Transformation of the + symbol -- FRS 3.0.11

Mark Williams martialstudy at hotmail.com
Wed Nov 2 19:38:06 CET 2016


I’m no LDAP expert, but isn’t \5c the escape for the backslash character itself? It’s almost as though FRS is attempting to hand the server \+ instead of just +?


________________________________
From: Mark Williams <martialstudy at hotmail.com>
Sent: Wednesday, November 02, 2016 2:26 PM
To: FreeRadius users mailing list
Subject: Re: Transformation of the + symbol -- FRS 3.0.11


It does have a special meaning, but the method by which FR is escaping the + character seems to have changed since version 3.0.4, and doesn’t appear to be working (in my environment at least).

If I run radtest against FRS-3.0.4 I get debug like this:

(10356) Wed Nov  Checking for suffix after "@"
(10356) Wed Nov  Looking up realm "vt.edu" for User-Name = "bob+ipad1 at vt.edu"
(10356) Wed Nov  Found realm "vt.edu"
(10356) Wed Nov  Adding Stripped-User-Name = "bob+ipad1"
(10356) Wed Nov  Adding Realm = "vt.edu"
(10356) Wed Nov  Authentication realm is LOCAL
(10356) Wed Nov  2 13:53:33 2016 : Debug:   [suffix] = ok
(10356) Wed NoNo EAP-Message, not doing EAP
(10356) Wed Nov  2 13:53:33 2016 : Debug:   [eap] = noop
(10356) Wed NovEXPAND (&(uid=%{Stripped-User-Name}))
(10356) Wed Nov   --> (&(uid=bob\2bipad1))
(10356) Wed NovEXPAND ou=People,ou=NIS,o=vt
(10356) Wed Nov   --> ou=People,ou=NIS,o=vt
(10356) Wed NovPerforming search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=bob\2bipad1))', scope 'sub'
(10356) Wed NovWaiting for search result...
(10356) Wed NovUser object found at DN "nuid=007,ou=Agents,ou=People,ou=NIS,o=vt"
(10356) Wed NovProcessing user attributes

And the corresponding OpenLDAP logs appear so:

2016-11-02T13:43:33.525988-04:00 ldap01.cns.vt.edu slapd[2685]: conn=226728 op=333 SRCH base="ou=People,ou=NIS,o=vt" scope=2 deref=0 filter="(&(uid=bob+ipad1))"
2016-11-02T13:43:33.526006-04:00 ldap01.cns.vt.edu slapd[2685]: conn=226728 op=333 SRCH attr=userPassword ntPassword prohibited
2016-11-02T13:43:33.526009-04:00 ldap01.cns.vt.edu slapd[2685]: conn=226728 op=333 SEARCH RESULT tag=101 err=0 nentries=1 text=


Running it against FRS-3.0.11 I get debug like this:

(7474379) Wed Nov  2 13:37:02 2016: Debug: suffix: Checking for suffix after "@"
(7474379) Wed Nov  2 13:37:02 2016: Debug: suffix: Looking up realm "vt.edu" for User-Name = "bob+ipad1 at vt.edu"
(7474379) Wed Nov  2 13:37:02 2016: Debug: suffix: Found realm "~vt.edu$"
(7474379) Wed Nov  2 13:37:02 2016: Debug: suffix: Adding Stripped-User-Name = "bob+ipad1"
(7474379) Wed Nov  2 13:37:02 2016: Debug: suffix: Adding Realm = "vt.edu"
(7474379) Wed Nov  2 13:37:02 2016: Debug: suffix: Authentication realm is LOCAL
(7474379) Wed Nov  2 13:37:02 2016: Debug:     [suffix] = ok
(7474379) Wed Nov  2 13:37:02 2016: Debug: eap: No EAP-Message, not doing EAP
(7474379) Wed Nov  2 13:37:02 2016: Debug:     [eap] = noop
(7474379) Wed Nov  2 13:37:02 2016: Debug:     [files] = noop
(7474379) Wed Nov  2 13:37:02 2016: Debug: ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7474379) Wed Nov  2 13:37:02 2016: Debug: ldap:    --> (uid=bob\5c2bipad1)
(7474379) Wed Nov  2 13:37:02 2016: Debug: ldap: Performing search in "ou=People,ou=NIS,o=vt" with filter "(uid=bob\5c2bipad1)", scope "sub"
(7474379) Wed Nov  2 13:37:02 2016: Debug: ldap: Waiting for search result...
(7474379) Wed Nov  2 13:37:02 2016: Debug: ldap: Search returned no results
(7474379) Wed Nov  2 13:37:02 2016: Debug:     [ldap] = notfound

And the corresponding OpenLDAP logs appear so:

2016-11-02T13:37:02.360308-04:00 midge.cns.vt.edu slapd[3369]: conn=37934 op=43 SRCH base="ou=People,ou=NIS,o=vt" scope=2 deref=0 filter="(uid=bob\5C2bipad1)"
2016-11-02T13:37:02.360550-04:00 midge.cns.vt.edu slapd[3369]: conn=37934 op=43 SRCH attr=userPassword ntPassword prohibited radiusControlAttribute radiusRequestAttribute radiusReplyAttribute
2016-11-02T13:37:02.360818-04:00 midge.cns.vt.edu slapd[3369]: conn=37934 op=43 SEARCH RESULT tag=101 err=0 nentries=0 text=

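The two debug traces above, and the follow-up about \5c being the escape for the backslash, can be reproduced outside FreeRADIUS. The following is an added example written for this archive page, not code from FreeRADIUS or OpenLDAP: a small RFC 4515 filter-value escaper, a decoder that shows what the directory server will actually compare against, and a heuristic check for the double-escaping pattern. RFC 4515 only requires `*`, `(`, `)`, `\` and NUL to be escaped in a filter value; the `extra="+"` parameter is an assumption used here to mirror FreeRADIUS's choice to escape `+` as well, which is harmless on its own. Escaping the already-escaped value a second time is what turns `\2b` into `\5c2b`.

```python
# Added example (not FreeRADIUS or OpenLDAP code): RFC 4515 filter-value
# escaping, its inverse, and a check for the double-escaped "\5cXX" pattern
# seen in the 3.0.11 debug output above.
import re

# Bytes RFC 4515 requires to be escaped inside a filter assertion value.
MUST_ESCAPE = frozenset(b"*()\\\x00")


def escape_filter_value(value: str, extra: str = "") -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515).

    `extra` (an assumption for this example) lists additional characters to
    escape; passing "+" mimics what FreeRADIUS does with the + character.
    Control bytes and non-ASCII UTF-8 bytes are also hex-escaped.
    """
    extra_bytes = set(extra.encode("utf-8"))
    out = []
    for b in value.encode("utf-8"):
        if b in MUST_ESCAPE or b in extra_bytes or b < 0x20 or b >= 0x7F:
            out.append(f"\\{b:02x}")
        else:
            out.append(chr(b))
    return "".join(out)


_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def decode_filter_value(escaped: str) -> str:
    """Undo RFC 4515 escaping: the literal value the server matches against."""
    raw = bytearray()
    i = 0
    while i < len(escaped):
        m = _HEX_ESCAPE.match(escaped, i)
        if m:
            raw.append(int(m.group(1), 16))
            i = m.end()
        else:
            raw.extend(escaped[i].encode("utf-8"))  # unescaped char passes through
            i += 1
    return raw.decode("utf-8")


def double_escaped(value: str, extra: str = "") -> str:
    """Escape twice: the failure mode visible in the 3.0.11 trace above.

    The backslash introduced by the first pass is itself escaped (0x5c) by
    the second pass, so "+" ends up as "\\5c2b" instead of "\\2b".
    """
    return escape_filter_value(escape_filter_value(value, extra))


def looks_double_escaped(escaped: str) -> bool:
    """Heuristic for spotting double escaping in a filter string or slapd log.

    A literal backslash followed by two hex digits ("\\5c2b") almost always
    means an escaper ran twice; a genuine uid containing a backslash followed
    by hex-looking text would be a false positive, so treat this as a hint.
    """
    return re.search(r"\\5[cC][0-9A-Fa-f]{2}", escaped) is not None


def build_uid_filter(username: str, extra: str = "") -> str:
    """Build the (uid=...) filter the ldap module would send for a user."""
    return f"(uid={escape_filter_value(username, extra)})"


if __name__ == "__main__":
    # Constructed sample: the user name from the thread.
    user = "bob+ipad1"
    good = build_uid_filter(user, extra="+")        # (uid=bob\2bipad1)  -> matches
    bad = f"(uid={double_escaped(user, extra='+')})"  # (uid=bob\5c2bipad1) -> no match
    for f in (good, bad):
        value = f[len("(uid="):-1]
        print(f"{f:25s} server compares uid against {decode_filter_value(value)!r}"
              f"{'  <-- double-escaped' if looks_double_escaped(value) else ''}")
```

The quickest confirmation in practice is the one already visible in the slapd logs above: the `filter=` field shows exactly what the server received, and `nentries=0` for `(uid=bob\5C2bipad1)` against `nentries=1` for `(uid=bob+ipad1)` is the difference between matching `bob+ipad1` and matching a uid that literally contains a backslash.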


________________________________
From: Freeradius-Users <freeradius-users-bounces+martialstudy=hotmail.com at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: Tuesday, October 18, 2016 2:05 PM
To: FreeRadius users mailing list
Subject: Re: Transformation of the + symbol -- FRS 3.0.11

On Oct 18, 2016, at 10:44 AM, Mark Williams <martialstudy at hotmail.com> wrote:
>
> Any idea why the + symbol is being transformed in the ldap filter? Should I be using a different syntax for the attribute substitution?

  The + character has special meaning in LDAP.  As such, it's escaped.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
