UserDN escape problem and Group membership checking in 3.0.3

Winders, Timothy A twinders at southplainscollege.edu
Wed Nov 19 23:07:10 CET 2014


On 11/19/14, 3:57 PM, "Arran Cudbard-Bell" <a.cudbardb at freeradius.org>
wrote:
>
>Alan and I just discussed this offline, and we think we've determined the
>correct fix.
>
>The issue is with the string expansion code. When it finds an attribute
>expansion in the string such as %{control:Ldap-UserDN}, it tries to make it
>safe by escaping chars with special meanings like \r \n \.
>
>It does this *even* if an escaping callback is provided by the module
>wanting to do the string expansion.
>
>So before the LDAP escape function ever gets the string "CN=Winders\, Tim"
>it has become "CN=winders\\, Tim".
>
>Which then gets encoded to "CN\3dWinders\5c\5c\2c Tim".
>
>The fix appears to be, to hand off escaping completely to the escape
>function if one is set by the module, and to do the normal escaping
>otherwise.
>
>I'll add a fix, but it'll probably go into 3.0.6 as this may change other
>behaviour.
>
>-- Regarding liveness of zip files, that one will be the HEAD of the repo.
>-- Regarding building debs 'make deb'
>

You guys rock!

I'm happy with the current solution and will be looking for the 3.0.6
release for the complete fix!

-- 
Tim Winders

Associate Dean of Information Technology
South Plains College
(806) 716-2369
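
The double escaping described in the quoted message, reproduced as an added C example that is not FreeRADIUS code. The names `generic_escape`, `ldap_escape`, `expand_value`, `expands_to` and the `handoff` flag are hypothetical, and both escape routines are simplified stand-ins whose character sets are assumptions.

```c
#include <stdio.h>
#include <string.h>
typedef void (*escape_fn)(char *out, size_t outlen, const char *in);

/* Simplified stand-in for the generic escaping: backslash-escape CR, LF and '\'. */
static void generic_escape(char *out, size_t outlen, const char *in) {
    size_t n = 0;
    for (; *in && n + 3 < outlen; in++) {
        char c = *in == '\r' ? 'r' : *in == '\n' ? 'n' : *in == '\\' ? '\\' : 0;
        if (c) { out[n++] = '\\'; out[n++] = c; }
        else out[n++] = *in;
    }
    out[n] = '\0';
}

/* Stand-in for the module's LDAP escape callback: hex-encode special characters
 * (the exact character set is an assumption). */
static void ldap_escape(char *out, size_t outlen, const char *in) {
    size_t n = 0;
    for (; *in && n + 4 < outlen; in++) {
        if (strchr(",+\"\\<>;*=()", *in))
            n += (size_t)snprintf(out + n, outlen - n, "\\%02x", (unsigned)(unsigned char)*in);
        else out[n++] = *in;
    }
    out[n] = '\0';
}

/* handoff == 0: generic escaping runs even though a callback is set (the reported
 * behaviour). handoff == 1: the callback alone escapes the value (the described fix). */
static void expand_value(char *out, size_t outlen, const char *value, escape_fn cb, int handoff) {
    char tmp[256];
    if (!cb) { generic_escape(out, outlen, value); return; }
    if (handoff) { cb(out, outlen, value); return; }
    generic_escape(tmp, sizeof(tmp), value);
    cb(out, outlen, tmp);
}

/* Returns 1 when the expansion of value equals expected. */
static int expands_to(const char *value, escape_fn cb, int handoff, const char *expected) {
    char out[256];
    expand_value(out, sizeof(out), value, cb, handoff);
    return strcmp(out, expected) == 0;
}

int main(void) {
    const char *dn = "CN=Winders\\, Tim"; /* the DN quoted in the thread */
    printf("double escaped: %d\n", expands_to(dn, ldap_escape, 0, "CN\\3dWinders\\5c\\5c\\2c Tim"));
    printf("handed off:     %d\n", expands_to(dn, ldap_escape, 1, "CN\\3dWinders\\5c\\2c Tim"));
    return 0;
}
```

With `handoff` set to 0 the backslash in the DN is doubled before the callback sees it, so the filter value carries `\5c\5c` and no longer matches the directory entry; with `handoff` set to 1 it carries a single `\5c`.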
