Bug #2227
closedInternational / UTF-8 characters not working in LDAP configuration
100%
Description
While trying to configure pfSense to use an LDAP authentication server that use some (french) accentuated characters (é, à, è, etc.) in DNs, I discovered it doesn't work.
Steps to reproduce:
Create (or update) a new LDAP server configuration by using the following DN in "Search scope" or "Authentication containers" field:
ou=Recherche et Développement,dc=mycompany,dc=com
Actual result:
When saving "Authentication Servers" I get the notification-error:
[config.xml]pfSense is restoring the configuration /cf/conf/backup/config-1329926905.xml
System logs says:
Feb 22 18:00:15 php: /system_authservers.php: New alert found: pfSense is restoring the configuration /cf/conf/backup/config-1329926905.xml Feb 22 18:00:15 php: /system_authservers.php: pfSense is restoring the configuration /cf/conf/backup/config-1329926905.xml Feb 22 18:00:15 php: /system_authservers.php: XML error: Undeclared entity error at line 223 in /conf/config.xml
And the server configuration is not added/updated
Expected result:
LDAP server configuration created/updated without error
Additional notes:
Looking at /cf/conf/config.xml.bad
configuration file I see that the "é" was replaced by "é"
<pfsense> [...] <system> [...] <authserver> [...] <ldap_authcn>ou=Recherche et Développement</ldap_authcn> [...]
Maybe it has to do with the lack of specified encoding no encoding
attribute in )?
Maybe values should be placed in CDATA?: <ldap_authcn><![CDATA[ou=Recherche et Développement]]></ldap_authcn>
I ran into that issue by adding a LDAP server for authentication: but maybe the issue is more global?
Updated by Jim Pingle almost 13 years ago
Those characters are invalid to have in XML, and (as you see) must be CDATA escaped. However, not all fields are CDATA escaped in the config. Though we usually reject such characters in fields that are not protected, it seems this is one case we don't have that protection in place.
This will take changes in the backend to handle such characters in that field.
As a quick test, you could add ldap_authcn to the checks in /etc/inc/xmlparse.inc that handle CDATA fields (currently just descr and detail).
Updated by Claude Duvergier almost 13 years ago
I changed two lines of /etc/inc/xmlparse.inc
file:
} else if ((substr($ent, 0, 5) == "descr") || (substr($ent, 0, 6) == "detail")) {
if ((substr($ent, 0, 5) == "descr") || (substr($ent, 0, 6) == "detail"))
Changed into:
} else if (($ent == "ldap_authcn") || (substr($ent, 0, 5) == "descr") || (substr($ent, 0, 6) == "detail")) {
if (($ent == "ldap_authcn") || (substr($ent, 0, 5) == "descr") || (substr($ent, 0, 6) == "detail"))
And adding/updating server configuration with "é" character doesn't trigger any error: thanks :)
But when trying to authenticate with an LDAP-user from a container using the "é" (say ou=Recherche et Développement,dc=mycompany,dc=com) it fails and System logs says:
Feb 22 19:22:59 php: /index.php: webConfigurator authentication error for 'cduv' from 192.168.1.141 Feb 22 19:22:59 php: /index.php: webConfigurator authentication error for 'cduv' from 192.168.1.141 Feb 22 19:22:59 php: /index.php: ERROR! Either LDAP search failed, or multiple users were found. Feb 22 19:22:59 php: /index.php: Search resulted in error: Invalid DN syntax Feb 22 19:22:59 php: /index.php: Now Searching in server MyCompany, container ou=Recherche et Développement with filter (uid=cduv). Feb 22 19:22:59 php: /index.php: Now Searching in server MyCompany, container ou=Partenaires with filter (uid=cduv). Feb 22 19:22:58 php: /index.php: Now Searching in server MyCompany, container ou=Stagiaires with filter (uid=cduv). Feb 22 19:22:58 php: /index.php: Now Searching in server MyCompany, container ou=Commerciaux with filter (uid=cduv). Feb 22 19:22:58 php: /index.php: Now Searching for cduv in directory.
If I try with an other LDAP-user account from a container without any special character (say ou=Commerciaux,dc=mycompany,dc=com) it works just fine.
Looks like the "é" is causing problems in the code that handles LDAP search/binding.
Updated by Jim Pingle almost 13 years ago
Someone who knows more about LDAP will have to comment on that one. I just knew the XML bit. :-)
There may be a library or component somewhere underneath that doesn't have proper UTF-8 or related support, The "Invalid DN syntax" error does not come from our code, it is returned by PHP's ldap_error() function:
etc/inc/auth.inc: log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap)));
You might give a 2.1 snapshot a try (http://iserv.nl/files/pfsense/releng83/) because those use PHP 5.3.x, you may be hitting a PHP 5.2.x issue.
Or it could need utf8_encode()/utf8_decode() somewhere before passing parameters to the LDAP functions.
Just a guess there though.
Updated by Claude Duvergier almost 13 years ago
It was indeed a missing utf8_encode():
I changed source:/etc/inc/auth.inc@184a6ceb#L1054 as following:
1054c1054
< $search = @$ldapfunc($ldap,$ldac_split,$ldapfilter);
---
> $search = @$ldapfunc($ldap,utf8_encode($ldac_split),$ldapfilter);
1056c1056
< $search = @$ldapfunc($ldap,"{$ldac_split},{$ldapbasedn}",$ldapfilter);
---
> $search = @$ldapfunc($ldap,utf8_encode("{$ldac_split},{$ldapbasedn}"),$ldapfilter);
And LDAP-based authentication is working just fine by now.
Updated by Jim Pingle over 11 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset a5cd1c5a4286062b84caf32df860f2e2f2e204aa.
Updated by Jim Pingle over 11 years ago
Applied in changeset 298020b2b6efa75c863bafef9a078c285a2b9ed6.