3.0.17 password ending in '\' problem, LDAP backend [bug?]

Alan DeKok aland at deployingradius.com
Mon Sep 10 17:34:34 CEST 2018

On Sep 10, 2018, at 9:25 AM, Kostas Zorbadelos <kzorba at otenet.gr> wrote:
> The above solution did not work exactly as is. A minor patch was needed:
> if (control:Tmp-Octets-0) {
>   update control {
>     Cleartext-Password := "%{string:control:Tmp-Octets-0}"
>   }
> }

  That's fine.  You could use "&" too, which is required in v4.  But it's fine for v3.

> <academic interest> I wonder how I
> could log it to a file however. detail.log did not work.

  The detail module can log any attribute if you configure the module correctly.

  The detail.log file logs replies by default, not attributes in the control list.

> Should I use
> linelog? 
> </academic interest>

  That works, too.

> The whole escaping in shell strings always confused me so I try to stay
> away from it :) Have you implemented the string escape rules of bash?\

  We've implemented the string escape rules for single and double-quotes.

> For example I tried to send a password ending in '\\' through radclient.
> I had to input
> User-Password = "test123\\\\\\\\"

  Hmm... that doesn't look right.  It should be simpler than that.

  If you're piping the attribute through a shell, then those escaping rules apply *on top of* what FreeRADIUS does.

  But if you do radclient -f file, then the attributes in "file" shouldn't need 3 layers of escaping.  Just one.

  Alan DeKok.
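
An added illustration of the escaping layers described in the message above; it is not code from the thread or from FreeRADIUS. The function names are hypothetical, and `unescape_dq` is a simplified, assumed model of double-quoted value parsing that handles only `\\` and `\"`. The sample password `test123\` (ending in one backslash) follows the thread.

```shell
#!/bin/sh
# Added example: counts the backslashes needed per escaping layer.

# Simplified model (assumption): unescape a double-quoted attribute value,
# handling only \\ -> \ and \" -> ". Other escapes are not modelled.
unescape_dq() {
    printf '%s' "$1" | sed -e 's/\\\([\\"]\)/\1/g'
}

# Take the text between the first and the last double quote, then unescape it.
attr_value() {
    v=${1#*\"}   # drop everything up to and including the opening quote
    v=${v%\"}    # drop the closing quote
    unescape_dq "$v"
}

# One layer: the line as it would sit in a file given to "radclient -f file"
# (shell single quotes pass the text through unchanged). Two backslashes.
line_from_file() {
    printf '%s' 'User-Password = "test123\\"'
}

# Two layers: the same line written inside shell double quotes. The shell
# turns \\ into \ and \" into " first, so four backslashes are needed.
line_from_shell_dq() {
    printf '%s' "User-Password = \"test123\\\\\""
}

# Failure mode: only two backslashes inside shell double quotes. The shell
# leaves a single backslash, which then escapes the closing quote.
line_underescaped() {
    printf '%s' "User-Password = \"test123\\\""
}

printf 'file / single quotes : %s\n' "$(line_from_file)"
printf 'shell double quotes  : %s\n' "$(line_from_shell_dq)"
printf 'under-escaped        : %s\n' "$(line_underescaped)"
printf 'value after parsing  : %s\n' "$(attr_value "$(line_from_file)")"
```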
