Users whose password contains the spanish accented "n" (ñ) are unable to authenticate in ldap.
1.- When the password comes synced from a Windows domain controller then it is hashed and the accented "n" replaced by its utf8 code. Windows pass: cañadelomo --> Sync'ed pass: ca\xf1adelomo
2.- When the password is changed directly on the 389ds ldap object, then the accented "n" is deleted from the phrase. Changed pass: cañadelomo --> Efective pass: caadelomo
In both cases, the 7bit-check plugin was deactivated on the ldap server. Tried in 389ds versions 1.2.9.9 and 1.2.10
set default ticket origin to Community
Added initial screened field value.
Bug description: Passhook plugin used to store the password in the intermediate file passhook.dat using _snprintf which just converts wchar in ascii to char without considering the non- ascii characters.
Fix description: Instead of using _snprintf, WideCharToMultiByte is called to convert the Microsoft internal character set to UTF-8, which is valid in LDAP.
Also, in SyncPasswords (PassSync), it adds LDAP_INAPPROPRIATE_ AUTH to the condition to send the password change on Windows to the Directory server. Bind returns LDAP_INAPPROPRIATE_AUTH, when a password is not in the entry for SIMPLE auth. PassSync should be able to send the password for the case, as well.
git patch file (master) 0001-Ticket-363-Passsync-Winsync-handles-passwords-with-8.patch
Reviewed by Rich (Thanks!!)
Pushed to master: commit 130cb2003ebdfe04b3bc2794a250acc8540fd8b3
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=963836
Metadata Update from @nhosoi: - Issue assigned to nhosoi - Issue set to the milestone: passsync 1.1.5
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/363
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)
Log in to comment on this ticket.