LDAP changes between 1.01 and 1.1.5

Alan DeKok aland at deployingradius.com
Fri Apr 13 03:40:22 CEST 2007


Ryan Kramer wrote:
> I SUSPECT something might not be escaped in a manner the MS AD server
> likes, or maybe just the fact it has any escape sequences built in at
> all is what is causing it to toss it.

  No.  As I have said already, the problem is that the LDAP queries are
being escaped.  Please pay attention to what I'm saying, it might help
you solve the problem.

  The default install does not do this.  The default configuration does
not do this.  Other people have not run into this problem.  The problem
is almost definitely the way you are building the queries.

  i.e. the LDAP queries are built up as:

  <text from config file> ldap_escape(other text) <text from config ...>

  The text that you, as administrator entered into the configuration
file is NEVER escaped.  The text that a random user enters as a
User-Name is ALWAYS escaped.

  If you're putting queries into an attribute, and then later using that
attribute as part of another query, that text WILL be escaped.  The
server has no way of telling where that text came from, so it's untrusted.

  The solution is to carefully examine how you build the queries.  There
may be simpler ways of doing it, which avoid the double escaping issue.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
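To make the trusted/untrusted split and the double-escaping failure above concrete, here is an added Python example; it is not FreeRADIUS's rlm_ldap code, and it assumes RFC 4515-style `\XX` hex escaping of filter metacharacters and a `%{User-Name}` placeholder in an administrator-written filter template.

```python
# Added example (not FreeRADIUS code). Assumes RFC 4515-style escaping of
# LDAP filter assertion values; rlm_ldap's exact byte encoding may differ.

# Filter metacharacters that must not survive unescaped inside a value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape an untrusted string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter(template: str, user_name: str) -> str:
    """Build a filter the way the post describes.

    The template comes from the administrator's configuration and is
    never escaped; the User-Name comes from the remote user and is
    always escaped before it is substituted.
    """
    return template.replace("%{User-Name}", ldap_escape(user_name))


def build_filter_twice(template: str, user_name: str) -> str:
    """Reproduce the double-escaping mistake.

    The first pass stores an already-escaped value in an attribute; the
    second pass cannot tell where that text came from, treats it as
    untrusted, and escapes the backslashes again.
    """
    stored_attribute = ldap_escape(user_name)          # pass 1: escaped once
    return build_filter(template, stored_attribute)   # pass 2: escaped again


if __name__ == "__main__":
    # Constructed sample: a User-Name containing a filter metacharacter.
    template = "(uid=%{User-Name})"
    name = "jo*e"
    print(build_filter(template, name))        # (uid=jo\2ae)   matches "jo*e"
    print(build_filter_twice(template, name))  # (uid=jo\5c2ae) matches nothing
```

Because only one escaping pass is correct, the fix is to substitute the raw User-Name directly into the final query rather than routing an already-built filter through another attribute.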
