clean of that. I'm also glad to see that P@ssword worked for you, because some other people have run into @ in a password causing issues. -kevin Show quoted text

> I redirected the stderr to a string and put it in the log as I don’t know where I find the output by default (shame on me). Result: > > May 25 16:11:04 s11-rt RT: My_LDAP DUMP: > SV = PV(0xbff6b30) at 0xa2419b0#012 REFCNT = 1#012 FLAGS = (PADMY,POK,pPOK,UTF8)#012 PV = 0xbffaff0 "P@ssword!"\0 [UTF8 "P@ssword!"]#012 CUR = 9#012 LEN = 12 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:89) > May 25 16:11:04 s11-rt RT: My_LDAP DUMPenc: > SV = PV(0xb3c8748) at 0xa242200#012 REFCNT = 1#012 FLAGS = (PADMY,POK,pPOK)#012 PV = 0xb485af8 "P@ssword!"\0#012 CUR = 9#012 LEN = 12 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:97) > May 25 16:11:04 s11-rt RT: LDAP password validation result: 1 > > ...just for fun I reseted the login from $encpass to $password and guess what - it works. I tried to login with my account - works also. I removed all my code-changes completely - it works. I swear it didn’t - I tried two long nights... > > Be it as it is - forget it and sorry for the Post.

Mon Sep 19 15:03:46 2011 cpan [...] jibsheet.com - Status changed from 'open' to 'resolved'