3.0.17 password ending in '\' problem, LDAP backend [bug?]

Alan DeKok aland at deployingradius.com
Fri Sep 7 13:39:30 CEST 2018

On Sep 7, 2018, at 4:13 AM, Kostas Zorbadelos <kzorba at otenet.gr> wrote:
> just finished a project upgrading a big authentication infrastructure
> from freeradius 2.2.X to 3.0.17. I face a problem with very few users
> whose passwords end in '\'. They used to work in freeradius 2.

  We fixed all of the handling of the backslash character in v3.  Before that, it was random and inconsistent.

  Now, the rules are the same as for shells.  Which is what people are used to, and what makes sense.

> Debugging output (stripping the sensitive information):
> kzorba at system(0)[10:19 AM]~/radius->cat test_kzorba1.txt 
> User-Name = kzorba1 at otenet.gr
> NAS-Port-Type = xDSL
> User-Password = test123\

  i.e. User-Password = "test123\"

  Which for shells, is an invalid  quoted string.  So, it's invalid here.

> NAS-Port = 12234455
> using freeradius 3.0.17 radclient:
> kzorba at system(0)[10:26 AM]~/radius->/opt/freeradius3-auth/bin/radclient -f test_kzorba1.txt -x localhost:1812 auth XXXXX
> (0) Error parsing "test_kzorba1.txt": Invalid escape at end of string
> radclient: Failed parsing input files


> With radclient 3.0.17 I needed to add an extra \ at the end of the
> User-Password to send the request. No Cleartext-Password is set.

  Yes.  That's the normal rule for double-quoted strings.

  Cleartext-Password is for the server.  If you set it in radclient, it will be ignored.

> Independent of which radclient is used, the server has the same behavior
> demonstrated in the following debug (using radmin in production,
> excellent feature by the way)

  The server works, and will accept backslashes in passwords.

> (13592044) Fri Sep  7 10:22:40 2018: WARNING: ldap_1: Failed parsing value "test123\\" for attribute Cleartext-Password: Invalid escape at end of string

  Yes, the same rules for double quoted strings apply here.

> In the ldap entry of the user, the password is stored with a (single) ending
> '\'.
> Here is the relevant config of the ldap module in my case (again
> sensitive information stripped)

  Please don't post module config to the list.  We don't need it.

  See: http://wiki.freeadius.org/list-help

> Is this a bug (looks like to me), feature, or am I missing something?

  It's *fixing* a bug.

> Could I do something with unlang, or in the ldap module config in this
> case?

  Map the LDAP userPassword attribute to a binary attribute, e.g. Tmp-Octets-0.  Then, copy that to Cleartext-Password:

	if (control:Tmp-Octets-0) {
		update control {
			Cleartext-Password := &control:Tmp-Octets-0

 Alan DeKok.

More information about the Freeradius-Users mailing list