LDAP distinguished name escaping

Rob Johnson [rbj] rbj at aber.ac.uk
Fri Sep 16 15:58:40 CEST 2016

Hi all,

I am pretty new to freeradius so please bear with me.

Version 3.0.11

I am using the python module to return a DN based off the caller IP:

def authorize(p):
  print "*** authorize ***"

  ip = getValue(p,'NAS-IP-Address')

  if ip == xxx.xxx.xxx.xxx:
      LDAPBaseDN = 'OU=MIS,OU=Auth,DC=ldap,DC=xx,DC=xx,DC=xx
      LDAPBaseDN = 'OU=Radius,OU=Auth,DC=ldap,DC=xx,DC=xx,DC=xx
      #LDAPBaseDN = 'OURadius'

  radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***')

  reply = (('Tmp-String-0',LDAPBaseDN),)

  return (radiusd.RLM_MODULE_OK, reply, None)

This works and returns:

*** authorize ***
*** radlog call in authorize ***
rlm_python:authorize: 'reply:Tmp-String-0' = 'OU=Radius,OU=Auth,DC=ldap,DC=xx,DC=xx,DC=xx'

(0)        [python] = ok

But the problem lies in the ldap module by where I am trying to access the value in order to formulate my base_dn value:

base_dn = "%{reply:Tmp-String-0}"

The DN is escaped and obviously the the ldap bind fails due to the escaping:

ldap: EXPAND %{reply:Tmp-String-0}
(0) ldap:    --> OU\3dRadius\2cOU\3dAuth\2cDC\3dldap\2cDC\3dxx\2cDC\3dxx\2cDC\3dxx
(0) ldap: Performing search in "OU\3dRadius\2cOU\3dAuth\2cDC\3dldap\2cDC\3dxx\2cDC\3dxx\2cDC\3dxx" with filter "(CN=radius)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: ERROR: Failed performing search: Invalid DN syntax

I have tried using the ldap unescape method but to no joy.

Please can someone help?

Thanks, Rob

Un o'r 4 prifysgol uchaf yn y DU a'r gorau yng Nghymru am fodlonrwydd myfyrwyr
(Arolwg Cenedlaethol y Myfyrwyr 2016)

Top 4 UK university and best in Wales for student satisfaction
(National Student Survey 2016)

More information about the Freeradius-Users mailing list