On Sep 7, 2018, at 4:13 AM, Kostas Zorbadelos <kzorba@otenet.gr> wrote:
just finished a project upgrading a big authentication infrastructure from freeradius 2.2.X to 3.0.17. I face a problem with very few users whose passwords end in '\'. They used to work in freeradius 2.
We fixed all of the handling of the backslash character in v3. Before that, it was random and inconsistent. Now, the rules are the same as for shells. Which is what people are used to, and what makes sense.
Debugging output (stripping the sensitive information):
kzorba@system(0)[10:19 AM]~/radius->cat test_kzorba1.txt User-Name = kzorba1@otenet.gr NAS-Port-Type = xDSL User-Password = test123\
i.e. User-Password = "test123\" Which for shells, is an invalid quoted string. So, it's invalid here.
NAS-Port-Id ="#DSLAM PORT DESCRIPTION HERE#" Calling-Station-Id = "BNG INTERFACE # DSLAM PORT DESCRIPTION" NAS-Port = 12234455
using freeradius 3.0.17 radclient:
kzorba@system(0)[10:26 AM]~/radius->/opt/freeradius3-auth/bin/radclient -f test_kzorba1.txt -x localhost:1812 auth XXXXX (0) Error parsing "test_kzorba1.txt": Invalid escape at end of string radclient: Failed parsing input files
Exactly.
With radclient 3.0.17 I needed to add an extra \ at the end of the User-Password to send the request. No Cleartext-Password is set.
Yes. That's the normal rule for double-quoted strings. Cleartext-Password is for the server. If you set it in radclient, it will be ignored.
Independent of which radclient is used, the server has the same behavior demonstrated in the following debug (using radmin in production, excellent feature by the way)
The server works, and will accept backslashes in passwords.
(13592044) Fri Sep 7 10:22:40 2018: WARNING: ldap_1: Failed parsing value "test123\\" for attribute Cleartext-Password: Invalid escape at end of string
Yes, the same rules for double quoted strings apply here.
In the ldap entry of the user, the password is stored with a (single) ending '\'.
Here is the relevant config of the ldap module in my case (again sensitive information stripped)
Please don't post module config to the list. We don't need it. See: http://wiki.freeadius.org/list-help
Is this a bug (looks like to me), feature, or am I missing something?
It's *fixing* a bug.
Could I do something with unlang, or in the ldap module config in this case?
Map the LDAP userPassword attribute to a binary attribute, e.g. Tmp-Octets-0. Then, copy that to Cleartext-Password: ldap if (control:Tmp-Octets-0) { update control { Cleartext-Password := &control:Tmp-Octets-0 } } Alan DeKok.