Freeradius and group membership check

John Dennis jdennis at redhat.com
Thu Aug 11 16:39:49 CEST 2011


On 08/11/2011 10:01 AM, Vlad Glagolev wrote:
> Hello there,
>
> I'm here to say that I've found kind of misconfiguration/bug in Freeradius.
>
> The version is 2.1.10, and the platform is i386 (i686) OpenBSD.
>
> When I try to use the group membership check, I see strange behaviour: instead of commas there are symbols (those are in ASCII?) like that:
>
> [files]         expand: (|(&(objectClass=PosixGroup)(memberUnixUserName=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) ->  (|(&(objectClass=PosixGroup)(memberUnixUserName=uid\3dtest\2cou\3dIT\2cou\3dDepartments\2cou\3ddom.tld\2cou\3dDomains\2cou\3dUsers\2cdc\3ddomain\2cdc\3dtld))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtest\2cou\3dIT\2cou\3dDepartments\2cou\3ddom.tld\2cou\3dDomains\2cou\3dUsers\2cdc\3ddomain\2cdc\3dtld)))
>
> Of course, if I use %{User-Name} instead of %{control:Ldap-UserDn} it works well (with a simplified search filter, but it's the same with the one above):
>
> [files]         expand: (&(objectClass=posixGroup)(memberUnixUserName=%{User-Name})) ->  (&(objectClass=posixGroup)(memberUnixUserName=test))
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=domain,dc=tld, with filter (&(cn=disabled)(&(objectClass=posixGroup)(memberUnixUserName=test)))
> rlm_ldap::ldap_groupcmp: User found in group disabled
>
> Is this a known behaviour?


LDAP DNs have reserved characters; comma is one of them. To properly 
form a DN, the reserved characters must be "escaped". There are two 
methods to escape a reserved character: either precede it with a 
backslash, or convert it to its hexadecimal ASCII code point preceded 
by a backslash. The hexadecimal ASCII code point for comma is 2c, thus 
all your commas are getting replaced by \2c as part of the DN escaping.

That explains the odd string; as to whether the escaping is occurring at 
the right place, I would need more information than you've provided. 
Hopefully that gives you enough information to proceed.

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
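The hex escaping John describes, as an added example (Python; this is not code from the thread or from rlm_ldap). It applies RFC 4515 filter-value escaping, which writes any escaped character as backslash plus two hex digits, and reproduces the `\3d`/`\2c` string from the debug log when the DN-reserved characters are added to the escape set. The page only confirms that `,` and `=` were escaped; the full `DN_RESERVED` set, and the function names, are assumptions. The decoder shows what the LDAP server compares against after undoing the escapes, and the filter builder shows why the escaping matters for filters built from user-controlled values: a value containing `(`, `)` or `*` stays a single assertion value instead of changing the filter's structure.

```python
"""RFC 4515 escaping of values placed into LDAP search filters (added example)."""
import re

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
FILTER_MUST_ESCAPE = frozenset({"*", "(", ")", "\\", "\x00"})

# Characters RFC 4514 reserves in a DN. The log on the page only shows
# ',' -> \2c and '=' -> \3d; treating rlm_ldap as escaping this whole set
# is an assumption made for this example.
DN_RESERVED = frozenset(',=+<>#;"\\')


def escape_filter_value(value: str, extra=frozenset()) -> str:
    """Return value with each special character written as \\xx per UTF-8 byte.

    The RFC 4515 mandatory set is always escaped; pass extra=DN_RESERVED to
    also escape the DN-reserved characters and get the form seen in the log.
    Control characters and non-ASCII are hex-escaped byte by byte as well.
    """
    specials = FILTER_MUST_ESCAPE | frozenset(extra)
    out = []
    for ch in value:
        if ch in specials or not (0x20 <= ord(ch) <= 0x7E):
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def unescape_filter_value(value: str) -> str:
    """Decode \\xx escapes back into the bytes the LDAP server compares against."""
    raw = bytearray()
    i = 0
    while i < len(value):
        m = _HEX_ESCAPE.match(value, i)
        if m:
            raw.append(int(m.group(1), 16))
            i = m.end()
        else:
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")


def build_group_filter(group_cn: str, member_attr: str, member_value: str,
                       extra=frozenset()) -> str:
    """Build the nested filter shape from the page's debug output, with both
    user-influenced values escaped so they cannot alter the filter structure."""
    return "(&(cn=%s)(&(objectClass=posixGroup)(%s=%s)))" % (
        escape_filter_value(group_cn),
        member_attr,
        escape_filter_value(member_value, extra),
    )


if __name__ == "__main__":
    # Constructed sample DN with the same shape as the one in the log.
    dn = "uid=test,ou=IT,ou=Departments,ou=dom.tld,ou=Domains,ou=Users,dc=domain,dc=tld"
    escaped = escape_filter_value(dn, DN_RESERVED)
    print(escaped)                          # the \3d / \2c form from the log
    print(unescape_filter_value(escaped))   # round-trips to the original DN
    # A constructed value carrying filter metacharacters stays one assertion.
    print(build_group_filter("disabled", "memberUnixUserName", "test)(cn=*"))
```

Escaping with the RFC 4515 set only is what a filter needs; escaping the DN-reserved characters on top of that is harmless to the server, because `\2c` decodes to a literal comma, which is why the escaped DN in the log is still a valid assertion value.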
