Ldap group troubles

Dourty, Brian R. (IATS) DourtyB at missouri.edu
Thu Jun 7 17:54:45 CEST 2007


Upgrading is what broke this functionality.  It works with version
1.0.1. Sometime after that a change was made to rlm_ldap.c. This change
modified the ldap_escape_func() function. The way this function works in
1.1.4 and up is different than 1.0.1. Basically, it didn't escape
anything in 1.0.1 and now it does. 

What we see in 1.1.4/1.1.6 is that a UserDN returned from AD using
OpenLDAP looks like this:

CN=Lastname\,Firstname, CN=bla,DC=bla

After the ldap_escape_func() returns it looks like this:

CN\\3dLastname\\5c\\5c\\2cFirstname\\2cCN\\3dbla\\2cDC\\3dbla

The \, gets escaped then translated and becomes \\5c\\5c\\2c which
doesn't match \, in the member= results of the group.

Any ideas where the extra \\5c is coming from?

Brian Dourty
System Administrator - Team Lead
Division of IT
University of Missouri - Columbia
573-882-1035


-----Original Message-----
From: freeradius-users-bounces+dourtyb=missouri.edu at lists.freeradius.org
[mailto:freeradius-users-bounces+dourtyb=missouri.edu at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Tuesday, June 05, 2007 6:50 PM
To: FreeRadius users mailing list
Subject: Re: Ldap group troubles

Dourty, Brian R. (IATS) wrote:
> I'm having some trouble with the ldap group configuration against AD and
> need a little help.
>
> Freeradius 1.1.4

Upgrade.
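
Added example, not part of the original messages and not FreeRADIUS code: a small C check that decodes an RFC 4515 hex-escaped filter value and compares it with the DN stored in a group's member attribute, to show why one \5c before \2c still matches and a second \5c does not. Assumptions: the function names are hypothetical, the sample strings are constructed from the DN quoted above (without the space after the comma), the doubled backslashes in the posted output are read as a C-style rendering of one backslash, and strcmp stands in for the directory's DN matching.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Decode RFC 4515 "\XX" hex escapes in a filter assertion value.
 * Returns the decoded length, or -1 on a malformed escape or short buffer. */
int filter_unescape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    while (*in) {
        unsigned int byte;
        if (*in == '\\') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return -1;          /* a bare backslash is not valid in a filter */
            sscanf(in + 1, "%2x", &byte);
            in += 3;
        } else {
            byte = (unsigned char)*in++;
        }
        if (n + 1 >= outlen)
            return -1;
        out[n++] = (char)byte;
    }
    out[n] = '\0';
    return (int)n;
}

/* Returns 1 if the escaped assertion value decodes to exactly the stored DN. */
int filter_value_matches(const char *escaped, const char *stored_dn)
{
    char buf[256];
    if (filter_unescape(escaped, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, stored_dn) == 0;
}

/* Constructed samples modelled on the DN in the message above. */
static const char STORED_DN[] = "CN=Lastname\\,Firstname,CN=bla,DC=bla";
static const char ESCAPED_ONCE[] =
    "CN\\3dLastname\\5c\\2cFirstname\\2cCN\\3dbla\\2cDC\\3dbla";
static const char ESCAPED_EXTRA[] =
    "CN\\3dLastname\\5c\\5c\\2cFirstname\\2cCN\\3dbla\\2cDC\\3dbla";

int main(void)
{
    printf("one 5c: %s\n", filter_value_matches(ESCAPED_ONCE, STORED_DN) ? "match" : "no match");
    printf("two 5c: %s\n", filter_value_matches(ESCAPED_EXTRA, STORED_DN) ? "match" : "no match");
    return 0;
}
```

Escaping = and , as \3d and \2c is harmless because the value is decoded once before comparison; the second \5c decodes to an extra literal backslash, so the decoded value is a different string from the stored DN.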