Transformation of the + symbol -- FRS 3.0.11

Mark Williams martialstudy at
Thu Nov 3 12:04:29 CET 2016

The dn includes the nuid, which is significantly large number we generate randomly when 'People' records are created. Records are similar to this:

dn: nuid=007,ou=People,ou=NIS,o=vt
nuid: 007
uid: bob
sn: bob
cn: CN - bob
objectClass: nisUserAccount
objectClass: inetOrgPerson
objectClass: radiusprofile
prohibited: FALSE
userPassword:: hashedblahblahblah

dn: nuid=008,ou=Entitlements,ou=NIS,o=vt
nuid: 008
entitled: nuid=007,ou=People,ou=NIS,o=vt
entitledUID: bob
entitlement: service.wireless
objectClass: nisEntitlement

We filter on the unique 'uid' field, and then an 'entitleduid' field:

The ldap config in both versions:

ldap {
server = "localhost"
port = 11389
base_dn = "ou=NIS,o=vt"
identity = "uid=radius,ou=Local,${base_dn}"
        password = blahblahblah
update {
control:Password-With-Header += 'userPassword'
control:NT-Password := 'ntPassword'
                control:Prohibited      := 'prohibited'
user {
base_dn = "ou=People,${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = 'sub'
group {
base_dn = "ou=Entitlements,${..base_dn}"
filter = "(objectClass=nisEntitlement)"
scope = 'sub'
name_attribute = "entitlement"
                membership_filter = "(&(entitledUID=%{Stripped-User-Name})(|(!(expirationEpoch=*))(expirationEpoch>=%l)))"

From: Freeradius-Users < at> on behalf of Arran Cudbard-Bell <a.cudbardb at>
Sent: Wednesday, November 02, 2016 2:33 PM
To: FreeRadius users mailing list
Subject: Re: Transformation of the + symbol -- FRS 3.0.11

> On Nov 2, 2016, at 2:26 PM, Mark Williams <martialstudy at> wrote:
> It does have a special meaning, but the method which FR is escaping the + character seems to have changed since version 3.0.4, and doesn't appear to be working (in my environment at least).

What's the DN of the object you're actually trying to resolve?


More information about the Freeradius-Users mailing list