3.0.17 password ending in '\' problem, LDAP backend [bug?]

Alan DeKok aland at deployingradius.com
Fri Sep 7 15:46:35 CEST 2018

On Sep 7, 2018, at 9:02 AM, Kostas Zorbadelos <kzorba at otenet.gr> wrote:
> quickly tried your proposed fix in production. Did not seem to work:
> ...
> (33318) Fri Sep  7 15:41:31 2018: Debug: pap: Login attempt with password
> (33318) Fri Sep  7 15:41:31 2018: Debug: pap: Comparing with "known good" Cleartext-Password
> (33318) Fri Sep  7 15:41:31 2018: ERROR: pap: Cleartext password does not match "known good" password
> (33318) Fri Sep  7 15:41:31 2018: Debug: pap: Passwords don't match

  You'll have to look at the contents of Cleartext-Password to see what's going on here.  Just log it to a file.

> Could it be that radclient actually sends '\\' at the end of the
> password, as shown in the debug output?

  No.  That's just due to the rules for escaping the double-quoted string.

> The ldap stored password
> contains only a single '\' at the end. PAP comparison therefore seems to
> fail. Is there a way to send a single '\' at the end of User-password to
> debug this? Am I again missing something?

  The issue is that backslash is used inside strings to mean that something is being escaped.  So it can't really be used all by itself.

  The only other solution then is to copy the User-Password to an octets attribute, and compare them manually:

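	if (control:Tmp-Octets-0 && User-Password) {
		# copy the received password into an octets attribute
		update request {
			Tmp-Octets-0 := &User-Password
		}

		if (&control:Tmp-Octets-0 == &request:Tmp-Octets-0) {
			# raw octets match
		}
		else {
			# raw octets differ
		}
	}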

  Alan DeKok.
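
As an added illustration (not part of the original thread, and not FreeRADIUS code), this simplified model of double-quoted escaping shows why debug output prints `\\` for a password ending in a single backslash, and why comparing the raw octets sidesteps the ambiguity. The function names and the sample password are constructed for this example.

```python
import hmac

def quote(raw: bytes) -> str:
    """Render bytes as a double-quoted string, escaping backslash and quote."""
    out = []
    for b in raw:
        ch = chr(b)
        if ch in '\\"':
            out.append("\\" + ch)          # one byte becomes two characters
        elif 0x20 <= b < 0x7F:
            out.append(ch)
        else:
            out.append("\\%03o" % b)       # non-printable: three-digit octal
    return '"' + "".join(out) + '"'

def unquote(text: str) -> bytes:
    """Inverse of quote(). A lone trailing backslash escapes nothing: rejected."""
    body = text[1:-1]
    out = bytearray()
    i = 0
    while i < len(body):
        if body[i] != "\\":
            out.append(ord(body[i]))
            i += 1
        elif i + 1 >= len(body):
            raise ValueError("dangling backslash at end of quoted string")
        elif body[i + 1] in '\\"':
            out.append(ord(body[i + 1]))
            i += 2
        else:
            out.append(int(body[i + 1:i + 4], 8))
            i += 4
    return bytes(out)

def octets_equal(a: bytes, b: bytes) -> bool:
    """Compare raw bytes with no string parsing (constant-time)."""
    return hmac.compare_digest(a, b)

# Constructed sample values: 7 bytes each, ending in ONE backslash.
SENT = b"secret\\"
STORED = b"secret\\"

if __name__ == "__main__":
    print("on the wire :", len(SENT), "bytes")
    print("debug output:", quote(SENT))
    print("octets equal:", octets_equal(SENT, STORED))
```
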
