[Product-Developers] LDAPMultiPlugins developers: please read this - possible localization problem

Alberto Lopes alberto at alopes.com
Sat Aug 23 04:58:04 UTC 2008


Dear fellas,

I had a really cr*ppy week because of this problem, so I'd like to report
this (I couldn't find the issue track on PloneLDAP page, so I put this here)
for others to help me understand what happened and maybe we can all work on
improving the related products.

I think you might have read my post 
http://n2.nabble.com/URGENT%3A-Unicode-show-stopper-tp675858p675858.html
"URGENT:Unicode show stopper"  in the General Questions forum. In that post,
I reported a problem which seemed to have something to do with encoding to
my region. FYI, I am running a Portuguese Plone site, in a pt-br locale.

Point is, I notice that the problem of UnicodeDecodeErrors seemed definitely
tied to the user that was accessing the Plone site (some users always got
the errors, and the other users never got the error). So in one line of
investigation, I tried to establish what was the difference between the
users.

It seemed that the affected users had at least one group with accented
characters in the group DN, and the unaffected users had groups only with
"regular" (i.e.  ascii compatible) characters.

I started to experiment a little on the LDAP Schema and Configure tabs of
the AD Plugin in ZMI, and noticed that if I removed the memberOf mapping, a
different error would occur.

After a few experiments (which I am not 100% what - that's the beauty of
backing up before messing everything with experiments :-D), I got an error
message at the getGroupsForPrincipal method in the
ActiveDirectoryMultiPlugin module; so I decided to check it out.

I haven't studied the code for the product (neither Plone code for that
matter), so I started guessing (and that's why I would like to hear from
Wichert or some other people who worked on this product, if I am making the
correct guesses). I saw this:

        cns = [ x.split(',')[0] for x in (ldap_user.memberOf or []) ]

Which seemed to me like a string splitting thing. Seems like we are getting
the memberOf collection (which is a single string for what I get) and
splitting it using the comma as the separator to produce a list of cns.

If I am correct, that would not work correctly, because the list separator
in our AD is the semicolon (;). Most Windows instalations in Portuguese use
the semicolon for list separation because the comma is our decimal separator
and the point is actually our thousands separator. Also, the memberOf string
returned by AD used semicolon to separate the group DNs, and comma to
separate the DN elements. Here is what a memberOf string looks like in our
installation (the example is for a user with two groups - I changed the
letters and digits for confidentiality issues):

CN=Alfa_QWE,OU=Zxcvb,OU=QW11,DC=qw11,DC=asd;CN=ZXCV66_POIUYT_LKJHG_QAZXSWE,OU=Zxcvb,OU=QW11,DC=qw11,DC=asd

I thought that my guess would explain why the unicode errors: the users with
strange chars in the DNs would probably get the name value pairs messed up
and the value of a pair would be incorrectly used as a name. That would make
Plone try to look for some users' group using the non-ascii part as a
identifier or something.

So, I changed the x.split(',') for x.split(';') in the file and everything
worked.

But one thing that I can't understand is why the problem suddenly appeared
after some weeks of working a 100% fine site. Maybe some user inserted some
non ascii char in a content type short name ? I dunno.

Please notice that I am not here to report a solution for the problem. I am
trying to validate my reasoning. If there is something correct in my
guesswork, I might be contributing for the improvement of the LDAP product.
If I am wrong, I would appreciate anyone to point my mistake because that
case means I tried to fix something but might have broken something else.
After all, I can't test extensively my fix now - not many users working at
Friday 8:30PM.

Well, anyway I would appreciate any comment on my message.

Have a nice weekend you all,

Alberto
-- 
View this message in context: http://n2.nabble.com/LDAPMultiPlugins-developers%3A-please-read-this---possible-localization-problem-tp777592p777592.html
Sent from the Product Developers mailing list archive at Nabble.com.





More information about the Product-Developers mailing list