[Solved] Re: Strange behaviour (?) on Windows authentication

Arnaud Forster arnaud.forster at mwprog.ch
Thu May 17 20:38:22 CEST 2018


Hello Alan,

thanks for the information :)

In the meantime I found an old post from 2011 with this information:

Edit the "proxy.conf" file and add:

    realm OPTARE {
    }

Then edit raddb/sites-enabled/default and add:

    authorize {
        preprocess
        ntdomain
        .... rest of config
    }

So I tried that and it worked! :)

Thanks again for the help

Arnaud


Le 17.05.2018 à 20:04, Alan DeKok a écrit :
> On May 17, 2018, at 2:23 AM, Arnaud Forster <arnaud.forster at mwprog.ch> wrote:
>> I requested a few months ago some help about allowing some specific users to connect on specific wifi systems. I received some great help by adding a test to check if the user belongs to the specific group. This works like a charm for computers *not* belonging to the ldap domain. Today, I've another problem with that authentication for a computer belonging to the ldap domain. I made a log and there's something I don't understand.
>>
>> the username is there and correct (MyUserName) but suddenly, before checking if it belongs to the group 'Enseignants' here, the text '5c5c' is added to my username. It seems that this is the text 5c5cMyUserName that is checked instead of MyUserName.
>    The hex code 5C is the ASCII code for the backslash character.
>
>    FreeRADIUS encodes backslashes when it queries databases.  Otherwise, users could do SQL (or LDAP) injection attacks.
>
>> Can someone understand that? I've no idea where this '5c5c' text comes from and why this works for computers not belonging to the domain...
>>
>> Really thanks for your help ;)
>>
>> Arnaud
>>
>>
>> (1) Received Access-Request Id 193 from <a wifi system> length 219
>> (1)   User-Name = "MyDomain\\MyUserName"
>    If that's getting converted to 5c5c, you might try upgrading to 3.0.17.  You're running an older version of the database.
>
>    Newer versions will still do the escaping, but only once.
>
>    The short answer for a solution is that you need to set up "MyDomain" as a LOCAL realm in raddb/proxy.conf.  The server will then use "MyUserName" to look up the user in LDAP.
>
>    Alan DeKok.
>
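As an added illustration (not FreeRADIUS code and not part of the thread), a small Python model of the two points Alan makes: escaping a backslash once for an LDAP filter yields `\5c`, escaping it a second time yields the `5c5c` seen in the log, and stripping a configured LOCAL realm first means only the bare user name reaches the lookup. The `uid` attribute, the realm set and the `escape_passes` knob are assumptions of the model.

```python
# Added example (not FreeRADIUS code): a model of how a DOMAIN\user User-Name
# flows through realm stripping and LDAP filter escaping.
from typing import Optional, Set, Tuple

# RFC 4515: characters that must be hex-escaped inside an LDAP filter value.
_LDAP_SPECIAL = {"\\", "*", "(", ")", "\x00"}


def ldap_escape(value: str) -> str:
    """Escape filter metacharacters as \\XX so user input cannot alter the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in _LDAP_SPECIAL else ch for ch in value
    )


def strip_ntdomain(user_name: str, local_realms: Set[str]) -> Tuple[Optional[str], str]:
    """Split 'REALM\\user' into (realm, user) when REALM is a configured LOCAL realm.

    Models an ntdomain realm rule plus a 'realm X { }' stanza in proxy.conf:
    only known realms are stripped; any other name is left intact.
    """
    realm, sep, user = user_name.partition("\\")
    if sep and realm.lower() in {r.lower() for r in local_realms}:
        return realm, user
    return None, user_name


def ldap_user_filter(user_name: str, local_realms: Set[str], escape_passes: int = 1) -> str:
    """Build a (uid=...) lookup filter: strip the realm first, then escape.

    escape_passes=2 reproduces the double escaping the thread describes,
    which is where the '5c5c' in the log comes from in this model.
    """
    _, user = strip_ntdomain(user_name, local_realms)
    for _ in range(escape_passes):
        user = ldap_escape(user)
    return "(uid=%s)" % user


if __name__ == "__main__":
    name = "MyDomain\\MyUserName"  # constructed User-Name, as in the thread's log
    # No LOCAL realm configured and escaped twice: the backslash becomes 5c5c.
    print(ldap_user_filter(name, set(), escape_passes=2))
    # MyDomain configured as a LOCAL realm: only the bare user name is looked up.
    print(ldap_user_filter(name, {"MyDomain"}, escape_passes=2))
```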
