pfSense

Those characters are invalid to have in XML, and (as you see) must be CDATA escaped. However, not all fields are CDATA escaped in the config. Though we usually reject such characters in fields that are not protected, it seems this is one case we don't have that protection in place.

This will take changes in the backend to handle such characters in that field.

As a quick test, you could add ldap_authcn to the checks in /etc/inc/xmlparse.inc that handle CDATA fields (currently just descr and detail).

I changed two lines of /etc/inc/xmlparse.inc file:

} else if ((substr($ent, 0, 5) == "descr") || (substr($ent, 0, 6) == "detail")) {

if ((substr($ent, 0, 5) == "descr") || (substr($ent, 0, 6) == "detail"))

Changed into:

} else if (($ent == "ldap_authcn") || (substr($ent, 0, 5) == "descr") || (substr($ent, 0, 6) == "detail")) {

if (($ent == "ldap_authcn") || (substr($ent, 0, 5) == "descr") || (substr($ent, 0, 6) == "detail"))

And adding/updating server configuration with "é" character doesn't trigger any error: thanks :)

But when trying to authenticate with an LDAP-user from a container using the "é" (say ou=Recherche et Développement,dc=mycompany,dc=com) it fails and System logs says:

Feb 22 19:22:59     php: /index.php: webConfigurator authentication error for 'cduv' from 192.168.1.141
Feb 22 19:22:59     php: /index.php: webConfigurator authentication error for 'cduv' from 192.168.1.141
Feb 22 19:22:59     php: /index.php: ERROR! Either LDAP search failed, or multiple users were found.
Feb 22 19:22:59     php: /index.php: Search resulted in error: Invalid DN syntax
Feb 22 19:22:59     php: /index.php: Now Searching in server MyCompany, container ou=Recherche et Développement with filter (uid=cduv).
Feb 22 19:22:59     php: /index.php: Now Searching in server MyCompany, container ou=Partenaires with filter (uid=cduv).
Feb 22 19:22:58     php: /index.php: Now Searching in server MyCompany, container ou=Stagiaires with filter (uid=cduv).
Feb 22 19:22:58     php: /index.php: Now Searching in server MyCompany, container ou=Commerciaux with filter (uid=cduv).
Feb 22 19:22:58     php: /index.php: Now Searching for cduv in directory.

If I try with an other LDAP-user account from a container without any special character (say ou=Commerciaux,dc=mycompany,dc=com) it works just fine.

Looks like the "é" is causing problems in the code that handles LDAP search/binding.

Someone who knows more about LDAP will have to comment on that one. I just knew the XML bit. :-)

There may be a library or component somewhere underneath that doesn't have proper UTF-8 or related support, The "Invalid DN syntax" error does not come from our code, it is returned by PHP's ldap_error() function:

etc/inc/auth.inc: log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap)));

You might give a 2.1 snapshot a try (http://iserv.nl/files/pfsense/releng83/) because those use PHP 5.3.x, you may be hitting a PHP 5.2.x issue.

Or it could need utf8_encode()/utf8_decode() somewhere before passing parameters to the LDAP functions.

Just a guess there though.

It was indeed a missing utf8_encode():

I changed source:/etc/inc/auth.inc@184a6ceb#L1054 as following:

1054c1054
<             $search     = @$ldapfunc($ldap,$ldac_split,$ldapfilter);
---
>             $search     = @$ldapfunc($ldap,utf8_encode($ldac_split),$ldapfilter);
1056c1056
<             $search  = @$ldapfunc($ldap,"{$ldac_split},{$ldapbasedn}",$ldapfilter);
---
>             $search  = @$ldapfunc($ldap,utf8_encode("{$ldac_split},{$ldapbasedn}"),$ldapfilter);

Applied in changeset 298020b2b6efa75c863bafef9a078c285a2b9ed6.

I'm OK with changes: works fine.