Using ldap_xlat in unlang with Chars not allowed in an ldap search

Daniel Finger daniel.finger at
Wed Aug 29 17:00:31 CEST 2012


I have a Problem using the ldap Module to search in the ldap Tree for a
specific Attribute Containing a (.

I am using FreeRadius (2.1.12) for 802.1X Authentication (EAP-TLS) which
is working fine. After successful EAP Authentication, I want to check if the
User has an Entry in the LDAP:

During authenticate (I just changed a bit of formatting to have it readable):

Auth-Type eap {
        # Some Code to react to EAP Auth Failures

if ( "%{TLS-Client-Cert-Common-Name}" != "" ) {
	update control {
	    Tmp-String-1 =
if ("%{control:Tmp-String-1}" == "") {
	update control {
		Auth-Type := "Reject"
	update reply {
		Reply-Message = "The user %{User-Name} is not known or
				allowed to access the SSID %{Aruba-Essid-

Now the {TLS-Client-Cert-Common-Name} contains a ( and a ) which leads to a
bad search filter:

|Debug:   [ldap_WLAN_auth] - ldap_xlat
|Info:        expand:
-> ldap:///cn=UserAccounts,dc=DE?cn?sub?(&(CommonName=Testuser(10)
|Debug:   [ldap_WLAN_auth] ldap_get_conn: Checking Id: 0
|Debug:   [ldap_WLAN_auth] ldap_get_conn: Got Id: 0
|Debug:   [ldap_WLAN_auth] performing search in cn=UserAccounts,dc=DE, with
filter (&(CommonName=Testuser(10) Daniel)(allowedSSID=ssid-data))
|ldap_search() failed: Bad search filter: (&(CommonName=Testuser(10)
|Debug:   [ldap_WLAN_auth] Search returned error
|Debug:   [ldap_WLAN_auth] ldap_release_conn: Release Id: 0
|Info:        expand:

If I have searched correctly it should work if I rewrite the Attribute with
\28 for ( and \29 for ) (as ascii string, not escaped :-))

As it seems the rewrite Module is not the solution as I could not get it to
do this :-)

It works as I expected it to do if the CommonName does not contain the
Any Ideas to work around these Parentheses? Preferably using any Char
allowed in the Common Name, as I expect it to contain Umlauts or an & Char.
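
The escaping the post describes (\28 for "(" and \29 for ")") is the RFC 4515 rule for LDAP filter values. The following is an added example, not part of the original post and not FreeRADIUS code: it escapes a certificate Common Name before it is placed in a filter, so that parentheses, "*" and "\" in the CN cannot change the filter's structure or widen the match. The function names are hypothetical; the attribute names and sample values are taken from the debug output above.

```python
# Added example: RFC 4515 escaping of an LDAP filter assertion value.
# Function names are hypothetical; CommonName/allowedSSID come from the
# debug output quoted in the post.

# Characters that RFC 4515 requires to be escaped inside a filter value.
_SPECIAL_CHARS = {"\x00", "(", ")", "*", "\\"}


def escape_filter_value(value: str, escape_non_ascii: bool = False) -> str:
    """Return value with filter metacharacters replaced by \\XX hex escapes.

    Each character is handled exactly once, so a backslash produced by an
    earlier escape is never escaped a second time.  Non-ASCII characters
    (umlauts, for example) are legal as UTF-8 in a filter; set
    escape_non_ascii=True to hex-escape their UTF-8 bytes as well.
    """
    out = []
    for ch in value:
        data = ch.encode("utf-8")
        if ch in _SPECIAL_CHARS or (escape_non_ascii and len(data) > 1):
            out.append("".join("\\%02x" % b for b in data))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(common_name: str, ssid: str) -> str:
    """Build the two-clause AND filter seen in the log, with escaped values."""
    return "(&(CommonName=%s)(allowedSSID=%s))" % (
        escape_filter_value(common_name),
        escape_filter_value(ssid),
    )


if __name__ == "__main__":
    # Values from the post's debug output.
    print(build_filter("Testuser(10) Daniel", "ssid-data"))
    # Constructed samples: "&" and umlauts need no escaping inside a value,
    # while "*" must be escaped so it is not treated as a wildcard.
    print(escape_filter_value("Müller & Söhne"))
    print(escape_filter_value("Müller", escape_non_ascii=True))
    print(escape_filter_value("Test*user"))
```
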


More information about the Freeradius-Users mailing list