PEAP with LDAP Cleartext Password including backslash
Alan DeKok
aland at deployingradius.com
Wed Jun 27 23:01:38 CEST 2018
On Jun 27, 2018, at 3:25 AM, kaoru eto <etokaoru.frml at gmail.com> wrote:
> I am trying to use backslash in userPassword like 'Pass\100word'.
Unfortunately, a bare backslash isn't really supported. The server needs backslashes in order to escape *other* special characters in the password, e.g. quotation marks.
> 3. what you expect the server to do
>
> Access-Accept with password 'Pass\100word'.
> Access-Reject with password 'Pass at word'.
Because "\100" is ASCII "@".
> I tried changing single backslash 'Pass\100word' to double backslash
> 'Pass\\100word' on the LDAP server, and got Access-Accept with
> password 'Pass\100word'.
That's how it works.
> But we can hardly control this problem by changing the userPassword
> attribute rules of the LDAP server, because other systems which we cannot
> control use the same LDAP server.
>
> Is there any workaround in freeradius configurations?
You can map the LDAP password to a RADIUS attribute of type "octets". It will then be copied verbatim.
Then, copy that attribute to Cleartext-Password. I *think* it will work.
Edit raddb/dictionary, and add:
ATTRIBUTE My-Raw-Password 3003 octets
e.g. edit raddb/mods-enabled/ldap
Replace:
control:Password-With-Header += 'userPassword'
With:
control:My-Raw-Password += 'userPassword'
And then in the "authorize" section, after "ldap", do:

	if (&control:My-Raw-Password) {
		update control {
			# the RHS needs the control: prefix; a bare &My-Raw-Password
			# would look in the request list, which the ldap module
			# did not populate
			Cleartext-Password := &control:My-Raw-Password
		}
	}
That should copy it over without escaping the backslash.
Alan DeKok.
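As an added illustration (not part of the thread above and not FreeRADIUS source), the following Python models the two behaviours the thread describes: a "string" typed attribute interprets backslash escapes when the LDAP value is copied into Cleartext-Password, so "\100" collapses to "@" and the stored password no longer matches what the user types, while an "octets" typed attribute copies the bytes verbatim. The exact escape set modelled (backslash, quotes, \n, \r, \t and up to three octal digits) is an assumption based on Alan's description; only the cases the thread mentions are relied on. It also shows the opposite workaround the poster tried, doubling backslashes on the LDAP side, as an escaping function with a round-trip check.

```python
"""Model of backslash handling when an LDAP userPassword is copied into
FreeRADIUS Cleartext-Password.

Added example, not FreeRADIUS code.  Assumed escape set for a "string"
typed attribute: \\, \", \', \n, \r, \t and \ooo (one to three octal
digits).  The thread only confirms that "\100" becomes "@" and that
backslashes escape other special characters such as quotation marks.
"""

SIMPLE_ESCAPES = {
    "\\": "\\",
    '"': '"',
    "'": "'",
    "n": "\n",
    "r": "\r",
    "t": "\t",
}
OCTAL_DIGITS = "01234567"


def unescape_string_attr(raw: str) -> str:
    """Interpret backslash escapes the way a 'string' typed attribute would.

    A backslash followed by up to three octal digits yields one byte, so
    r'Pass\100word' becomes 'Pass@word' (0o100 == 64 == ord('@')).
    An unrecognised escape is left as-is (assumption, not relied upon).
    """
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\" or i + 1 >= len(raw):   # plain char, or trailing backslash
            out.append(ch)
            i += 1
            continue
        nxt = raw[i + 1]
        if nxt in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[nxt])
            i += 2
        elif nxt in OCTAL_DIGITS:
            j = i + 1
            while j < len(raw) and j < i + 4 and raw[j] in OCTAL_DIGITS:
                j += 1                          # consume at most three digits
            out.append(chr(int(raw[i + 1:j], 8) & 0xFF))
            i = j
        else:
            out.append("\\" + nxt)              # unknown escape kept verbatim
            i += 2
    return "".join(out)


def escape_for_string_attr(password: str) -> str:
    """What would have to be stored in LDAP for the password to survive the
    un-escaping above (the 'double the backslash' workaround from the thread).
    """
    return (password.replace("\\", "\\\\")
                    .replace('"', '\\"')
                    .replace("'", "\\'"))


def copy_as_octets(raw: str) -> str:
    """Model of the 'octets' attribute path: the value is copied verbatim."""
    return raw


def cleartext_matches(stored: str, supplied: str, via_octets: bool) -> bool:
    """Does the resulting Cleartext-Password equal the password the client
    sent (e.g. the PEAP inner PAP/MS-CHAP credential)?"""
    cleartext = copy_as_octets(stored) if via_octets else unescape_string_attr(stored)
    return cleartext == supplied


if __name__ == "__main__":
    stored = r"Pass\100word"                      # what sits in userPassword
    print(unescape_string_attr(stored))           # Pass@word
    print(cleartext_matches(stored, stored, via_octets=False))   # False
    print(cleartext_matches(stored, stored, via_octets=True))    # True
    print(escape_for_string_attr(stored))         # Pass\\100word
```

The `cleartext_matches` calls reproduce the poster's observation: with the default "string" mapping, the user typing `Pass\100word` is rejected because the server compares against `Pass@word`, whereas the verbatim copy accepts it. `escape_for_string_attr` shows why doubling the backslash in LDAP also works, and why that is unattractive when other consumers of the same directory expect the raw value.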
More information about the Freeradius-Users mailing list