question on ldap_escape_func in rlm_ldap.c

Nicolas Baradakis nbk at sitadelle.com
Wed Dec 7 11:51:48 CET 2005


Qin Zhen wrote:

> I couldn't figure out what the change intends to do. Is it to
> filter out '*', '\\', '()' and '=' from the username? And why should it
> be done that way? Please help me. Thanks a lot in advance.

The function ldap_escape_func() filters all LDAP-specific characters
from RFC 2254. This prevents LDAP injection attacks.

BTW there's a known bug in this function; you can get a fixed version
here (the patch will be included in the next release):

http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_ldap/rlm_ldap.c?rev=1.122.2.8

-- 
Nicolas Baradakis
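As an added illustration of the RFC 2254 filter escaping the reply refers to (this is not the rlm_ldap.c code itself, and the function name ldap_filter_escape is made up for the example), a stand-alone routine that escapes the filter metacharacters and refuses to overrun its output buffer:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Escape a value for use inside an LDAP search filter, following the
 * RFC 2254 section 4 rules: '*', '(', ')' and '\' are replaced by a
 * backslash followed by the two-digit hex code of the byte (RFC 2254
 * also lists NUL, which cannot occur inside a C string, so it is not
 * handled here). Hypothetical example code, not FreeRADIUS's
 * ldap_escape_func().
 *
 * Returns the number of bytes written (excluding the terminating NUL),
 * or -1 if the output buffer cannot hold the escaped result.
 */
static int ldap_filter_escape(char *out, size_t outlen, const char *in)
{
    static const char hex[] = "0123456789abcdef";
    size_t used = 0;

    if (outlen == 0) return -1;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;

        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            /* "\xx" needs 3 bytes, plus room for the trailing NUL. */
            if (used + 3 >= outlen) return -1;
            out[used++] = '\\';
            out[used++] = hex[c >> 4];
            out[used++] = hex[c & 0x0f];
        } else {
            if (used + 1 >= outlen) return -1;
            out[used++] = (char)c;
        }
    }
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    char buf[64];
    /* Constructed sample input containing every escaped metacharacter. */
    const char *value = "a*b(c)\\d";
    int n = ldap_filter_escape(buf, sizeof(buf), value);

    printf("escaped %d bytes: (uid=%s)\n", n, buf);
    return n < 0;
}
```

Attribute values that reach the filter (a username, for instance) are passed through this routine before being concatenated into the filter string, so a stray '*' or ')' is matched literally instead of changing the filter's structure.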