Qin Zhen wrote:
when i trys to login with username 'james*', ldap_escape_fun acctually converts it into 'james\2a\2a\2a\2a\2a\2a...', but the radius debug mode still shows Debug: rlm_ldap:performing search in dc=sg, o=company, with filter (&objectclass=radiusprofile)(userlogin=james)) that measn ldap still search based on filter 'userlogin=james' and ignores those '\2a\2a\2a' followed, and hence it finds the username 'james' from ldap and allows the user to login. is it the way lastest freeradius supposed to be?
No, it's a known bug in FreeRADIUS 1.0.5. That's why I told you earlier to get a fixed version in CVS.
if user james can use 'james*' or 'james\\' to login as usual, isnt it unsecure?
I think "james*" (without escaping) in a LDAP filter is insecure, it may disclose informations about other users named "jamesfoo" or "jamesbar" ... -- Nicolas Baradakis