Receiving a full DN in a radius request
Nicolas Baradakis
nbk at sitadelle.com
Thu Sep 15 15:43:05 CEST 2005
Jean-Francois Gobin wrote:
> From the preceding, preceding mail, you should have seen that %{User-Name}
> is equal to something like "uid=P0..., o=nrb, c=be" ... which is what I
> want to have checked against the LDAP.
>
> For now, when I implement your suggestion, I just come out with
> "checking for dn=o=nrb,c=be, (uid=uid)", which corresponds to the
> truncating of my requesting DN.

I indeed found a bug in function ldap_escape_func(). However, after
fixing the function I get the following line in my logs, which is
still an invalid LDAP filter.

rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with filter (uid\3dP06227\2cou\3dpeople\2co\3dnrb\2cc\3dbe)

This is not a bug: user-supplied strings are escaped from unsafe
characters.

In your case, I'd suggest rewriting the User-Name to "P06227" with
the module rlm_attr_rewrite and using the filter "(uid=%{User-Name})"
in rlm_ldap.

--
Nicolas Baradakis
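
Added example (not part of the original message and not FreeRADIUS code): a small C sketch of why the escaped DN in the log line above can never match a uid, and of reducing the name to its uid before building the filter. The function names are hypothetical, the escape set is an assumption chosen to match the log line, and the sample User-Name is reconstructed from that log line.

```c
#include <stdio.h>
#include <string.h>

/* Assumed escape set: RFC 4515 filter specials plus '=' and ',', which the
 * log line above shows being escaped. Not copied from rlm_ldap. */
static const char UNSAFE[] = "*()\\=,";

/* Hex-escape unsafe bytes of in into out; returns length, or -1 if too small. */
int escape_filter_value(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = strchr(UNSAFE, c) ? 3 : 1;
        if (n + need >= outlen) return -1;      /* keep room for the NUL */
        if (need == 3) n += (size_t)snprintf(out + n, outlen - n, "\\%02x", (unsigned)c);
        else out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Copy the value of a leading "attr=" RDN (case-sensitive match, for brevity). */
int leading_rdn_value(const char *name, const char *attr, char *out, size_t outlen) {
    size_t alen = strlen(attr);
    if (strncmp(name, attr, alen) != 0 || name[alen] != '=') return -1;
    const char *val = name + alen + 1;
    size_t vlen = strcspn(val, ",");            /* value ends at the next RDN */
    if (vlen == 0 || vlen >= outlen) return -1;
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Reduce a DN-style User-Name to its uid, then escape it into "(uid=...)". */
int build_uid_filter(const char *user_name, char *filter, size_t flen) {
    char uid[64], esc[192];
    if (leading_rdn_value(user_name, "uid", uid, sizeof uid) == 0) user_name = uid;
    if (escape_filter_value(user_name, esc, sizeof esc) < 0) return -1;
    int n = snprintf(filter, flen, "(uid=%s)", esc);
    return (n < 0 || (size_t)n >= flen) ? -1 : 0;
}

int main(void) {
    char f[128];                                /* constructed sample input */
    if (build_uid_filter("uid=P06227,ou=people,o=nrb,c=be", f, sizeof f) == 0) puts(f);
    return 0;
}
```

Escaping alone turns the whole DN into one literal value, which is the filter seen in the log; extracting the uid first yields a filter that can match an entry.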