question on ldap_escape_func in rlm_ldap.c

Qin Zhen qin.zhen at pacific.net.sg
Wed Dec 7 13:05:24 CET 2005


Thanks for Nicolas's reply.
So in the latest version (1.0.5), a username 'jam\' will be converted into 
'jam\5c' and ldapsearch will be based on 'jam\5c', right? So this username is 
not supposed to be found in LDAP in this case?
But how come on my server the ldapsearch is based on 'jam' and those 
invalid characters are just simply eliminated? Scratching head... please 
assist. Thanks so much.

----- Original Message ----- 
From: "Nicolas Baradakis" <nbk at sitadelle.com>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Wednesday, December 07, 2005 6:51 PM
Subject: Re: question on ldap_escape_func in rlm_ldap.c


> Qin Zhen wrote:
>
>> I couldn't figure out what the change intends to do. Is it to
>> filter out '*', '\\', '()' and '=' from the username? And why should it
>> be that way? Please help me. Thanks a lot in advance.
>
> The function ldap_escape_func() filters all LDAP-specific characters
> from RFC 2254. This prevents LDAP injection attacks.
>
> BTW there's a known bug in this function; you can get a fixed version
> here (the patch will be included in the next release):
>
> http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_ldap/rlm_ldap.c?rev=1.122.2.8
>
> -- 
> Nicolas Baradakis
>
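The escaping discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code: a C sketch of RFC 2254 filter-value escaping in which the username 'jam\' becomes 'jam\5c' instead of having the backslash dropped. The function names, the buffer sizes and the `uid` attribute are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Added illustration, not FreeRADIUS source; all names are hypothetical.
 * RFC 2254 filter values write these bytes as \XX (NUL cannot occur here). */
static int needs_escape(unsigned char c)
{
    return c == '*' || c == '(' || c == ')' || c == '\\';
}

/* Escape `in` into `out`. Returns the escaped length, or -1 if it does not
 * fit: fail closed rather than search with a truncated filter. */
int filter_escape(char *out, size_t outlen, const char *in)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;
    if (outlen == 0) return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = needs_escape(c) ? 3 : 1;
        if (n + need >= outlen) {        /* one byte is reserved for NUL */
            out[0] = '\0';
            return -1;
        }
        if (need == 3) {                 /* '\' becomes the 3 bytes \5c */
            out[n++] = '\\';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0f];
        } else {
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Build "(uid=<escaped name>)"; the uid attribute is an assumption. */
int build_uid_filter(char *out, size_t outlen, const char *name)
{
    char esc[256];
    if (filter_escape(esc, sizeof(esc), name) < 0) return -1;
    int len = snprintf(out, outlen, "(uid=%s)", esc);
    return (len < 0 || (size_t)len >= outlen) ? -1 : len;
}

int main(void)
{
    char f[64];                          /* constructed sample input below */
    return build_uid_filter(f, sizeof(f), "jam\\") > 0 && puts(f) != EOF ? 0 : 1;
}
```

Escaping keeps the special character in the search as a literal, so a lookup for 'jam\' matches only an entry whose value really ends in a backslash; stripping the character would make the search run against 'jam'.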