Using ldap_xlat in unlang with Chars not allowed in an ldap search

Phil Mayers p.mayers at
Thu Sep 20 18:28:11 CEST 2012

On 29/08/12 17:42, Phil Mayers wrote:

> There's no easy way to do this with the built-in LDAP code. When the
> "xlat" is called, it's called with one big string i.e. the un-escaped
> value is already inside the string, and can't be escaped.

Actually, following this up: I'm wrong here, due to misunderstanding how 
the xlat & escape stuff applies.

I think the actual problem is that ldap_xlat doesn't use the 
ldap_escape_func on the URL, because the escape func was added after the 
xlat, and the xlat not updated. That is, it's a simple bug.

If you edit rlm_ldap.c around line 1231, and change:

   if (!radius_xlat(url, sizeof(url), fmt, request, func))

   if (!radius_xlat(url, sizeof(url), fmt, request, ldap_escape_func))

...this should work. I'll submit a one-liner.

More information about the Freeradius-Users mailing list