question on ldap_escape_func in rlm_ldap.c
Nicolas Baradakis
nbk at sitadelle.com
Wed Dec 7 16:21:16 CET 2005
Qin Zhen wrote:
> when I try to login with username 'james*', ldap_escape_func actually
> converts it into 'james\2a\2a\2a\2a\2a\2a...', but the radius debug mode
> still shows
> Debug: rlm_ldap:performing search in dc=sg, o=company, with filter
> (&objectclass=radiusprofile)(userlogin=james))
> that means ldap still searches based on filter 'userlogin=james' and ignores
> those '\2a\2a\2a' that follow, and hence it finds the username 'james' from
> ldap and allows the user to login.
> is it the way the latest freeradius is supposed to be?
No, it's a known bug in FreeRADIUS 1.0.5. That's why I told you
earlier to get a fixed version in CVS.
> if user james can use 'james*' or 'james\\' to login as usual, isn't it
> insecure?
I think "james*" (without escaping) in an LDAP filter is insecure;
it may disclose information about other users named "jamesfoo"
or "jamesbar" ...
--
Nicolas Baradakis
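
Added example, not part of the original messages and not FreeRADIUS code: a filter-value escaper that turns '*' into '\2a' as described in the thread and rejects a value that does not fit its buffer instead of searching with a shortened one. The names filter_escape and build_filter, the 64-byte limit, and the balanced form of the filter from the debug line are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not FreeRADIUS code; function names are hypothetical.
 * Escapes an untrusted value for an LDAP filter (RFC 4515). Returns the
 * escaped length, or -1 (and an empty string) if it does not fit. */
static int filter_escape(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\');
        if (o + (special ? 3 : 1) >= outlen) {  /* keep a byte for NUL */
            out[0] = '\0';
            return -1;
        }
        if (special) {              /* '*' -> \2a, backslash -> \5c */
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Builds the filter seen in the debug line; fails closed instead of
 * searching with a truncated value. esc[64] is an assumed limit. */
static int build_filter(const char *user, char *filter, size_t len)
{
    char esc[64];
    int n;
    if (len == 0) return -1;
    filter[0] = '\0';
    if (filter_escape(user, esc, sizeof(esc)) < 0) return -1;
    n = snprintf(filter, len,
                 "(&(objectclass=radiusprofile)(userlogin=%s))", esc);
    if (n < 0 || (size_t)n >= len) { filter[0] = '\0'; return -1; }
    return n;
}

int main(void)
{
    char f[128];
    return build_filter("james*", f, sizeof(f)) > 0 && puts(f) >= 0 ? 0 : 1;
}
```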