[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: userPassword and non-ASCII characters
If the application knows the password is textual, it should
1) trancode the string to Unicode, 2) prepare the string for
matching (by the octetStringMatch rule), 3) and encode using
UTF-8. To prepare the string, minimally normalize the
string to Form KC. Presently, the IETF is considering
recommending that the SASLprep algorithm here. See
draft-ietf-sasl-saslprep-xx.txt for details (available
at http://www.ietf.org/).
Kurt
At 06:29 AM 5/21/2003, Peter Marschall wrote:
>Hi,
>
>How should I encoded strings containing non-ASCII characters
>that I want to store in the userPassword attribute.
>I have searched the RFCs but I have not found whether I have
>to encode the value in UTF-8 before stroing it in the value or not.
>
>If I do not encode it in UTF-8 I may end up with another password
>when sitting on a keyboard with another locale.
>If I do, does it conform to the octetString syntax ?
>
>Or shall I store / request it using the ;binary option ?
>
>
>Speaking of the ;binary option:
>RFC2251 states:
>
>4.3.1 Binary Transfer of Values
>
> This encoding format is used if the binary encoding is requested by
> the client for an attribute, or if the attribute syntax name is
> "1.3.6.1.4.1.1466.115.121.1.5". The contents of the LDAP
> AttributeValue or AssertionValue field is a BER-encoded instance of
> the attribute value or a matching rule assertion value ASN.1 data
> type as defined for use with X.500. (The first byte inside the OCTET
> STRING wrapper is a tag octet. However, the OCTET STRING is still
> encoded in primitive form.)
>
> All servers MUST implement this form for both generating attribute
> values in search responses, and parsing attribute values in add,
> compare and modify requests, if the attribute type is recognized and
> the attribute syntax name is that of Binary. Clients which request
> that all attributes be returned from entries MUST be prepared to
> receive values in binary (e.g. userCertificate;binary), and SHOULD
> NOT simply display binary or unrecognized values to users.
>
>Does this mean I am free to store and request any attribute either in
>its normal form or in binary and the server has to give it to me the
>way I want it ?
>
>Does that mean that the server has to UTF8-decode regular strings
>when binary transfer was requested ?
>
>Does OpenLDAP support it ?
>My tests with ldapsearch indicate it doesn't, but maybe I misunderstood it.
>
>Peter
>--
>Peter Marschall
>eMail: peter@adpm.de