LDAP group - samaccountname

Alan DeKok aland at deployingradius.com
Tue Feb 4 21:21:20 CET 2020



> On Feb 4, 2020, at 2:42 PM, Olivier Mahieu <o_mahieu at hotmail.com> wrote:
> 
> Hello,
> 
> Using the LDAP module in post-auth section (PEAP-MSCHAPv2); the correct user group is not found for VLAN assignment.
> I think it has to do with the samaccountname. 5c5cAdministrator instead of Administrator.

(9) Received Access-Request Id 111 from 192.168.56.3:1645 to 192.168.56.20:1812 length 261
(9)   User-Name = "AD-OM\\Administrator"

  That's generally not a good idea, i.e. account names with backslashes, etc.

(9)     EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(9)        --> (samaccountname=AD-OM\5c5cAdministrator)
(9)     Performing search in "dc=MAH,dc=TEST" with filter "(samaccountname=AD-OM\5c5cAdministrator)", scope "sub"

  FreeRADIUS escapes the backslashes for security reasons.  Otherwise the users could add magic characters, change the ldap query, and do bad things.

  What is the account name in LDAP?  Does it have the backslashes in it?

  Alan DeKok.
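As an added illustration (not code from the thread or from FreeRADIUS), the snippet below implements the RFC 4515 filter-value escaping that the ldap module applies before expanding `%{User-Name}` into a search filter, plus a stand-in for the `%{%{Stripped-User-Name}:-%{User-Name}}` fallback. `split_ntdomain` is a hypothetical helper that simply partitions on the first backslash; it stands in for whatever realm configuration produces `Stripped-User-Name` in a real deployment and is not the realm module itself.

```python
"""Added example: LDAP filter-value escaping and the Stripped-User-Name fallback.

Not part of the mailing-list thread or of FreeRADIUS; the function names and the
sample User-Name values are constructed for this illustration.
"""

# Characters RFC 4515 section 3 requires to be escaped inside a filter value.
LDAP_FILTER_SPECIAL = {'\\', '*', '(', ')', '\x00'}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it can only ever match literally inside an LDAP filter.

    Each special character becomes a backslash followed by its two hex digits,
    e.g. '\\' -> '\\5c', '*' -> '\\2a'. This is why a User-Name containing a
    backslash shows up as \\5c in the expanded filter.
    """
    return ''.join('\\%02x' % ord(c) if c in LDAP_FILTER_SPECIAL else c
                   for c in value)


def split_ntdomain(user_name: str, delimiter: str = '\\'):
    """Hypothetical helper: split 'DOMAIN\\user' into (domain, user).

    Returns (None, user_name) when no delimiter is present. A real FreeRADIUS
    setup would get Stripped-User-Name from its realm configuration instead.
    """
    domain, sep, user = user_name.partition(delimiter)
    if not sep:
        return None, user_name
    return domain, user


def samaccountname_filter(user_name: str, stripped_user_name=None) -> str:
    """Build the filter the way %{%{Stripped-User-Name}:-%{User-Name}} would.

    Prefers the stripped name when the realm handling produced one, otherwise
    falls back to the raw User-Name; either way the value is escaped.
    """
    name = stripped_user_name if stripped_user_name else user_name
    return '(samaccountname=%s)' % ldap_filter_escape(name)


def main():
    # Constructed sample User-Name matching the shape seen in the debug output.
    raw = 'AD-OM\\Administrator'
    domain, user = split_ntdomain(raw)
    print('raw User-Name      :', raw)
    print('filter, unstripped :', samaccountname_filter(raw))
    print('Stripped-User-Name :', user, '(domain %s)' % domain)
    print('filter, stripped   :', samaccountname_filter(raw, user))
    # A constructed value full of filter metacharacters: once escaped it can
    # only match an account literally named that, never widen the search.
    hostile = '*)(objectClass=*'
    print('escaped metachars  :', samaccountname_filter(hostile))


if __name__ == '__main__':
    main()
```

With the stripped name supplied, the filter becomes `(samaccountname=Administrator)`, which is what the LDAP search needs; without it the backslash is escaped to `\5c` and the query looks for a literal `AD-OM\Administrator`. Applying the escape a second time to an already-escaped value yields `\5c5c`, the same shape as the string in the debug output, so checking that the value is escaped exactly once is a useful step when diagnosing this kind of mismatch.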
