So yesterday I found myself in an unfortunate situation–I had just spent several days doing a significant revamp and cleanup of a client's LDAP tree (to better support multiple-domain email handling, mostly, but it had accumulated several years of cruft) when the client called me in a tizzy because their WebDAV access–necessary to modify a number of their websites–had stopped working.
Well, it turns out that Adobe GoLive! URI-encodes any (presumably, I didn’t check) non-alphabetic characters in the username it sends over for authentication. But these usernames aren’t decoded before they’re handed to mod-auth-ldap, so the lookup fails because there is no record for ‘foo%40example.com’.
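To make the failure concrete, here is an added example (mine, not code from the post or from mod-auth-ldap) that builds a `(uid=...)` search filter from the user name a client sent over HTTP Basic auth. It shows the lookup that fails when the percent-encoded name goes into the filter untouched, and the order that is safe when you do decode: percent-decode first, then escape the LDAP filter metacharacters, so that an encoded `%2a` ends up as a literal `\2a` rather than a live wildcard. The strict decoder rejects malformed escapes and an encoded NUL instead of half-decoding them. The sample user names are constructed; `build_uid_filter` and the `uid` attribute are my assumptions, not the module's API.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Hex digit value, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Strict percent-decoder: returns 0 on success, -1 on a malformed %XY
 * escape, an encoded NUL (which would silently truncate the C string),
 * or insufficient output space. */
int percent_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = (hi >= 0) ? hexval((unsigned char)p[2]) : -1;
            if (hi < 0 || lo < 0) return -1;   /* malformed escape */
            c = hi * 16 + lo;
            if (c == 0) return -1;             /* %00 would truncate */
            p += 2;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* RFC 4515 escaping of a filter assertion value: '*', '(', ')' and '\'
 * become \XX with two hex digits. Returns 0, or -1 if out is too small. */
int ldap_filter_escape(const char *in, char *out, size_t outlen) {
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p == '*' || *p == '(' || *p == ')' || *p == '\\') {
            if (o + 3 >= outlen) return -1;
            out[o++] = '\\';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Builds "(uid=<value>)" for raw_user (hypothetical helper, not the
 * module's own). With decode_first set, the name is percent-decoded and
 * THEN filter-escaped; decoding after escaping would turn an escaped
 * %2a back into a wildcard. Returns 0 on success, -1 on a rejected name. */
int build_uid_filter(const char *raw_user, int decode_first,
                     char *out, size_t outlen) {
    char decoded[256], escaped[512];
    const char *value = raw_user;
    if (decode_first) {
        if (percent_decode(raw_user, decoded, sizeof decoded) != 0) return -1;
        value = decoded;
    }
    if (ldap_filter_escape(value, escaped, sizeof escaped) != 0) return -1;
    if (snprintf(out, outlen, "(uid=%s)", escaped) >= (int)outlen) return -1;
    return 0;
}

int main(void) {
    /* Constructed inputs: what a client like GoLive would send for
     * foo@example.com, an encoded wildcard, and a malformed escape. */
    const char *names[] = { "foo%40example.com", "foo%2a", "foo%zz" };
    char filt[600];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = build_uid_filter(names[i], 1, filt, sizeof filt);
        printf("%-20s -> %s\n", names[i], rc == 0 ? filt : "REJECTED");
    }
    /* The undecoded lookup: a filter no directory entry will match. */
    if (build_uid_filter(names[0], 0, filt, sizeof filt) == 0)
        printf("without decoding the filter is %s\n", filt);
    return 0;
}
```

The point of the ordering is that the escape step must see the bytes the directory will see; anything that rewrites the value after escaping (a second decode, a charset conversion) has to be treated as untrusted input all over again.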
If I were dealing with traditional vendors here, I expect I would have spent quite some time on the phone as everyone involved pointed fingers at one another–the web server vendor saying that GoLive! shouldn’t URI-encode the usernames, Adobe saying that the web server should decode them, the web server saying that the LDAP server should know how to decode them, etc., etc. Round and round.
But I’m not dealing with traditional vendors (at least, not on the server side), I’m dealing with Free Software. Which means I was able to download the source to mod-auth-ldap and add the following patch:
bc.. — libapache-auth-ldap-1.6.0.orig/auth_ldap.c
+++ libapache-auth-ldap-1.6.0/auth_ldap.c
@@ -404,7 +405,12 @@
LDAP filter metachars are escaped.
*/
filtbuf_end = filtbuf + FILTER_LENGTH – 1;
– for (p = r->connection->user, q=filtbuf + strlen(filtbuf);
+
+ /* fscking Go Live uri-encodes the usernames, which screws up lookups */
+ char *decoded_user = ap_pstrdup (r->pool, r->connection->user);
+ ap_unescape_url (decoded_user);
+
+ for (p = decoded_user, q=filtbuf + strlen(filtbuf);
*p && q < filtbuf_end; *q++ = *p++) {
if (strchr("*()\\", *p) != NULL) {
*q++ = '\\';
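Review bot: the return value of ap_unescape_url() is discarded on the line `+ ap_unescape_url (decoded_user);`, so a user name with a malformed escape or an encoded %00 proceeds into the filter with whatever partial decoding was done; check for OK and fail the lookup otherwise. The decode is also unconditional, so any client whose user name legitimately contains a '%' now has it mangled, and the decoded value only feeds the filter: r->connection->user (and thus REMOTE_USER and the logs) keeps the encoded form, which is worth a comment at least. Minor: the `char *decoded_user` declaration follows a statement in the block, which pre-C99 compilers reject; move it up with the other declarations, and the profanity in the comment should go. Placing the decode before the metachar-escaping loop is the right order, since decoding after escaping would turn a %2a back into a live wildcard.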
p. And everything works just fine, thanks.