Safe characters, old and new versions of 3.1.0

Franks Andy (IT Technical Architecture Manager) Andy.Franks at sath.nhs.uk
Thu Jan 7 14:13:34 CET 2016


Hi all,
  Sorry to post so much, struggling with differences again in the newer version of FR I have on a server. The older is 3.1.0 git #390f216, the newer 3.1.0 git #f4d5ff6.

We're seeing differences in the way unusual characters are handled in the older version when compared with the newer, in terms of the way variable values with certain characters are expanded.
The main problem is it mucks up the SQL character writing - the frontend comes up with an odd ASCII character that in theory shouldn't be written according to the "safe characters" list afaics.
I can't change what's in the ldap description field we use as the source of this attribute unfortunately - a third party system writes into it which we have no change access to.

Anyway, below are examples on old and new of the ldap attribute source, an example variable expansion of that attribute and lastly what goes into SQL. The examples aren't quite identical as one is a live system that's so busy it's hard to get exactly the same string from it. Generally the string is "Amended by Directory Manager dd\mm\yyyy" in AD, but that comes over to ldap as dd\\mm?y for some reason, presumably because of weird characters in the string that look ok in AD console. What gets inserted after that into SQL is, on the old server,
"Amended by Directory Manager dd(asciicode)mm(asciicode)yy"
Which appears fine within mysql.

On the new server

"Amended by Directory Manager dd\\mm?y" plus some other non-visible stuff I guess, which isn't fine. In SQL it looks like a square box, not sure of the actual ascii code.
This character doesn't seem to be part of the "safe characters". Also on the old server and new one, the ordinary backslash makes its way through to sql but I can't see it on the SC list.
Any ideas?! Is there any way of replicating old behaviour or fixing the new?
Thanks
Andy

Old server
(35) ldap3:     control:Ldap-UserDescription := 'Amended by Directory Manager 26\\08?5'

Variable expansion

(35)           EXPAND %{control:LinelogString}, DESC: %{control:Ldap-UserDescription}
(35)              --> 07-01-2016 11:13:51, WEBSTERC at SATH.nhs.uk, Accept, DESC: Amended by Directory Manager 26\\08\2015

Sql config:
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
Insert
'Amended by Directory Manager 26=5C08=815'

New server
(10) ldap5: control:Ldap-UserDescription := 'Amended by Directory Manager 02\\12?4'

Variable expansion

(10)             EXPAND %{control:LinelogString}, DESC: %{control:Ldap-UserDescription}
(10)                --> 07-01-2016 10:48:56, franksa, Accept, DESC: Amended by Directory Manager 02\\12\2014

'%{control:Ldap-UserDescription}'

Sql config:
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
Insert
Amended by Directory Manager 02\\12?4'
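
Added example, not part of the original post and not FreeRADIUS source code: a Python model of the `=XX` encoding visible in the old server's insert above, where each byte outside `safe_characters` is written as `=` plus two hex digits. The input bytes (one backslash, one 0x81 byte) are constructed to match that insert, and the function names are hypothetical.

```python
# Added illustration: models the "=XX" encoding seen in the old server's
# SQL insert. Not FreeRADIUS code; function names are hypothetical.

# safe_characters exactly as quoted in the post's sql config.
SAFE_CHARACTERS = (
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
)


def unsafe_bytes(value: bytes, safe: str = SAFE_CHARACTERS):
    """Return (offset, byte) for every byte that is not in the safe list."""
    allowed = set(safe.encode("ascii"))
    return [(i, b) for i, b in enumerate(value) if b not in allowed]


def escape_for_sql(value: bytes, safe: str = SAFE_CHARACTERS) -> str:
    """Encode every byte outside the safe list as =XX (upper-case hex)."""
    allowed = set(safe.encode("ascii"))
    return "".join(chr(b) if b in allowed else "=%02X" % b for b in value)


# Constructed input: the description with one backslash (0x5C) and one
# non-printable byte (0x81), matching the =5C and =81 in the old insert.
SAMPLE = b"Amended by Directory Manager 26\\08\x815"

if __name__ == "__main__":
    print(escape_for_sql(SAMPLE))
    for offset, byte in unsafe_bytes(SAMPLE):
        print("offset %d: 0x%02X is not in safe_characters" % (offset, byte))
```

Running the same check over the bytes actually stored by the new server shows whether any byte outside the list reached the database unencoded.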


