Transformation of the + symbol -- FRS 3.0.11
Mark Williams
martialstudy at hotmail.com
Wed Nov 2 19:26:21 CET 2016
It does have a special meaning, but the method by which FR is escaping the + character seems to have changed since version 3.0.4, and doesn't appear to be working (in my environment at least).
If I run radtest against FRS-3.0.4 I get debug like this:
(10356) Wed Nov Checking for suffix after "@"
(10356) Wed Nov Looking up realm "vt.edu" for User-Name = "bob+ipad1 at vt.edu"
(10356) Wed Nov Found realm "vt.edu"
(10356) Wed Nov Adding Stripped-User-Name = "bob+ipad1"
(10356) Wed Nov Adding Realm = "vt.edu"
(10356) Wed Nov Authentication realm is LOCAL
(10356) Wed Nov 2 13:53:33 2016 : Debug: [suffix] = ok
(10356) Wed NoNo EAP-Message, not doing EAP
(10356) Wed Nov 2 13:53:33 2016 : Debug: [eap] = noop
(10356) Wed NovEXPAND (&(uid=%{Stripped-User-Name}))
(10356) Wed Nov --> (&(uid=bob\2bipad1))
(10356) Wed NovEXPAND ou=People,ou=NIS,o=vt
(10356) Wed Nov --> ou=People,ou=NIS,o=vt
(10356) Wed NovPerforming search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=bob\2bipad1))', scope 'sub'
(10356) Wed NovWaiting for search result...
(10356) Wed NovUser object found at DN "nuid=007,ou=Agents,ou=People,ou=NIS,o=vt"
(10356) Wed NovProcessing user attributes
And the corresponding OpenLDAP logs appear so:
2016-11-02T13:43:33.525988-04:00 ldap01.cns.vt.edu slapd[2685]: conn=226728 op=333 SRCH base="ou=People,ou=NIS,o=vt" scope=2 deref=0 filter="(&(uid=bob+ipad1))"
2016-11-02T13:43:33.526006-04:00 ldap01.cns.vt.edu slapd[2685]: conn=226728 op=333 SRCH attr=userPassword ntPassword prohibited
2016-11-02T13:43:33.526009-04:00 ldap01.cns.vt.edu slapd[2685]: conn=226728 op=333 SEARCH RESULT tag=101 err=0 nentries=1 text=
Running it against FRS-3.0.11 I get debug like this:
(7474379) Wed Nov 2 13:37:02 2016: Debug: suffix: Checking for suffix after "@"
(7474379) Wed Nov 2 13:37:02 2016: Debug: suffix: Looking up realm "vt.edu" for User-Name = "bob+ipad1 at vt.edu"
(7474379) Wed Nov 2 13:37:02 2016: Debug: suffix: Found realm "~vt.edu$"
(7474379) Wed Nov 2 13:37:02 2016: Debug: suffix: Adding Stripped-User-Name = "bob+ipad1"
(7474379) Wed Nov 2 13:37:02 2016: Debug: suffix: Adding Realm = "vt.edu"
(7474379) Wed Nov 2 13:37:02 2016: Debug: suffix: Authentication realm is LOCAL
(7474379) Wed Nov 2 13:37:02 2016: Debug: [suffix] = ok
(7474379) Wed Nov 2 13:37:02 2016: Debug: eap: No EAP-Message, not doing EAP
(7474379) Wed Nov 2 13:37:02 2016: Debug: [eap] = noop
(7474379) Wed Nov 2 13:37:02 2016: Debug: [files] = noop
(7474379) Wed Nov 2 13:37:02 2016: Debug: ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7474379) Wed Nov 2 13:37:02 2016: Debug: ldap: --> (uid=bob\5c2bipad1)
(7474379) Wed Nov 2 13:37:02 2016: Debug: ldap: Performing search in "ou=People,ou=NIS,o=vt" with filter "(uid=bob\5c2bipad1)", scope "sub"
(7474379) Wed Nov 2 13:37:02 2016: Debug: ldap: Waiting for search result...
(7474379) Wed Nov 2 13:37:02 2016: Debug: ldap: Search returned no results
(7474379) Wed Nov 2 13:37:02 2016: Debug: [ldap] = notfound
And the corresponding OpenLDAP logs appear so:
2016-11-02T13:37:02.360308-04:00 midge.cns.vt.edu slapd[3369]: conn=37934 op=43 SRCH base="ou=People,ou=NIS,o=vt" scope=2 deref=0 filter="(uid=bob\5C2bipad1)"
2016-11-02T13:37:02.360550-04:00 midge.cns.vt.edu slapd[3369]: conn=37934 op=43 SRCH attr=userPassword ntPassword prohibited radiusControlAttribute radiusRequestAttribute radiusReplyAttribute
2016-11-02T13:37:02.360818-04:00 midge.cns.vt.edu slapd[3369]: conn=37934 op=43 SEARCH RESULT tag=101 err=0 nentries=0 text=
________________________________
From: Freeradius-Users <freeradius-users-bounces+martialstudy=hotmail.com at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: Tuesday, October 18, 2016 2:05 PM
To: FreeRadius users mailing list
Subject: Re: Transformation of the + symbol -- FRS 3.0.11
On Oct 18, 2016, at 10:44 AM, Mark Williams <martialstudy at hotmail.com> wrote:
>
> Any idea why the + symbol is being transformed in the ldap filter? Should I be using a different syntax for the attribute substitution?
The + character has special meaning in LDAP. As such, it's escaped.
Alan DeKok.
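
The two filters in the debug output above differ by one extra escaping pass. The following is an added example, not code from the original post or from FreeRADIUS: it reproduces both filter strings with a hypothetical escape routine, shows the value the directory server ends up comparing, and adds a heuristic check for log review. All function names and the escape set are assumptions made for illustration.

```python
import re

# Characters written as \XX inside a filter value. RFC 4515 requires this for
# NUL, '(', ')', '*' and '\'. '+' is included here as an assumption, to
# reproduce the \2b that the 3.0.4 debug output on this page shows.
_ESCAPE = set('\\*()\x00+')

def escape_filter_value(value):
    # One escaping pass over an assertion value.
    return ''.join('\\%02x' % ord(c) if c in _ESCAPE else c for c in value)

def decode_filter_value(escaped):
    # The server undoes \XX escapes exactly once before comparing.
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), escaped)

def build_filter(attr, value, passes=1):
    # passes=2 models a value that is escaped again after already being escaped.
    for _ in range(passes):
        value = escape_filter_value(value)
    return '(%s=%s)' % (attr, value)

def server_sees(filter_str):
    # Value of a simple (attr=value) filter after the server decodes it.
    _, _, value = filter_str[1:-1].partition('=')
    return decode_filter_value(value)

def looks_double_escaped(filter_str):
    # Heuristic for log review: an escaped backslash (\5c) directly followed
    # by two hex digits usually means an escape sequence was escaped again.
    # A real value containing a backslash plus two hex characters also matches.
    return re.search(r'\\5c[0-9a-f]{2}', filter_str, re.I) is not None

if __name__ == '__main__':
    name = 'bob+ipad1'  # Stripped-User-Name from the debug output above
    for passes in (1, 2):
        f = build_filter('uid', name, passes)
        print(passes, f, '->', server_sees(f), looks_double_escaped(f))
```

With one pass the server compares against `bob+ipad1`; with two it compares against the literal string `bob\2bipad1`, which is consistent with `nentries=0` in the second slapd log.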