LDAP distinguished name escaping
Rob Johnson [rbj]
rbj at aber.ac.uk
Fri Sep 16 15:58:40 CEST 2016
Hi all,
I am pretty new to freeradius so please bear with me.
Version 3.0.11
I am using the python module to return a DN based off the caller IP:
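    import radiusd

    # getValue() is a helper from the poster's module; its definition is not shown.
    def authorize(p):
        print "*** authorize ***"
        ip = getValue(p, 'NAS-IP-Address')
        # Pick the search base from the NAS address (address redacted in the post)
        if ip == 'xxx.xxx.xxx.xxx':
            LDAPBaseDN = 'OU=MIS,OU=Auth,DC=ldap,DC=xx,DC=xx,DC=xx'
        else:
            LDAPBaseDN = 'OU=Radius,OU=Auth,DC=ldap,DC=xx,DC=xx,DC=xx'
        #LDAPBaseDN = 'OURadius'
        radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***')
        # Hand the chosen DN back to the server as a reply attribute
        reply = (('Tmp-String-0', LDAPBaseDN),)
        return (radiusd.RLM_MODULE_OK, reply, None)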
This works and returns:
*** authorize ***
*** radlog call in authorize ***
rlm_python:authorize: 'reply:Tmp-String-0' = 'OU=Radius,OU=Auth,DC=ldap,DC=xx,DC=xx,DC=xx'
(0) [python] = ok
But the problem lies in the ldap module, where I am trying to access the value in order to formulate my base_dn value:
base_dn = "%{reply:Tmp-String-0}"
The DN is escaped and obviously the ldap bind fails due to the escaping:
ldap: EXPAND %{reply:Tmp-String-0}
(0) ldap: --> OU\3dRadius\2cOU\3dAuth\2cDC\3dldap\2cDC\3dxx\2cDC\3dxx\2cDC\3dxx
(0) ldap: Performing search in "OU\3dRadius\2cOU\3dAuth\2cDC\3dldap\2cDC\3dxx\2cDC\3dxx\2cDC\3dxx" with filter "(CN=radius)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: ERROR: Failed performing search: Invalid DN syntax
I have tried using the ldap unescape method but to no joy.
Please can someone help?
Thanks, Rob
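Added example, not part of the original post and not FreeRADIUS code: it reproduces the `\3d` / `\2c` hex escaping visible in the debug log above and shows why a DN escaped as a whole no longer parses, while escaping only an attribute value inside a fixed DN template does. The special-character set and all function names are assumptions made for illustration; the log only shows `=` and `,` being escaped.

```python
# Added illustration (Python 3); not FreeRADIUS source code.
# Assumption: the characters treated as special. The log on this page only
# shows '=' -> \3d and ',' -> \2c.
SPECIAL = set(',+"\\<>;*=()')
HEX = "0123456789abcdefABCDEF"
PAGE_DN = "OU=Radius,OU=Auth,DC=ldap,DC=xx,DC=xx,DC=xx"  # DN quoted in the post

def ldap_escape(value):
    """Replace each special character with backslash + two lowercase hex digits."""
    return "".join("\\%02x" % ord(c) if c in SPECIAL else c for c in value)

def ldap_unescape(value):
    """Inverse of ldap_escape: turn backslash + two hex digits back into a character."""
    out, i = [], 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "\\" and len(pair) == 2 and all(c in HEX for c in pair):
            out.append(chr(int(pair, 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def split_unescaped(text, sep):
    """Split on sep, skipping any character that directly follows a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
        elif text[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(text[i])
            i += 1
    parts.append("".join(cur))
    return parts

def looks_like_dn(text):
    """True if every RDN component has exactly one unescaped '=' (type=value)."""
    for rdn in split_unescaped(text, ","):
        for ava in split_unescaped(rdn, "+"):
            kv = split_unescaped(ava, "=")
            if len(kv) != 2 or not kv[0].strip() or not kv[1].strip():
                return False
    return True

def build_base_dn(ou_value, suffix="OU=Auth,DC=ldap,DC=xx,DC=xx,DC=xx"):
    """Escape only the attribute value; the DN structure comes from fixed text."""
    return "OU=" + ldap_escape(ou_value) + "," + suffix
```

Escaping protects the DN structure when an untrusted value is placed inside one component; applied to a complete DN it also removes the separators the directory needs, which matches the "Invalid DN syntax" error in the log.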