UnicodeEncodeError WebUI login

AndreasKissling · June 6, 2017, 10:38am

Hello,

is there a known issue regarding login at web ui with an user containing additional/special characters over LDAP?

We have the problem with several users.

For example user andreas.kissling(Accountname) Andreas(Given name) Kißling (Surname) Andreas Kißling (Displayname)

[2017-05-29 08:41:01,452][12356][139833472313088][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:255] failed to check
password for ‘'CN=Andreas Ki\xdfling,OU=Benutzer,OU=,DC=,DC=local’
: UnicodeEncodeError(‘ascii’, u’CN=Andreas Ki\xdfling,OU=Benutzer,OU=,DC=**********,DC=local’, 13, 14,
‘ordinal not in range(128)’)

As you can see there’s a problem with the encoding that causes the CN to be Andreas Ki\xdfling instead of Andreas Kißling which results in failed authentifications

Changing the displayname and surname to Kissling works around that issue but we would like to know if that problem is already know and if you are working on a solution/considering to work an a solution

(another user has that problem with additional/special characters in his given name, “Björn” )

If not we have to replace all the additional/special characters in our domain

Many thanks in advance

Andreas Kißling

Jochen_Hein · June 6, 2017, 11:37am

\xdf is “ß” in Latin-1. Is there a reason to store non-Unicode characters in your LDAP?
Since a couple of years ago I think we really should migrate to unicode and be done with it.

If you do really need Latin-1 - maybe we can add conversions where needed - but there are lots of LDAP request potentially affected.

AndreasKissling · June 6, 2017, 1:46pm

Thanks for your answer and help,

I’ll have to talk to my coworkers and find out why we are using Latin-1 and come back later when I have more information.

Andreas Kißling

AndreasKissling · June 12, 2017, 7:41am

Hello again,

we worked around that problem by changing the Bind-Type (Configuration > User > *Select your resolver) to "NTLM"
since “Simple” compares the CN and in our domain there are users who have additional/special characters in their CNs where as “NTLM” compares “domainname\username” and we have no additional/special characters in usernames.

Thanks a lot for your help and advice

Andreas Kißling