Freeradius LDAP weird login issue

cktan cktan at ocesb.com.my
Wed May 20 11:48:52 CEST 2009


Hi all,

I've been using freeradius+LDAP for PPPoE dialup access control for a 
while. Lately I noticed a weird issue whereby a user logs in with the 
username "user=5C=5C=5C=5Cuser at domain" and, surprisingly, freeradius 
allows the login although the actual username should be "user at domain". 
I've run radius in -X mode and captured the log for your reference, as 
below. In radiusd -X, we noticed the server received an Access-Request 
with username "user=5C=5C=5C=5Cuser at domain", but when it reaches 
radius_xlat, the uid becomes just "user", and when it queries my LDAP 
the account for "user" is available, so it accepts the access request. 
The question is why "user=5C=5C=5C=5Cuser" = "user"? We tried usernames 
with xC (i.e. 1C, 2C, 3C and so on...) and all are able to log in because 
radius will take them as user at domain. After login, the username in 
radacct becomes "user=5C=5C=5C=5Cuser at domain" instead of 
"user at domain". As a consequence, a smart user may have multiple logins 
(by using user=1C/2C/3C....) and the records in radacct are different, 
and therefore we lose control over multiple logins with a single 
account. Any idea how to fix this?


rad_recv: Access-Request packet from host 127.0.0.1:32877, id=87, length=93
        User-Name = *"user=5C=5C=5C=5Cuser at domain"*
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0

rlm_ldap: performing user authorization for *user=5c=5c=5c=5cuser*
radius_xlat: * '(uid=user)'*


Regards

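An added example, not part of the original post: a check over `radiusd -X` output that flags requests where the uid queried in LDAP differs from the User-Name that ends up in radacct, and lists accounts reached under more than one name. The function names and the sample log are constructed; the sample uses "@" where the archive shows " at ", and it assumes the realm is stripped before the LDAP lookup, as the excerpt above suggests.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug excerpt in the post.
SAMPLE_DEBUG_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:32877, id=87, length=93
        User-Name = "user=5C=5C=5C=5Cuser@domain"
rlm_ldap: performing user authorization for user=5c=5c=5c=5cuser
radius_xlat:  '(uid=user)'
rad_recv: Access-Request packet from host 127.0.0.1:32878, id=88, length=70
        User-Name = "user@domain"
radius_xlat:  '(uid=user)'
rad_recv: Access-Request packet from host 127.0.0.1:32879, id=89, length=71
        User-Name = "alice@domain"
radius_xlat:  '(uid=alice)'
"""

REQ_RE = re.compile(r"rad_recv: Access-Request packet from host [^,]+, id=(\d+)")
NAME_RE = re.compile(r'^\s*User-Name = "([^"]*)"')
UID_RE = re.compile(r"radius_xlat:\s*'\(uid=([^)]*)\)'")

def parse_requests(log):
    """One (packet id, User-Name, LDAP uid) tuple per complete Access-Request."""
    requests, current = [], None
    for line in log.splitlines():
        if m := REQ_RE.search(line):
            current = {"id": int(m.group(1)), "name": None, "uid": None}
            requests.append(current)
        elif current is not None:
            if m := NAME_RE.search(line):
                current["name"] = m.group(1)
            elif m := UID_RE.search(line):
                current["uid"] = m.group(1)
    return [(r["id"], r["name"], r["uid"]) for r in requests
            if r["name"] is not None and r["uid"] is not None]

def find_identity_mismatches(log):
    """Requests whose LDAP lookup key is not the local part of the User-Name."""
    return [(pid, name, uid) for pid, name, uid in parse_requests(log)
            if name.split("@", 1)[0].lower() != uid.lower()]

def names_per_account(log):
    """LDAP uids that were reached under more than one distinct User-Name."""
    seen = defaultdict(set)
    for _, name, uid in parse_requests(log):
        seen[uid.lower()].add(name)
    return {uid: sorted(names) for uid, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    print(find_identity_mismatches(SAMPLE_DEBUG_LOG))
    print(names_per_account(SAMPLE_DEBUG_LOG))
```

Any uid returned by `names_per_account` is an account whose sessions are recorded in radacct under different names, which is the condition the post says defeats the multiple-login check.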