AD Auth - problem with some chars in user's DN

Nelson Vale nelsonduvall at
Mon Jun 7 15:13:34 CEST 2010

Sorry, the problem occurs only with the " (double quotes) character and not
with the other two characters.

2010/6/7 Nelson Vale <nelsonduvall at>

> Hi all,
> I've recently found a problem authenticating some users in AD (2003) when
> the user's Distinguished Names have one or more of the following characters:
>  " ' ` (double quotes, apostrophe or grave accent), using freeradius 2.0.2
> and 2.1.9 versions:
> "...
> [ldap] login attempt by "johndoe" with password "test123;"
> [ldap] user DN: CN=John "The Man" Doe,OU=students,DC=domain,DC=localal
>   [ldap] (re)connect to, authentication 1
>   [ldap] bind as CN=John "The Man"
> Doe,OU=students,DC=domain,DC=localal/test123; to
>   [ldap] waiting for bind result ...
>   [ldap] Bind failed with invalid credentials
> ..."
> ( the correct DN for this user is "CN=John "The Man"
> Doe,OU=students,DC=domain,DC=local" )
> The rlm_ldap module is performing the user authentication using a DN that
> has two more characters than it should have (the "al" at the end), and the number
> of these extra characters is the same as the number of the occurrences of
> the characters described above.
> The characters that cause this problem are the ones from
> the src/lib/valuepair.c pairparsevalue() function (PW_TYPE_STRING type), and
> if they are removed from there the authentication will be
> processed successfully ( I know, if they are there there must be some reason
> ).
> I've managed to fix this in rlm_ldap by quoting the characters in the
> vp_user_dn->vp_strvalue, but I'm not sure if this will fix all the problems
> that can arise from this.
> Has anyone ever had such a problem? I know that it's a little unusual to
> have these characters in users' names but AD allows it ...
> Thx,
> Nelson Vale
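
A DN that ends in "localal", with one surplus character per quote character, is the signature of a string that was shortened in place without its terminator being moved. The C below is an added illustration of that bug class, not FreeRADIUS code and not part of the original post; the function names and the assumption that the DN arrives with its quotes backslash-escaped are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the DN from the post, with each double quote
 * backslash-escaped (an assumption about how the value arrives). */
static const char ESCAPED_DN[] =
    "CN=John \\\"The Man\\\" Doe,OU=students,DC=domain,DC=local";

static int is_quote(char c) { return c == '"' || c == '\'' || c == '`'; }

/* Hypothetical buggy unescape: drops the backslash before a quote
 * character in place, but keeps the old length and never writes a new
 * terminator, so the tail of the original string survives. */
size_t unescape_buggy(char *s)
{
    size_t r = 0, w = 0, len = strlen(s);
    while (r < len) {
        if (s[r] == '\\' && r + 1 < len && is_quote(s[r + 1]))
            r++;                 /* skip the backslash */
        s[w++] = s[r++];
    }
    return len;                  /* stale: should be w */
}

/* Corrected form: terminate at the write index, return the new length. */
size_t unescape_fixed(char *s)
{
    size_t r = 0, w = 0, len = strlen(s);
    while (r < len) {
        if (s[r] == '\\' && r + 1 < len && is_quote(s[r + 1]))
            r++;
        s[w++] = s[r++];
    }
    s[w] = '\0';
    return w;
}

int main(void)
{
    char a[128], b[128];
    strcpy(a, ESCAPED_DN);
    strcpy(b, ESCAPED_DN);
    unescape_buggy(a);
    unescape_fixed(b);
    printf("buggy: %s\nfixed: %s\n", a, b);
    return 0;
}
```

Comparing `strlen()` of the stored value against the length recorded for it is a quick check for this kind of mismatch.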