question on ldap_escape_func in rlm_ldap.c

Nicolas Baradakis nbk at sitadelle.com
Wed Dec 7 16:21:16 CET 2005


Qin Zhen wrote:

> When I try to log in with username 'james*', ldap_escape_func actually
> converts it into 'james\2a\2a\2a\2a\2a\2a...', but the radius debug mode
> still shows
> Debug: rlm_ldap:performing search in dc=sg, o=company, with filter
> (&objectclass=radiusprofile)(userlogin=james))
> That means ldap still searches based on filter 'userlogin=james' and ignores
> those '\2a\2a\2a' that followed, and hence it finds the username 'james' from
> ldap and allows the user to log in.
> Is this the way the latest freeradius is supposed to be?

No, it's a known bug in FreeRADIUS 1.0.5. That's why I told you
earlier to get a fixed version in CVS.

> If user james can use 'james*' or 'james\\' to log in as usual, isn't it
> insecure?

I think "james*" (without escaping) in an LDAP filter is insecure,
it may disclose information about other users named "jamesfoo"
or "jamesbar" ...

-- 
Nicolas Baradakis



