AD Auth - problem with some chars in user's DN

Nelson Vale nelsonduvall at gmail.com
Mon Jun 7 12:29:42 CEST 2010


Hi all,


I've recently found a problem authenticating some users in AD (2003) when
the user's Distinguished Name has one or more of the following characters:
 " ' ` (double quotes, apostrophe or grave accent), using freeradius versions
2.0.2 and 2.1.9:

"...
[ldap] login attempt by "johndoe" with password "test123;"
[ldap] user DN: CN=John "The Man" Doe,OU=students,DC=domain,DC=localal
  [ldap] (re)connect to 192.168.0.73:389:389, authentication 1
  [ldap] bind as CN=John "The Man"
Doe,OU=students,DC=domain,DC=localal/test123; to 192.168.0.73:389:389
  [ldap] waiting for bind result ...
  [ldap] Bind failed with invalid credentials
..."

(the correct DN for this user is "CN=John "The Man" Doe,OU=students,DC=domain,DC=local")


The rlm_ldap module is performing the user authentication using a DN that has
two more characters than it should (the "al" at the end), and the number of
these extra characters is the same as the number of occurrences of the
characters described above.

The characters that cause this problem are the ones from the
src/lib/valuepair.c pairparsevalue() function (PW_TYPE_STRING type), and if
they are removed from there the authentication is processed successfully
(I know, if they are there, there must be some reason).

I've managed to fix this in rlm_ldap by quoting the characters in the
vp_user_dn->vp_strvalue, but I'm not sure if this will fix all the problems
that can arise from this.

Has anyone ever had such a problem? I know that it's a little unusual to
have these characters in users' names, but AD allows it ...

Thx,

Nelson Vale
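One defensive way to handle such DNs, as an added example that is not part of the post or of freeradius: escape every attribute value per RFC 4514 before assembling the bind DN, and fail closed when the result does not fit rather than binding with a mangled DN. The helper names, buffer sizes and the fixed OU/DC suffix are assumptions; the suffix is the one from the report.

```c
#include <stdio.h>
#include <string.h>

/* Escape one attribute value for an RFC 4514 string DN: backslash the DN
 * metacharacters , + " \ < > ; and a leading '#'/space or trailing space;
 * write the apostrophe and grave accent the report says rlm_ldap mangles,
 * plus control bytes, as \XX hex (valid RFC 4514 escaping for any octet).
 * Returns the output length, or -1 if out is too small (never truncates). */
static int escape_dn_value(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = strlen(in), o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        int special = strchr(",+\"\\<>;", c) != NULL;      /* c != 0 here */
        int edge = (i == 0 && (c == ' ' || c == '#')) || (i == n - 1 && c == ' ');
        int hexesc = c == '\'' || c == '`' || c < 0x20;
        size_t need = hexesc ? 3 : (special || edge) ? 2 : 1;
        if (o + need >= outlen) return -1;               /* keep room for NUL */
        if (hexesc) {
            out[o++] = '\\'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 0x0F];
        } else {
            if (special || edge) out[o++] = '\\';
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Escape into a scratch buffer and compare with the expected text. */
static int escapes_to(const char *in, const char *expected)
{
    char buf[64];
    return escape_dn_value(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

/* Build the bind DN for a CN taken from the directory (hypothetical helper;
 * the OU/DC suffix is the one in the report). Returns NULL if it does not fit
 * so the caller fails closed instead of binding with a mangled DN. */
static const char *build_bind_dn(const char *cn)
{
    static char dn[256];
    char esc[128];
    if (escape_dn_value(cn, esc, sizeof esc) < 0) return NULL;
    int w = snprintf(dn, sizeof dn, "CN=%s,OU=students,DC=domain,DC=local", esc);
    return (w < 0 || (size_t)w >= sizeof dn) ? NULL : dn;
}
```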