PEAP with LDAP Cleartext Password including backslash

kaoru eto etokaoru.frml at gmail.com
Thu Jun 28 02:27:36 CEST 2018


Thank you, Alan.

>  You can map the LDAP password to a RADIUS attribute of type "octets".  It will then be copied verbatim.
>
>  Then, copy that attribute to Cleartext-Password.  I *think* it will work.

I'll try it.

etokaoru

2018-06-28 6:01 GMT+09:00 Alan DeKok <aland at deployingradius.com>:
> On Jun 27, 2018, at 3:25 AM, kaoru eto <etokaoru.frml at gmail.com> wrote:
>> I am trying to use backslash in userPassword like 'Pass\100word'.
>
>   Unfortunately, a bare backslash isn't really supported.  The server needs backslashes in order to escape *other* special characters in the password.
>
>   e.g. quotation marks.
>
>> 3.what you expect the server to do
>>
>> Access-Accept with password 'Pass\100word'.
>> Access-Reject with password 'Pass at word'.
>
>   Because "\100" is ASCII "@".
>
>> I tried changing single backslash 'Pass\100word' to double backslash
>> 'Pass\\100word' on the LDAP server, and got Access-Accept with
>> password 'Pass\100word'.
>
>   That's how it works.
>
>> But, we hardly control this problem by changing the userPassword
>> attribute rules of LDAP server, because other systems which we can not
>> control use the same LDAP server.
>>
>> Is there any workaround in freeradius configurations?
>
>   You can map the LDAP password to a RADIUS attribute of type "octets".  It will then be copied verbatim.
>
>   Then, copy that attribute to Cleartext-Password.  I *think* it will work.
>
>   Edit raddb/dictionary, and add:
>
> ATTRIBUTE My-Raw-Password 3003 octets
>
> e.g. edit raddb/mods-enabled/ldap
>
>   Replace:
>
>                 control:Password-With-Header    += 'userPassword'
>
>   With:
>
>                 control:My-Raw-Password         += 'userPassword'
>
>   And then in the "authorize" section, after "ldap", do:
>
>         if (control:My-Raw-Password) {
>                 update control {
>                         Cleartext-Password := &My-Raw-Password
>                 }
>         }
>
>   That should copy it over without escaping the backslash.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
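Added example (not part of the thread, and not FreeRADIUS's own code): a small Python model of the two mapping paths Alan describes. The `unescape_radius_string` function is an assumed, simplified approximation of backslash handling for a string-typed attribute value, covering only the escapes the thread mentions (`\ooo` octal, `\\`, and an escaped quote); the stored and supplied passwords are constructed values. It shows why a single backslash in `userPassword` makes the server accept `Pass@word` and reject `Pass\100word`, and why copying the value through an `octets` attribute avoids the problem without touching the LDAP data.

```python
import re

# Constructed values modelling the scenario in the thread.
LDAP_STORED = r"Pass\100word"           # userPassword with a single backslash
LDAP_STORED_DOUBLED = r"Pass\\100word"  # the doubled-backslash workaround in LDAP
SUPPLIED_CORRECT = r"Pass\100word"      # what the user really types
SUPPLIED_WRONG = "Pass@word"            # should be rejected

OCTAL = re.compile(r"[0-7]{3}")


def unescape_radius_string(s: str) -> str:
    """Simplified model (assumption, not FreeRADIUS's parser) of how a
    backslash-escaped string value is interpreted:
      \\ooo -> byte with octal value ooo   ("\\100" becomes "@")
      \\\\  -> one literal backslash
      \\"   -> one literal double quote
    Any other backslash is passed through unchanged."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            m = OCTAL.match(s, i + 1)
            if m:
                out.append(chr(int(m.group(0), 8)))
                i += 4
                continue
            if s[i + 1] in ("\\", '"'):
                out.append(s[i + 1])
                i += 2
                continue
        out.append(s[i])
        i += 1
    return "".join(out)


def effective_cleartext(stored: str, raw_octets: bool) -> str:
    """Cleartext-Password the server ends up comparing against.

    raw_octets=False models mapping userPassword into a string-typed
    attribute (escapes are interpreted); raw_octets=True models the
    'octets' attribute copied verbatim into Cleartext-Password."""
    if raw_octets:
        return stored
    return unescape_radius_string(stored)


def authenticate(stored: str, supplied: str, raw_octets: bool) -> str:
    """Return the RADIUS result for a cleartext comparison."""
    if effective_cleartext(stored, raw_octets) == supplied:
        return "Access-Accept"
    return "Access-Reject"


if __name__ == "__main__":
    for raw in (False, True):
        mapping = "octets (verbatim)" if raw else "string (escapes interpreted)"
        print(f"mapping: {mapping}")
        for supplied in (SUPPLIED_CORRECT, SUPPLIED_WRONG):
            print(f"  {supplied!r:18} -> {authenticate(LDAP_STORED, supplied, raw)}")
    print("doubled backslash in LDAP, string mapping, correct password ->",
          authenticate(LDAP_STORED_DOUBLED, SUPPLIED_CORRECT, raw_octets=False))
```

With the string mapping, `Pass@word` is accepted and the real password rejected, matching the behaviour reported at the top of the thread; with the octets mapping, only the real password is accepted. A practical check after applying Alan's configuration change is to run the server in debug mode and confirm that the `Cleartext-Password` value shown in the `control` list still contains the single backslash rather than `@`.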
