AD Auth - problem with some chars in user's DN
Nelson Vale
nelsonduvall at gmail.com
Wed Jun 9 15:28:41 CEST 2010
2010/6/9 Alan DeKok <aland at deployingradius.com>
> Nelson Vale wrote:
> > Sorry, the problem occurs only with the " (double quotes) character and
> > not to the other two characters.
>
> Try re-building from git.freeradius.org, branch v2.1.x. There's a fix
> which should help.
>
The user's DN is OK now (no extra characters), but the LDAP authentication
still doesn't work. I think the problem is that double quotes must be
escaped before being sent to AD.
In my fix in rlm_ldap (for test purposes only), I did just that before assigning
the vp_user_dn->vp_strvalue value to user_dn in ldap_authenticate(), and it
works OK.
"...
+- entering group LDAP {...}
[ldap] login attempt by "xavez" with password "test123;"
[ldap] user DN: CN=Carlos "xpto". Chavez,OU=students,DC=domain,DC=local
[ldap] (re)connect to 192.168.0.73:389:389, authentication 1
[ldap] bind as CN=Carlos "xpto". Chavez,OU=students,DC=domain,DC=local/test123; to 192.168.0.73:389:389
[ldap] waiting for bind result ...
[ldap] Bind failed with invalid credentials
++[ldap] returns reject
Failed to authenticate the user.
..."
Escaping the double quotes:
"...
[ldap] login attempt by "xavez" with password "test123;"
[ldap] user DN: CN=Carlos \"xpto\". Chavez,OU=students,DC=domain,DC=local
[ldap] (re)connect to 192.168.0.73:389:389, authentication 1
[ldap] bind as CN=Carlos \"xpto\". Chavez,OU=students,DC=domain,DC=local/test123; to 192.168.0.73:389:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user xavez authenticated succesfully
++[ldap] returns ok
..."
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
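The escaping the thread is about is the RFC 4514 rule for attribute values inside a string DN: `"`, `+`, `,`, `;`, `<`, `>`, `\` and `=` must be backslash-escaped anywhere in the value, and a leading `#` or space and a trailing space must be escaped as well. The following is an added example that reproduces the two "bind as" lines above from the raw CN; it is not rlm_ldap code and not the poster's patch, and the function names `ldap_escape_dn_value` and `ldap_build_bind_dn`, the buffer sizes and the sample CN/base strings are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Characters that RFC 4514 (section 2.4) requires to be escaped when they
 * appear anywhere inside the value part of an RDN ("CN=<value>").
 * A leading '#' or space and a trailing space are handled separately below.
 */
static int dn_char_needs_escape(char c)
{
    return c == '"' || c == '+' || c == ',' || c == ';' ||
           c == '<' || c == '>' || c == '\\' || c == '=';
}

/*
 * Escape one attribute value for use inside a string DN.
 * Returns the length of the escaped value (excluding the terminating NUL),
 * or -1 if 'out' is too small: the caller must treat that as an error
 * rather than bind with a silently truncated DN.
 */
int ldap_escape_dn_value(const char *in, char *out, size_t outlen)
{
    size_t len = strlen(in);
    size_t n = 0;

    if (outlen == 0) return -1;

    for (size_t i = 0; i < len; i++) {
        char c = in[i];
        int escape = dn_char_needs_escape(c) ||
                     (i == 0 && (c == ' ' || c == '#')) ||
                     (i == len - 1 && c == ' ');

        if (escape) {
            if (n + 2 >= outlen) return -1;
            out[n++] = '\\';
            out[n++] = c;
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = c;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/*
 * Assemble "<attr>=<escaped value>,<base>" for a bind. Returns 0 on success,
 * -1 if the result does not fit. 'base' is assumed to be a DN that is
 * already in RFC 4514 form, so it is deliberately not escaped a second time.
 */
int ldap_build_bind_dn(const char *attr, const char *value, const char *base,
                       char *out, size_t outlen)
{
    char escaped[512];
    int n;

    if (ldap_escape_dn_value(value, escaped, sizeof escaped) < 0) return -1;
    n = snprintf(out, outlen, "%s=%s,%s", attr, escaped, base);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

int main(void)
{
    /* Constructed input: the CN from the log above, with its unescaped quotes. */
    const char *cn   = "Carlos \"xpto\". Chavez";
    const char *base = "OU=students,DC=domain,DC=local";
    char dn[256];

    if (ldap_build_bind_dn("CN", cn, base, dn, sizeof dn) != 0) {
        fprintf(stderr, "DN does not fit\n");
        return 1;
    }
    /* prints: bind as CN=Carlos \"xpto\". Chavez,OU=students,DC=domain,DC=local */
    printf("bind as %s\n", dn);
    return 0;
}
```

Two caveats when applying this to a module like rlm_ldap: escape a value only once (a DN returned by the server is normally already in RFC 4514 form, and escaping it again produces a DN that also fails to bind), and do not reuse this routine for search filters, which follow RFC 4515 and escape a different set of characters (`*`, `(`, `)`, `\`, NUL) in `\XX` hex form.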