LDAP changes between 1.01 and 1.1.5

Phil Mayers p.mayers at imperial.ac.uk
Fri Apr 13 12:30:55 CEST 2007

> the problem is with the groupmembership_filter. It contains the 
> Ldap-UserDn attribute which gets xlated and escaped:
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> A DN usually contains commas which get escaped and break the ldap 
> search. I am not so sure why we should escape ',' in the first place. 
> That way we break any ldap searches for attribute values holding DN's.

This is correct.

For info the python-ldap module contains a function:

def escape_filter_chars(assertion_value):
   Replace all special characters found in assertion_value
   by quoted notation
   s = assertion_value.replace('\\', r'\5c')
   s = s.replace(r'*', r'\2a')
   s = s.replace(r'(', r'\28')
   s = s.replace(r')', r'\29')
   s = s.replace('\x00', r'\00')
   return s

...implying that only \*()NUL need be escaped?

More information about the Freeradius-Users mailing list