Using ldap_xlat in unlang with Chars not allowed in an ldap search
Daniel Finger
daniel.finger at ewetel.de
Wed Aug 29 17:00:31 CEST 2012
Hi!
I have a problem using the ldap module to search the LDAP tree for a
specific attribute containing a (.
I am using FreeRADIUS (2.1.12) for 802.1X authentication (EAP-TLS), which
is working fine. After successful EAP authentication, I want to check whether the
user has an entry in the LDAP.
During authenticate (I just changed a bit of formatting to have it readable
here):
Auth-Type eap {
    eap
    # Some code to react to EAP auth failures
    if ( "%{TLS-Client-Cert-Common-Name}" != "" ) {
        update control {
            Tmp-String-1 = "%{ldap_WLAN_auth:ldap:///cn=UserAccounts,dc=DE?cn?sub?(&(CommonName=%{TLS-Client-Cert-Common-Name})(allowedSSID=%{Aruba-Essid-Name}))}"
        }
        if ("%{control:Tmp-String-1}" == "") {
            update control {
                Auth-Type := "Reject"
            }
            update reply {
                Reply-Message = "The user %{User-Name} is not known or allowed to access the SSID %{Aruba-Essid-Name}"
            }
            reject
        }
    }
}
Now %{TLS-Client-Cert-Common-Name} contains a ( and a ), which leads to a
bad search filter:
|Debug: [ldap_WLAN_auth] - ldap_xlat
|Info: expand: ldap:///cn=UserAccounts,dc=NI-NGN,dc=DE?cn?sub?(&(CommonName=%{TLS-Client-Cert-Common-Name})(allowedSSID=%{Aruba-Essid-Name})) -> ldap:///cn=UserAccounts,dc=DE?cn?sub?(&(CommonName=Testuser(10) Daniel)(allowedSSID=ssid-data))
|Debug: [ldap_WLAN_auth] ldap_get_conn: Checking Id: 0
|Debug: [ldap_WLAN_auth] ldap_get_conn: Got Id: 0
|Debug: [ldap_WLAN_auth] performing search in cn=UserAccounts,dc=DE, with filter (&(CommonName=Testuser(10) Daniel)(allowedSSID=ssid-data))
|ldap_search() failed: Bad search filter: (&(CommonName=Testuser(10) Daniel)(allowedSSID=ssid-data))
|Debug: [ldap_WLAN_auth] Search returned error
|Debug: [ldap_WLAN_auth] ldap_release_conn: Release Id: 0
|Info: expand: %{ldap_WLAN_auth:ldap:///cn=UserAccounts,dc=DE?cn?sub?(&(CommonName=%{TLS-Client-Cert-Common-Name})(allowedSSID=%{Aruba-Essid-Name}))} ->
If I have searched correctly, it should work if I rewrite the attribute with
\28 for ( and \29 for ) (as an ASCII string, not escaped :-)).
As it seems, the rewrite module is not the solution, as I could not get it to
do this :-)
It works as I expected it to if the CommonName does not contain the
parentheses.
Any ideas to work around these parentheses? Preferably using any char
allowed in the Common Name, as I expect it to contain umlauts or an & char.
Greetings,
Daniel
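The escaping the poster is after, as an added example (Python, not FreeRADIUS or rlm_ldap code, and not part of the original message): a value escaper following RFC 4515 (the five characters that must become \XX, with optional hex-escaping of non-ASCII UTF-8 for umlauts), the filter the unlang above builds with both substituted values escaped, and a small well-formedness check that shows why the unescaped CN from the debug output is rejected as a bad search filter. It also shows the converse risk of substituting an unescaped value: a constructed CN of `*)(objectClass=*` yields a filter that parses fine but no longer means what the config intends. The CN and SSID strings, the injected value and all function names are constructed for the example.

```python
"""Escaping untrusted values for LDAP search filters (RFC 4515).

Added example, not rlm_ldap code. The CN/SSID strings below are constructed.
"""
from string import hexdigits

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits. Everything else,
# including '&', spaces and raw UTF-8 (umlauts), may appear literally.
_MUST_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str, escape_non_ascii: bool = False) -> str:
    """Return value safe to splice into an LDAP filter as an assertion value.

    With escape_non_ascii=True, bytes >= 0x80 of the UTF-8 encoding are also
    hex-escaped (\\c3\\bc for 'ü'); RFC 4515 permits either form.
    """
    out = []
    for ch in value:
        if ch in _MUST_ESCAPE:
            out.append(_MUST_ESCAPE[ch])
        elif escape_non_ascii and ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(common_name: str, ssid: str) -> str:
    """The filter from the poster's ldap URL, with both values escaped."""
    return (f"(&(CommonName={escape_filter_value(common_name)})"
            f"(allowedSSID={escape_filter_value(ssid)}))")


def _parse(s: str, i: int) -> int:
    """Parse one filter at s[i]; return the index just past its ')'.

    Minimal RFC 4515 grammar: (&filters...), (|filters...), (!filter) and
    simple attr=value items. Raises ValueError on anything malformed.
    """
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
            count += 1
        if count == 0 or (op == "!" and count != 1):
            raise ValueError(f"bad operand count for '{op}'")
    else:
        j = i
        while j < len(s) and s[j] not in "()":
            if s[j] == "\\":  # an escape must be exactly \XX
                if j + 2 >= len(s) or not all(c in hexdigits for c in s[j + 1:j + 3]):
                    raise ValueError(f"bad escape at offset {j}")
                j += 3
            else:
                j += 1
        attr, sep, _value = s[i:j].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad item {s[i:j]!r}")
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def filter_is_well_formed(s: str) -> bool:
    """True if the whole string is one syntactically valid filter."""
    try:
        return _parse(s, 0) == len(s)
    except ValueError:
        return False


# Constructed inputs: the CN from the poster's debug output, and an injected
# CN that would widen the AND to match any object if left unescaped.
CN = "Testuser(10) Daniel"
SSID = "ssid-data"
UNESCAPED = f"(&(CommonName={CN})(allowedSSID={SSID}))"
INJECTED_CN = "*)(objectClass=*"

if __name__ == "__main__":
    print(UNESCAPED, filter_is_well_formed(UNESCAPED))                        # False
    print(build_filter(CN, SSID), filter_is_well_formed(build_filter(CN, SSID)))  # True
    print(f"(&(CommonName={INJECTED_CN})(allowedSSID={SSID}))")                # parses, wrong meaning
    print(build_filter(INJECTED_CN, SSID))                                     # neutralised
```

Whichever layer performs the substitution (the xlat, a policy rewrite, or a wrapper), the rule is the same: a value taken from a certificate or a request attribute is escaped as an assertion value before it lands in the filter, not handed over raw.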