Re: LDAP changes between 1.01 and 1.1.5

To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: LDAP changes between 1.01 and 1.1.5
From: Phil Mayers <p.mayers@imperial.ac.uk>
Date: Fri, 13 Apr 2007 11:30:55 +0100
In-reply-to: <461F4D98.8@noc.ntua.gr>
References: <6a499a230704121125m14d92291xec6176baf1bb8062@mail.gmail.com> <461E89AA.6070905@deployingradius.com> <6a499a230704121348s717fcc97y2e17c41616db5926@mail.gmail.com> <461ED1EC.2020203@deployingradius.com> <6a499a230704121809p949e0e6yd30501a085e4a8f9@mail.gmail.com> <461EDF86.1050907@deployingradius.com> <461F4D98.8@noc.ntua.gr>
Reply-to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
User-agent: Thunderbird 1.5.0.9 (X11/20070102)

the problem is with the groupmembership_filter. It contains theLdap-UserDn attribute which gets xlated and escaped:
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
A DN usually contains commas which get escaped and break the ldapsearch. I am not so sure why we should escape ',' in the first place.That way we break any ldap searches for attribute values holding DN's.


This is correct.

For info the python-ldap module contains a function:

def escape_filter_chars(assertion_value):
  """
  Replace all special characters found in assertion_value
  by quoted notation
  """
  s = assertion_value.replace('\\', r'\5c')
  s = s.replace(r'*', r'\2a')
  s = s.replace(r'(', r'\28')
  s = s.replace(r')', r'\29')
  s = s.replace('\x00', r'\00')
  return s

...implying that only \*()NUL need be escaped?

References:
- LDAP changes between 1.01 and 1.1.5
  - From: "Ryan Kramer" <rkramer@gmail.com>
- Re: LDAP changes between 1.01 and 1.1.5
  - From: Alan DeKok <aland@deployingradius.com>
- Re: LDAP changes between 1.01 and 1.1.5
  - From: "Ryan Kramer" <rkramer@gmail.com>
- Re: LDAP changes between 1.01 and 1.1.5
  - From: Alan DeKok <aland@deployingradius.com>
- Re: LDAP changes between 1.01 and 1.1.5
  - From: "Ryan Kramer" <rkramer@gmail.com>
- Re: LDAP changes between 1.01 and 1.1.5
  - From: Alan DeKok <aland@deployingradius.com>
- Re: LDAP changes between 1.01 and 1.1.5
  - From: Kostas Kalevras <kkalev@noc.ntua.gr>

Previous by Date: mssql and Freeradius
Next by Date: rlm_sql: Bug in stripping output of dynamic strings {sql:...}
Previous by Thread: Re: LDAP changes between 1.01 and 1.1.5
Next by Thread: LDAP search scope directive?
Freeradius-Users April 2007 archives indexes sorted by: [ thread ] [ subject ] [ author ] [ date ]
Freeradius-Users list archive Table of Contents
More information about the Freeradius-Users mailing list

This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.