FreeRADIUS 3.0.25 with a singe backslash in user's password
Hi, I noticed some authentication issues recently and saw that it is due to people using backslash \ in their passwords. If there is a single backslash in the password, then FreeRADIUS adds another backslash to it and hence the authentication is rejected. I have: In LDAP module, update { control:My-Raw-Password += 'User-Password' } Then in authorize, ntlm_auth.authorize { if (!control:Auth-Type && User-Password) { update control { User-Password := "%{string:control:My-Raw-Password}" Auth-Type := ntlm_auth } } } I searched several posts in this mailing list but I couldn't get it. Could you please let me know how to parse the backslash as backslash and not to add any extra backslash? Thank you. Regards, BurnZero
On Dec 3, 2021, at 2:42 AM, Burn Zero <burnzerog@gmail.com> wrote:
I noticed some authentication issues recently and saw that it is due to people using backslash \ in their passwords. If there is a single backslash in the password, then FreeRADIUS adds another backslash to it and hence the authentication is rejected.
That's not quite what happens.
I have:
In LDAP module,
update { control:My-Raw-Password += 'User-Password' }
I suspect this isn't what's actually there. Instead of pasting the exact string, you've re-typed it. These are computers. Details matter.
Then in authorize,
ntlm_auth.authorize { if (!control:Auth-Type && User-Password) { update control { User-Password := "%{string:control:My-Raw-Password}" Auth-Type := ntlm_auth }
I have no idea why you're doing this. It's not necessary. If the password is in LDAP, it can be checked via LDAP. You don't need ntlm_auth.
I searched several posts in this mailing list but I couldn't get it. Could you please let me know how to parse the backslash as backslash and not to add any extra backslash?
Don't use ntlm_auth. Use ldap as it was intended. It works. Alan DeKok.
participants (2)
-
Alan DeKok -
Burn Zero