Password with comma fail with LDAP

Turtiainen, Tero tero.turtiainen at capgemini.com
Tue Jul 19 11:05:41 CEST 2005


Hi,

> We have FreeRADIUS 0.9.3 using LDAP for authorisation. We now have a
> problem that for example password with certain characters is cut. For
> example password "test,ing" is cut to "test". This is caused by the
> gettoken function in src/lib/token.c which is used by the rlm_ldap
> module. Google search seems to indicate that the same problem has been
> with the SQL-module which also uses gettoken.
>
> This kind of behaviour is of course quite evil. Is our problem unique?
....
> I made a quick test fix by replacing all occurrences of gettoken in
> src/modules/rlm_ldap/rlm_ldap.c with the getbareword function (also in
> src/lib/token.c) which does not care about the tokens
....

I have looked at this a little bit more and I still don't get it. Why
does the LDAP-module use the gettoken() function? I have thought that
the authorisation data stored in LDAP should usually be taken "as is",
but in the LDAP/gettoken case it seems that there could also be some
special handling. But in our case this breaks the password handling if
the password contains some of those delimiters (like ,=> etc...).
Storing the passwords in MD5 or some other one-way encryption is not a
solution as CHAP is used for authentication. And the gettoken also
breaks other attributes, not just passwords.

Is there something that I don't understand or is this a bug in the
LDAP-module? Replacing gettoken with getbareword in the rlm_ldap.c
seemed to fix this, but this may break a lot of other things... :)

Or should this be discussed in freeradius-devel?
--
Tero Turtiainen
Telecom, Media & Entertainment
Capgemini
tero.turtiainen at capgemini.com
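As an added illustration (not code from this thread or from FreeRADIUS's src/lib/token.c), a simplified C model of the two readers the post contrasts, plus a check an administrator can run over stored attribute values to find ones the token reader would silently truncate. The delimiter set is an assumption built from the characters the post names (",=>").

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed operator characters; ',' '=' '>' are the ones named in the post. */
static const char *DELIMS = ",=>";

/* Model of gettoken(): copies characters until whitespace or a delimiter.
 * This is the behaviour that turns "test,ing" into "test".
 * Returns the number of input characters consumed. */
size_t model_gettoken(const char *in, char *out, size_t outlen) {
    size_t i = 0;
    while (in[i] && in[i] != ' ' && in[i] != '\t' &&
           strchr(DELIMS, in[i]) == NULL && i + 1 < outlen) {
        out[i] = in[i];
        i++;
    }
    out[i] = '\0';
    return i;
}

/* Model of getbareword(): copies until whitespace only, so delimiter
 * characters inside the value are kept. */
size_t model_getbareword(const char *in, char *out, size_t outlen) {
    size_t i = 0;
    while (in[i] && in[i] != ' ' && in[i] != '\t' && i + 1 < outlen) {
        out[i] = in[i];
        i++;
    }
    out[i] = '\0';
    return i;
}

/* Defender check: does a stored value pass through the token reader
 * unchanged? False means the value would be cut, as in the post. */
bool survives_gettoken(const char *value) {
    char buf[256];
    model_gettoken(value, buf, sizeof buf);
    return strcmp(buf, value) == 0;
}

int main(void) {
    /* Constructed sample values, not real credentials. */
    const char *samples[] = { "test,ing", "testing", "a=b", "plain" };
    char buf[256];
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        model_gettoken(samples[n], buf, sizeof buf);
        printf("%-10s -> gettoken \"%s\"  %s\n", samples[n], buf,
               survives_gettoken(samples[n]) ? "ok" : "TRUNCATED");
    }
    return 0;
}
```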
