Usernames containing a dot '.' are escaped with a backslash '\' in the BasicAuth header.

(Last modified: 10Feb2006)

This document (10097507) is provided subject to the disclaimer at the end of this document.

fact

iChain 2.3

Forward authentication information to web server

Basic Authentication

Object Level Access Control (OLAC)

LDAP Authentication

LDAP Login Method: Build distinguished name

symptom

Usernames containing a dot '.' are escaped with a backslash '\' in the BasicAuth header.

change

When using an LDAP Login Method of "Search on a single attribute" iChain does not escape the dot, but simply passes the unmodified username.

When using OLAC to specify the LDAP CN value for the ICHAIN_UID, the username is not escaped.

fix

This issue has been fixed and is included in iChain builds 2.3.295 and later.

note

A user has a username containing a dot '.' such as 'user.name'.

When an iChain accelerator is configured to forward authentication information to the web server, it does this by creating a Basic Authorization HTTP header, which is injected into HTTP requests sent to the origin server.  The contents of the BasicAuth header are composed of the username (fully qualified LDAP DN) and password supplied when authenticating to iChain.

Prior to iChain 2.2 SP3, usernames containing a dot were forwarded unmodified.  For example: cn=user.name,ou=users,o=company

As of iChain 2.2 SP3 (continuing to iChain 2.3 SP3), usernames containing a dot are now escaped prior to inclusion in the BasicAuth header as follows: cn=user\.name,ou=users,o=company
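The following Python sketch is an added example, not Novell or iChain code. It shows how an origin server could decode the forwarded BasicAuth header and compare the escaped and unescaped DN forms described above. The function names and the sample password in the test are constructed for illustration; only a backslash that escapes a dot is removed, so other DN escapes such as '\,' are left intact.

```python
import base64
from typing import Tuple


def build_basic_auth(username: str, password: str) -> str:
    """Build an Authorization header value as HTTP Basic auth defines it."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header_value: str) -> Tuple[str, str]:
    """Decode 'Basic <base64>' into (username, password)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    # The first ':' separates username and password; the password may
    # itself contain ':' characters.
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' between username and password")
    return username, password


def unescape_dots(dn: str) -> str:
    """Drop the backslash only where it escapes a dot.

    Escape pairs are consumed two characters at a time, so an escaped
    backslash followed by a dot is not mistaken for an escaped dot.
    """
    out = []
    i = 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt != ".":
                out.append("\\")  # keep escapes other than '\.'
            out.append(nxt)
            i += 2
        else:
            out.append(dn[i])
            i += 1
    return "".join(out)


def same_user(dn_a: str, dn_b: str) -> bool:
    """Compare two forwarded DNs, ignoring dot escaping and letter case."""
    return unescape_dots(dn_a).lower() == unescape_dots(dn_b).lower()
```
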

Current workarounds for this behavior include the following:

  1. Use the LDAP Login Method of "Search on a single attribute" instead of "Build distinguished name".  In this configuration iChain does not escape the username.  (Using this method has different configuration requirements as search bases are specified instead of individual contexts.)
  2. Use OLAC to provide a different LDAP value for the ICHAIN_UID attribute.  For example, specifying an OLAC configuration where the LDAP CN value is used for the ICHAIN_UID attribute will cause the BasicAuth username to be forwarded as "user.name" with the password being that which was supplied during the initial iChain login.  (Using this method eliminates the possibility of having the full DN of the username passed in the BasicAuth header.)
  3. Upgrade to iChain build 2.3.295 or later.

document

Document Title: Usernames containing a dot '.' are escaped with a backslash '\' in the BasicAuth header.
Document ID: 10097507
Solution ID: NOVL101932
Creation Date: 27Apr2005
Modified Date: 10Feb2006
Novell Product Class: iChain

disclaimer

The origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.