are there any characters not allowed in a password used with LDAP "bind as user"?
Phil Mayers
p.mayers at imperial.ac.uk
Thu Oct 21 23:43:41 CEST 2010
On 10/21/2010 10:27 PM, Phil Mayers wrote:
> On 10/21/2010 08:52 PM, mark.leese at stfc.ac.uk wrote:
>
>>
>> I don't know whether the problem lies with me (for allowing a backslash
>> in the password in the first place) or the NAS for appearing to 'escape'
>> the backslash (with a backslash)
>
> rlm_ldap accesses the raw string value of the request->password AVP, so
> it shouldn't be anything inside FreeRadius.
>
> What is the NAS?
Hmm. I've just tried this locally and I don't seem to get the same
results as you; I see the backslash doubled in the initial FreeRadius
dump (as expected - FreeRadius writes the debug output as you would
write config files):
rad_recv: Access-Request packet from host 127.0.0.1 port 53973, id=123,
length=44
User-Name = "pjm3"
User-Password = "foo\\bar"
...and I then see:
[ldap] login attempt by "pjm3" with password "foo\bar"
[ldap] user DN: CN=pjm3,...
[ldap] (re)connect to icads1.ic.ac.uk:389, authentication 1
[ldap] bind as CN=pjm3,.../foo\bar to icads1.ic.ac.uk:389
[ldap] waiting for bind result ...
...note the backslash just appears singly here; the rlm_ldap debugging
output code writes the raw value out. You however have two backslashes
by this point, so it must be your rlm_perl module. Can you prevent the
perl module touching the User-Password attribute, and see if that helps?
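As an added illustration (not code from the thread, from FreeRADIUS or from rlm_ldap), the Python below does by hand what a reader of this debug output has to do: it reverses the config-file style escaping that the rad_recv dump applies, recovers the raw password that rlm_ldap actually binds with, and classifies the doubled-backslash symptom described above as a value that has been escaped a second time somewhere between the request and the bind. The sample dump lines are constructed to match the shape of the ones quoted in the reply. The escape set beyond the doubled backslash (escaped quote, \n, \r, \t and three-digit octal) is an assumption mirroring config-file string syntax; the page itself only shows the backslash case.

```python
import re

# Constructed sample in the style of a FreeRADIUS debug dump (not a capture from
# the thread's server). The attribute dump prints values the way you would write
# them in a config file, so the raw password foo\bar appears as "foo\\bar".
SAMPLE_DEBUG_DUMP = r'''rad_recv: Access-Request packet from host 127.0.0.1 port 53973, id=123, length=44
    User-Name = "pjm3"
    User-Password = "foo\\bar"
'''

# Single-character escapes, assumed to match config-file string syntax; the page
# itself only shows \\ for a backslash. Three-digit octal (\ooo) is also accepted.
_SIMPLE_ESCAPES = {"\\": "\\", '"': '"', "n": "\n", "r": "\r", "t": "\t"}


def unescape_debug_string(quoted: str) -> str:
    """Turn a quoted attribute value from a debug dump back into the raw string."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError(f"not a quoted string: {quoted!r}")
    body = quoted[1:-1]
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("dangling backslash at end of value")
        nxt = body[i + 1]
        if nxt in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[nxt])
            i += 2
        elif re.fullmatch(r"[0-7]{3}", body[i + 1:i + 4]):
            out.append(chr(int(body[i + 1:i + 4], 8)))
            i += 4
        else:
            raise ValueError(f"unknown escape \\{nxt}")
    return "".join(out)


def escape_debug_string(raw: str) -> str:
    """Inverse of unescape_debug_string: render a raw value as the dump prints it."""
    out = ['"']
    for ch in raw:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\%03o" % ord(ch))
        else:
            out.append(ch)
    out.append('"')
    return "".join(out)


_ATTR_LINE = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*=\s*(".*")\s*$')


def parse_debug_dump(text: str) -> dict:
    """Collect attribute/value pairs from a rad_recv dump, with values unescaped."""
    attrs = {}
    for line in text.splitlines():
        m = _ATTR_LINE.match(line)
        if m:
            attrs[m.group(1)] = unescape_debug_string(m.group(2))
    return attrs


def bind_password_bytes(raw: str) -> bytes:
    """The octets an LDAP simple bind carries for the password.

    A simple bind password is an OCTET STRING (RFC 4511), so no character needs
    escaping; this mirrors rlm_ldap passing the raw request value straight through.
    """
    return raw.encode("utf-8")


def diagnose_password(request_raw: str, seen_by_module: str) -> str:
    """Classify what a later module holds relative to the password as received.

    "double-escaped" is the symptom from the thread: the value is the config-file
    rendering of the real password, every backslash doubled, minus the quotes.
    """
    if seen_by_module == request_raw:
        return "ok"
    if seen_by_module == escape_debug_string(request_raw)[1:-1]:
        return "double-escaped"
    return "changed"


if __name__ == "__main__":
    raw = parse_debug_dump(SAMPLE_DEBUG_DUMP)["User-Password"]
    print("dump shows   :", escape_debug_string(raw))
    print("raw password :", raw)
    print("bind octets  :", bind_password_bytes(raw))
    print("module holds :", diagnose_password(raw, "foo\\\\bar"))
```

Run against the constructed dump, the script recovers foo\bar as the raw password (seven octets for the bind), re-renders it as "foo\\bar" for the dump, and reports a module holding foo\\bar as double-escaped. That last check is the quick way to confirm the suspicion in the reply: compare what rlm_perl (or any module in the chain) is working with against the unescaped request value rather than against the debug dump.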