UserDN escape problem and Group membership checking in 3.0.3
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Nov 20 05:31:34 CET 2014
> On 19 Nov 2014, at 17:07, Winders, Timothy A <twinders at southplainscollege.edu> wrote:
>
>
> On 11/19/14, 3:57 PM, "Arran Cudbard-Bell" <a.cudbardb at freeradius.org>
> wrote:
>>
>> Alan and I just discussed this offline, and we think we've determined the
>> correct fix.
>>
>> The issue is with the string expansion code. When it finds an attribute
>> expansion in the string such as %{control:Ldap-UserDN}, it tries to make
>> it safe by escaping chars with special meanings like \r \n \.
>>
>> It does this *even* if an escaping callback is provided by the module
>> wanting to do the string expansion.
>>
>> So before the LDAP escape function ever gets the string
>> "CN=Winders\, Tim" it has become "CN=winders\\, Tim".
>>
>> Which then gets encoded to "CN\3dWinders\5c\5c\2c Tim".
>>
>> The fix appears to be, to hand off escaping completely to the escape
>> function if one is set by the module, and to do the normal escaping
>> otherwise.
>>
>> I'll add a fix, but it'll probably go into 3.0.6 as this may change other
>> behaviour.
>>
>> -- Regarding liveness of zip files, that one will be the HEAD of the repo.
>> -- Regarding building debs 'make deb'
>>
>
> You guys rock!
>
> I'm happy with the current solution and will be looking for the 3.0.6
> release for the complete fix!
Ok, pushed the fix. If you can confirm it works tomorrow,
we can probably sneak it in 3.0.5.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
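
The double escaping described in the quoted message, and the hand-off fix, as an added example that is not FreeRADIUS code and not part of the original thread. The function names, the `handoff` switch and the set of characters the LDAP stand-in encodes are assumptions made for illustration; the DN value is the one quoted above.

```c
#include <stdio.h>
#include <string.h>

typedef size_t (*escape_fn)(char *out, size_t outlen, const char *in);
/* Stand-in for the expansion code's own escaping (\r, \n and \ only). */
static size_t generic_escape(char *out, size_t outlen, const char *in)
{
    size_t n = 0;
    for (; *in && n + 3 <= outlen; in++) {
        char c = (*in == '\r') ? 'r' : (*in == '\n') ? 'n' : (*in == '\\') ? '\\' : 0;
        if (c) out[n++] = '\\';
        out[n++] = c ? c : *in;
    }
    out[n] = '\0';
    return n;
}

/* Stand-in for the LDAP module's callback; the character set is assumed. */
static size_t ldap_escape(char *out, size_t outlen, const char *in)
{
    size_t n = 0;
    for (; *in && n + 4 <= outlen; in++) {
        if (strchr(",+\"\\<>;*=()", *in))
            n += (size_t)snprintf(out + n, outlen - n, "\\%02x", (unsigned char)*in);
        else
            out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}

/* handoff == 0: generic escaping always runs first (behaviour in the thread).
 * handoff == 1: a module callback, when set, does all of the escaping. */
static size_t expand_value(char *out, size_t outlen, const char *value, escape_fn esc, int handoff)
{
    char tmp[256];
    if (!esc) return generic_escape(out, outlen, value);
    if (handoff) return esc(out, outlen, value);
    generic_escape(tmp, sizeof(tmp), value);
    return esc(out, outlen, tmp);
}

int main(void)
{
    char before[256], after[256];
    expand_value(before, sizeof(before), "CN=Winders\\, Tim", ldap_escape, 0);
    expand_value(after, sizeof(after), "CN=Winders\\, Tim", ldap_escape, 1);
    printf("before: %s\nafter:  %s\n", before, after);
    return 0;
}
```

With `handoff` set, the backslash in the DN is encoded once (`\5c`) instead of twice, so the value no longer differs from the directory entry it is meant to match.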