PEAP with LDAP Cleartext Password including backslash

Alan DeKok aland at
Wed Jun 27 23:01:38 CEST 2018

On Jun 27, 2018, at 3:25 AM, kaoru eto <etokaoru.frml at> wrote:
> I am trying to use backslash in userPassword like 'Pass\100word'.

  Unfortunately, a bare backslash isn't really supported.  The server needs backslashes in order to escape *other* special characters in the password.

  e.g. quotation marks.

> 3.what you expect the server to do
> Access-Accept with password 'Pass\100word'.
> Access-Reject with password 'Pass at word'.

  Because "\100" is ASCII "@".

> I tried changing single backslash 'Pass\100word' to double backslash
> 'Pass\\100word' on the LDAP server, and got Access-Accept with
> password 'Pass\100word'.

  That's how it works.

> But, we hardly control this problem by changing the userPassword
> attribute rules of LDAP server, because other systems which we can not
> control use the same LDAP server.
> Is there any workaround in freeradius configurations?

  You can map the LDAP password to a RADIUS attribute of type "octets".  It will then the copied verbatim.

  Then, copy that attribute to Cleartext-Password.  I *think* it will work.

  Edit raddb/dictionary, and add:

ATTRIBUTE My-Raw-Password 3003 octets

e.g. edit raddb/mods-enabled/ldap


		control:Password-With-Header	+= 'userPassword'


		control:My-Raw-Password		+= 'userPassword'

  And then in the "authorize" section, after "ldap", do:

	if (control:My-Raw-Password) {
		update control {
			Cleartext-Password := &My-Raw-Password

  That should copy it over without escaping the backslash.

  Alan DeKok.

More information about the Freeradius-Users mailing list