Hi all,<div><br></div><div><br></div><div>I've recently found a problem authenticating some users in AD (2003) when the user's Distinguished Names have one or more of the following characters: " ' ` (double quotes, apostrophe or grave accent), using freeradius 2.0.2 and 2.1.9 versions:</div>
<div><br></div><div>"...</div><div><div>[ldap] login attempt by "johndoe" with password "test123;"</div><div>[ldap] user DN: CN=John "The Man" Doe,OU=students,DC=domain,DC=localal</div><div>
[ldap] (re)connect to 192.168.0.73:389:389, authentication 1</div><div> [ldap] bind as CN=John "The Man" Doe,OU=students,DC=domain,DC=localal/test123; to 192.168.0.73:389:389</div><div> [ldap] waiting for bind result ...</div>
<div> [ldap] Bind failed with invalid credentials</div></div><div>..."</div><div><br></div><div>( the correct DN for this user is "CN=John "The Man" Doe,OU=students,DC=domain,DC=local" )</div><div>
<br></div><div><br></div><div>The rlm_ldap module is performing the user authentication using a DN that has two more characters than it should have (the "al" at the end), and the number of these extra characters is the same as the number of occurrences of the characters described above.</div>
<div><br></div><div>The characters that cause this problem are the ones from the src/lib/valuepair.c pairparsevalue() function (PW_TYPE_STRING type), and if they are removed from there the authentication will be processed successfully (I know, if they are there, there must be some reason).</div>
<div><br></div><div>I've managed to fix this in rlm_ldap by quoting the characters in the vp_user_dn->vp_strvalue, but I'm not sure if this will fix all the problems that can arise from this.</div><div><br></div>
<div>Has anyone ever had such a problem? I know that it's a little unusual to have these characters in users' names but AD allows it ...</div><div><br></div><div>Thx,</div><div><br></div><div>Nelson Vale</div>
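<div><br></div><div>An added example (not part of the original post and not FreeRADIUS code): a constructed C model of one way the symptom above can arise, an in-place unescape of \" \' \` that never re-terminates the buffer, shown next to the terminated form and a length check that catches the mismatch. That the DN reaches the parser with backslash-escaped quotes, and the names unescape_dn, dn_length_consistent and DN_BUF, are assumptions.</div>

```c
#include <stdio.h>
#include <string.h>

#define DN_BUF 254  /* constructed size, not taken from FreeRADIUS */

/* Characters the post names: double quote, apostrophe, grave accent. */
static int is_special(char c) { return c == '"' || c == '\'' || c == '`'; }

/*
 * Hypothetical unescape: copy src into dst, turning \" \' \` into the bare
 * character. With terminate == 0 it models the assumed defect: dst was
 * pre-filled with the escaped string and is never re-terminated, so one
 * stale byte survives per removed backslash. Returns the decoded length.
 */
static size_t unescape_dn(char *dst, size_t dstlen, const char *src, int terminate)
{
    size_t n = 0;

    /* Pre-fill the buffer, as a parser might do before decoding over it. */
    snprintf(dst, dstlen, "%s", src);

    while (*src && n < dstlen - 1) {
        char c = *src++;
        if (c == '\\' && is_special(*src)) c = *src++;
        dst[n++] = c;
    }
    if (terminate) dst[n] = '\0';
    return n;
}

/* Defender's check: the C string must end where the decoder says it does. */
static int dn_length_consistent(const char *dn, size_t decoded_len)
{
    return strlen(dn) == decoded_len;
}

int main(void)
{
    /* Constructed input: the DN from the post with its quotes backslash-escaped. */
    const char *in = "CN=John \\\"The Man\\\" Doe,OU=students,DC=domain,DC=local";
    char bad[DN_BUF], good[DN_BUF];
    size_t nb = unescape_dn(bad, sizeof(bad), in, 0);
    size_t ng = unescape_dn(good, sizeof(good), in, 1);

    printf("stale tail : %s (consistent=%d)\n", bad, dn_length_consistent(bad, nb));
    printf("terminated : %s (consistent=%d)\n", good, dn_length_consistent(good, ng));
    return 0;
}
```

<div>Running the length check on the DN just before the bind would flag the mismatch that otherwise only shows up as "Bind failed with invalid credentials".</div>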