3.0.17 password ending in '\' problem, LDAP backend [bug?]

Kostas Zorbadelos kzorba at otenet.gr
Mon Sep 10 15:25:50 CEST 2018

On Παρ, Σεπ 07 2018 at 04:46:35 μμ, Alan DeKok <aland at deployingradius.com> wrote:

Hi Alan and all,

a quick update on this, to have it for future reference.

>  Map the LDAP userPassword attribute to a binary attribute, e.g. Tmp-Octets-0.  Then, copy that to Cleartext-Password:
>	ldap
>	if (control:Tmp-Octets-0) {
>		update control {
>			Cleartext-Password := &control:Tmp-Octets-0
>		}
>	}
>> quickly tried your proposed fix in production. Did not seem to work:
>   Hmm.. 

The above solution did not work exactly as is. A minor patch was needed:

if (control:Tmp-Octets-0) {
   update control {
          Cleartext-Password := "%{string:control:Tmp-Octets-0}"

The binary attribute would need to be converted to string for the
comparison in pap to work.

>> ...
>> (33318) Fri Sep  7 15:41:31 2018: Debug: pap: Login attempt with password
>> (33318) Fri Sep  7 15:41:31 2018: Debug: pap: Comparing with "known good" Cleartext-Password
>> (33318) Fri Sep  7 15:41:31 2018: ERROR: pap: Cleartext password does not match "known good" password
>> (33318) Fri Sep  7 15:41:31 2018: Debug: pap: Passwords don't match
>     You'll have to look at the contents of Cleartext-Password to see
>     what's going on here.  Just log it to a file. 

radiusd -X showed the exact value of Cleartext-Password.

<academic interest> I wonder how I
could log it to a file however. detail.log did not work. Should I use
</academic interest>

>> Could it be that radclient actually sends '\\' at the end of the
>> password, as shown in the debug output?
>   No.  That's just due to the rules for escaping the double-quoted
>   string. 

Indeed I verified that in a pcap capture.

The whole escaping in shell strings always confused me so I try to stay
away from it :) Have you implemented the string escape rules of bash?

For example I tried to send a password ending in '\\' through radclient.
I had to input

User-Password = "test123\\\\\\\\"

in the attribute file!

>> The ldap stored password
>> contains only a single '\' in the end. PAP comparison therefore seems to
>> fail. Is there a way to send a single '\' at the end of User-password to
>> debug this? Am I again missing something?
>   The issue is that backslash is used inside strings to mean that something is being escaped.  So it can't really be used all by itself.
>   The only other solution then is to copy the User-Password to an octets attribute, and compare them manually:
> 	if (control:Tmp-Octets-0 && User-Password) {
> 		update request {
> 			Tmp-Octets-0 := &User-Password
> 		}
> 		if (&control:Tmp-Octets-0 == &request:Tmp-Octets-0) {
> 			accept
> 		}
> 		else {
> 			reject
> 		}
> 	}

I did't need to resort to this. I think that was good, because I didn't
like to idea to bypass the pap authentication module.

Thanks again for the support.
Best regards,


Kostas Zorbadelos	http://gr.linkedin.com/in/kzorba		

More information about the Freeradius-Users mailing list