Escaping * in ldap filters

Alan DeKok aland at
Tue Nov 15 15:06:00 CET 2016

On Nov 14, 2016, at 3:33 AM, Peter Lambrechtsen <peter at> wrote:
> Running 3.0.x head from a few months ago.
> I'm trying to have a ldap search filter that if I don't have an existing
> VSA set then default to a *
> filter = "(&(SIID=%{Alc-Subsc-ID-Str})(Line=%{%{LineID}:-*}))"
> That in theory should mean if I don't have a LineID included in the request
> then I would return * instead, but it keeps on getting escaped.

  We really need functionality like Perl's "taint" mode.  Data taken from a configuration file is "clean".  Data taken from the network is "tainted".  Which would solve this issue.

  But... doing that work isn't trivial.  And we're busy with a lot of other changes, including 4.0 async support.

  In some cases, you can put the filter into an attribute, and then use that.  I'm not sure that works here, though.

  I'll take a look...

  Alan DeKok.

More information about the Freeradius-Users mailing list