On Jun 27, 2018, at 3:25 AM, kaoru eto <etokaoru.frml@gmail.com> wrote:
I am trying to use backslash in userPassword like 'Pass\100word'.
Unfortunately, a bare backslash isn't really supported. The server needs backslashes in order to escape *other* special characters in the password. e.g. quotation marks.
3.what you expect the server to do
Access-Accept with password 'Pass\100word'. Access-Reject with password 'Pass@word'.
Because "\100" is ASCII "@".
I tried changing single backslash 'Pass\100word' to double backslash 'Pass\\100word' on the LDAP server, and got Access-Accept with password 'Pass\100word'.
That's how it works.
But, we hardly control this problem by changing the userPassword attribute rules of LDAP server, because other systems which we can not control use the same LDAP server.
Is there any workaround in freeradius configurations?
You can map the LDAP password to a RADIUS attribute of type "octets". It will then the copied verbatim. Then, copy that attribute to Cleartext-Password. I *think* it will work. Edit raddb/dictionary, and add: ATTRIBUTE My-Raw-Password 3003 octets e.g. edit raddb/mods-enabled/ldap Replace: control:Password-With-Header += 'userPassword' With: control:My-Raw-Password += 'userPassword' And then in the "authorize" section, after "ldap", do: if (control:My-Raw-Password) { update control { Cleartext-Password := &My-Raw-Password } } That should copy it over without escaping the backslash. Alan DeKok.