AD Auth - problem with some chars in user's DN
Hi all, I've recently found a problem authenticating some users in AD (2003) when the user's Distinguish Names have one or more of the following characters: " ' ` (double quotes, apostrophe or grave accent), using freeradius 2.0.2 and 2.1.9 versions: "... [ldap] login attempt by "johndoe" with password "test123;" [ldap] user DN: CN=John "The Man" Doe,OU=students,DC=domain,DC=localal [ldap] (re)connect to 192.168.0.73:389:389, authentication 1 [ldap] bind as CN=John "The Man" Doe,OU=students,DC=domain,DC=localal/test123; to 192.168.0.73:389:389 [ldap] waiting for bind result ... [ldap] Bind failed with invalid credentials ..." ( the correct DN for this user is "CN=John "The Man" Doe,OU=students,DC=domain,DC=local" ) The rlm_ldap module is performing the user authentication using a DN that as two more characters as it should be (the "al" in the end), and the number of these extra characters is the same as the number of the occurrences of the characters described above. The characters that cause this problem are the ones from the src/lib/valuepair.c pairparsevalue() function (PW_TYPE_STRING type), and if they are removed from there the authentication will be processed successfully ( I know, if they are there there must be some reason ). I've managed to fix this in rlm_ldap by quoting the characters in the vp_user_dn->vp_strvalue, but I'm not sure if this will fix all the problems that can arise from this. Have anyone ever had such a problem? I know that it's a little unusual to have these characters in user's names but AD allows it ... Thx, Nelson Vale
Sorry, the problem occurs only with the " (double quotes) character and not to the other two characters. 2010/6/7 Nelson Vale <nelsonduvall@gmail.com>
Hi all,
I've recently found a problem authenticating some users in AD (2003) when the user's Distinguish Names have one or more of the following characters: " ' ` (double quotes, apostrophe or grave accent), using freeradius 2.0.2 and 2.1.9 versions:
"... [ldap] login attempt by "johndoe" with password "test123;" [ldap] user DN: CN=John "The Man" Doe,OU=students,DC=domain,DC=localal [ldap] (re)connect to 192.168.0.73:389:389, authentication 1 [ldap] bind as CN=John "The Man" Doe,OU=students,DC=domain,DC=localal/test123; to 192.168.0.73:389:389 [ldap] waiting for bind result ... [ldap] Bind failed with invalid credentials ..."
( the correct DN for this user is "CN=John "The Man" Doe,OU=students,DC=domain,DC=local" )
The rlm_ldap module is performing the user authentication using a DN that as two more characters as it should be (the "al" in the end), and the number of these extra characters is the same as the number of the occurrences of the characters described above.
The characters that cause this problem are the ones from the src/lib/valuepair.c pairparsevalue() function (PW_TYPE_STRING type), and if they are removed from there the authentication will be processed successfully ( I know, if they are there there must be some reason ).
I've managed to fix this in rlm_ldap by quoting the characters in the vp_user_dn->vp_strvalue, but I'm not sure if this will fix all the problems that can arise from this.
Have anyone ever had such a problem? I know that it's a little unusual to have these characters in user's names but AD allows it ...
Thx,
Nelson Vale
2010/6/9 Alan DeKok <aland@deployingradius.com>
Nelson Vale wrote:
Sorry, the problem occurs only with the " (double quotes) character and not to the other two characters.
Try re-building from git.freeradius.org, branch v2.1.x. There's a fix which should help.
The user's DN is OK now (no extra characters), but the ldap authentication still doesn't work. I think the problem is that double quotes must be escaped before sent to AD.
In my fix in rlm_ldap (test purpose only), I did just that before assigning the vp_user_dn->vp_strvalue value to user_dn in ldap_authenticate() and it works OK. "... +- entering group LDAP {...} [ldap] login attempt by "xavez" with password "test123;" [ldap] user DN: CN=Carlos "xpto". Chavez,OU=students,DC=domain,DC=local [ldap] (re)connect to 192.168.0.73:389:389, authentication 1 [ldap] bind as CN=Carlos "xpto". Chavez,OU=students,DC=domain,DC=local/test123; to 192.168.0.73:389 :389 [ldap] waiting for bind result ... [ldap] Bind failed with invalid credentials ++[ldap] returns reject Failed to authenticate the user. ..." Escaping the double quotes: "... [ldap] login attempt by "xavez" with password "test123;" [ldap] user DN: CN=Carlos \"xpto\". Chavez,OU=students,DC=domain,DC=local [ldap] (re)connect to 192.168.0.73:389:389, authentication 1 [ldap] bind as CN=Carlos \"xpto\". Chavez,OU=students,DC=domain,DC=local/test123; to 192.168.0.73:389 :389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user xavez authenticated succesfully ++[ldap] returns ok ..."
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nelson Vale wrote:
The user's DN is OK now (no extra characters), but the ldap authentication still doesn't work. I think the problem is that double quotes must be escaped before sent to AD.
OK.
In my fix in rlm_ldap (test purpose only), I did just that before assigning the vp_user_dn->vp_strvalue value to user_dn in ldap_authenticate() and it works OK.
OK. The issue is that the value of the attribute is used *directly*. It's really the responsibility of the RADIUS server to pass the correct data to the LDAP query. i.e. rather than: perform_search(... vp_user_dn->vp_strvalue ...) it should do: char buffer[1024]; vp_print(buffer, sizeof(buffer), vp_user_dn->vp_strvalue); perform_search(... buffer ..) That is what your fix seems to do, and is the right thing to do. Alan DeKok.
participants (2)
-
Alan DeKok -
Nelson Vale