[Solved] Re: Strange behaviour (?) on Windows authentication
Arnaud Forster
arnaud.forster at mwprog.ch
Thu May 17 20:38:22 CEST 2018
Hello Alan,
thanks for the information :)
In the meantime I found an old post from 2011 where there was this
information:
Edit the "proxy.conf" file and add:

    realm OPTARE {
    }

Then edit raddb/sites-enabled/default and add:

    authorize {
        preprocess
        ntdomain
        .... rest of config
    }
So I tried that and it worked! :)
Thanks again for the help
Arnaud
On 17.05.2018 at 20:04, Alan DeKok wrote:
> On May 17, 2018, at 2:23 AM, Arnaud Forster <arnaud.forster at mwprog.ch> wrote:
>> I requested some help a few months ago about allowing some specific users to connect to specific wifi systems. I received some great help by adding a test to check whether the user belongs to the specific group. This works like a charm for computers *not* belonging to the LDAP domain. Today, I have another problem with that authentication for a computer belonging to the LDAP domain. I made a log and there's something I don't understand.
>>
>> The username is there and correct (MyUserName), but suddenly, before checking if it belongs to the group 'Enseignants' here, the text '5c5c' is added to my username. It seems that it is the text 5c5cMyUserName that is checked instead of MyUserName.
> The hex code 5C is the ASCII code for the backslash character.
>
> FreeRADIUS encodes backslashes when it queries databases. Otherwise, users could do SQL (or LDAP) injection attacks.
>
>> Can someone understand that? I've no idea where this '5c5c' text comes from and why this works for computers not belonging to the domain...
>>
>> Many thanks for your help ;)
>>
>> Arnaud
>>
>>
>> (1) Received Access-Request Id 193 from <a wifi system> length 219
>> (1) User-Name = "MyDomain\\MyUserName"
> If that's getting converted to 5c5c, you might try upgrading to 3.0.17. You're running an older version of the database.
>
> Newer versions will still do the escaping, but only once.
>
> The short answer for a solution is that you need to set up "MyDomain" as a LOCAL realm in raddb/proxy.conf. The server will then use "MyUserName" to look up the user in LDAP.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
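The thread's explanation, worked through as an added example (this is illustrative code written for this page, not FreeRADIUS's own code): RFC 4515 requires a backslash in an LDAP search filter to be escaped as "\5c", so escaping the same value twice turns "\5c" into "\5c5c". The `split_nt_domain` helper is a simplified model of what the ntdomain module and a local realm entry for `MyDomain` achieve, namely looking up only the stripped user name; the `(uid=...)` filter shape and the function names are assumptions for the example.

```python
"""Added example (not FreeRADIUS code): why a backslash shows up as "5c5c"
in an LDAP lookup, and how stripping a local realm avoids it.

RFC 4515 requires the characters  \\ * ( ) NUL  in an LDAP search filter to be
escaped as a backslash followed by two hex digits.  A backslash therefore
becomes "\\5c".  Escaping an already-escaped value a second time turns that
"\\5c" into "\\5c5c", which matches the sequence seen in the thread's log.
"""

# RFC 4515 filter escapes.  The mapping is the standard one; the function
# itself is written for this example and is not the FreeRADIUS ldap module.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it cannot break out of an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_nt_domain(user_name: str):
    """Simplified model of ntdomain / local-realm handling for DOMAIN\\user.

    Returns (realm, stripped_user_name).  Without a backslash the realm is
    None and the name is returned unchanged.  Assumption for this example:
    the real module also checks the realm against proxy.conf.
    """
    domain, sep, user = user_name.partition("\\")
    if not sep:
        return None, user_name
    return domain, user


def build_user_filter(user_name: str, escape_rounds: int = 1) -> str:
    """Build an (uid=...) filter, escaping the name the given number of times.

    escape_rounds=2 models the double escaping of the older server version
    mentioned in the thread; 1 is the correct behaviour.  The (uid=...) shape
    is an assumption; FreeRADIUS builds the filter from its ldap config.
    """
    value = user_name
    for _ in range(escape_rounds):
        value = ldap_filter_escape(value)
    return f"(uid={value})"


if __name__ == "__main__":
    # Constructed sample matching the User-Name in the thread.  The RADIUS
    # attribute carries a single backslash; the log shows it as "\\".
    name = "MyDomain\\MyUserName"
    print(build_user_filter(name, 1))  # (uid=MyDomain\5cMyUserName)
    print(build_user_filter(name, 2))  # (uid=MyDomain\5c5cMyUserName)

    # With MyDomain configured as a local realm, the lookup uses only the
    # stripped name, so there is no backslash left to escape.
    realm, stripped = split_nt_domain(name)
    print(realm, build_user_filter(stripped))  # MyDomain (uid=MyUserName)

    # The escaping is still needed: an attacker-controlled name cannot
    # break out of the filter.
    print(build_user_filter("*)(uid=*"))  # (uid=\2a\29\28uid=\2a)
```

Running the block prints the single- and double-escaped filters side by side; the second one contains the `\5c5c` sequence from the log, while the stripped lookup contains no backslash at all. Stripping the realm does not replace escaping: the last line shows a hostile user name that escaping still neutralises.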